Puppet without Root - PuppetConf 2013

Puppet can be used effectively and at scale without running as root. In many organizations, particularly large ones, different teams are responsible for different pieces of the infrastructure. In my case, I am on a team responsible for installation, configuration, upkeep, and monitoring of an application, but we are denied root access. Despite this, we have a rich puppet infrastructure that saves us time and reduces configuration drift. I will present our model for success in this kind of limited environment, including recipes for using puppet as non root and some encouraging words and ideas for those who want to implement puppet, but the rest of their organization isn't ready yet.

Spencer Krum
Systems Admin, UTI Worldwide
Spencer is a Linux and application administrator with UTI Worldwide, a shipping and logistics firm. He lives and works in Portland. He has been using Linux and Puppet for years. Spencer is co-authoring (with William Van Hevelingen and Ben Kero) the second edition of Pro Puppet by James Turnbull and Jeff McCune, which should be available from Apress in alpha/beta E-Book in time for Puppet Conf '13. He enjoys hacking, tennis, StarCraft, and Hawaiian food.

Transcript of "Puppet without Root - PuppetConf 2013"

  1. Puppet Without Root. Spencer Krum, UTi Worldwide Inc.
  2. Books: Pro Puppet 2nd Ed.* and Beginning Puppet**. *With Jeff McCune, James Turnbull, William Van Hevelingen, and Ben Kero. **With William Van Hevelingen and Ben Kero.
  3. Intro: UTi history; UTi goals; DevOps role; limitations.
  4. Intro (cont.): installing the Puppet client; running the Puppet client; package, file, service; rootless module.
  5. Intro (cont.): installing the Puppet master as non-root; installing Apache as non-root; installing Passenger as non-root; upgrading Puppet as non-root.
  6. UTi History
  7. UTi Goals
  8. DevOps Role
  9. Limitations: no root access; each devopser has a user; sudo to the application user (appserv, webserv, swmgmt, tibco, fico); the application user has limited sudo access.
  10. Limitations (cont.): limited homedir space; /opt/app LVM volume, big but not massive (20G); Oracle Enterprise 5, not often updated; few development libraries.
  11. Installing the Puppet client: libyaml built from source, separately; Ruby built from source, separately; Puppet and Facter from source, together; all installed using a --prefix.
  12. Installing the Puppet client: Puppet config in /opt/app/tibco/opt/puppet/etc/puppet/conf/puppet.conf; Ruby/yaml located in /opt/app/tibco/opt/{ruby,yaml}.
  13. Installing the Puppet client: drop the whole thing in via a tarball; massive sed -i on the files.
  14. Installing the Puppet client: each client is in an environment; conflate UTi environments and Puppet environments; Puppet vardir, libdir and ssldir all under opt; no control over DNS, so set server = machinename.
  15. Running the Puppet client: source a bash file to set RUBYLIB and LD_LIBRARY_PATH; run Puppet with the --config argument to pick up the config file, it forks to the background; an @reboot cron entry fires it up if the machine bounces.
  16. Multi user: sometimes we want to run a service as the fico user and a separate service as the tibco user on the same machine.
  17. Certname abuse: set certname = user-hostname in puppet.conf, e.g. fico-devbuild1.go2uti.com; two node definitions in site.pp now; both users have Puppet installed under /opt/app/$USER/opt.
  18. Package, File, Service
  19. Package: two basic methods: wrap an untar command in a defined type; recursive file resource (Puppet as package manager).
  20. Package: we use both.
  21. Recursive file resource (note: recurse => remote copies files down without an owner/group change that a non-root user could not make):
      class uti_httpd::base {
        file { "${home_path}/httpd":
          ensure  => directory,
          owner   => $owner,
          group   => $group,
          source  => 'puppet:///modules/uti_httpd',
          recurse => remote,
        }
        ...
      }
  22. Untar wrapped in an exec (the command and creates values are cut off on the slide; creates makes the exec a no-op once the unpacked directory exists):
      exec { "create-jdk-install-${install_root}":
        command => "/bin/tar xvzf ${tarball_directo
        cwd     => $install_root,
        creates => "${install_root}/${jdk_create_di
      }
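The untar-in-an-exec pattern from slide 22, written out as a shell function so the two things that matter in a rootless install are visible: the idempotency guard that `creates =>` gives the exec, and an integrity check on the tarball before it is unpacked (there is no package manager verifying signatures when you install from tarballs under /opt/app). This is an added example, not code from the talk or from UTi's modules; it assumes tarballs are delivered to a directory the application user can read and unpacked under an install root that user owns, and the demo constructs both under a temp dir.

```shell
#!/bin/sh
# Added example, not code from the talk or from UTi's modules: the "wrap an
# untar command in a defined type" pattern as a shell function, so that the
# idempotency guard (what `creates =>` does for the exec) and an integrity
# check on the tarball are both visible. Assumed: tarballs are delivered to
# a directory the application user can read, and unpacked under an install
# root that user owns; the demo constructs both under a temp dir.

# Portable SHA-256: coreutils sha256sum, falling back to shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_tarball TARBALL INSTALL_ROOT CREATES EXPECTED_SHA256
# Exit 0: unpacked now.  2: marker already present, nothing done.
# 1: digest mismatch, nothing unpacked.
install_tarball() {
    tarball=$1; install_root=$2; creates=$3; expected=$4

    # Same guard as `creates => "${install_root}/<dir>"`: marker present, no-op.
    if [ -e "$install_root/$creates" ]; then
        return 2
    fi

    # Without root there is no package manager checking signatures, so the
    # digest recorded when the tarball was built is the one integrity check.
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball (got $actual)" >&2
        return 1
    fi

    mkdir -p "$install_root"
    tar -xzf "$tarball" -C "$install_root"   # the exec's cwd => $install_root
    [ -e "$install_root/$creates" ]          # fail loudly if the marker never appeared
}

# Constructed sample: a fake JDK tarball built on the fly so this runs offline.
make_sample_tarball() {
    work=$(mktemp -d)
    mkdir -p "$work/src/jdk1.7.0/bin"
    echo 'not really java' > "$work/src/jdk1.7.0/bin/java"
    tar -czf "$work/jdk.tar.gz" -C "$work/src" jdk1.7.0
    echo "$work"
}

# Runs the three cases: fresh install, repeat (no-op), bad digest (refused).
demo() {
    work=$(make_sample_tarball)
    sum=$(sha256_of "$work/jdk.tar.gz")
    if install_tarball "$work/jdk.tar.gz" "$work/opt" jdk1.7.0 "$sum"; then first=0; else first=$?; fi
    if install_tarball "$work/jdk.tar.gz" "$work/opt" jdk1.7.0 "$sum"; then second=0; else second=$?; fi
    if install_tarball "$work/jdk.tar.gz" "$work/opt2" jdk1.7.0 0000bad 2>/dev/null; then third=0; else third=$?; fi
    rm -rf "$work"
    echo "$first $second $third"
}

demo
```

The expected digest is the value you record when you build the tarball on your equivalent system (slide 40's rsync-it-up workflow), and it is what keeps a swapped or truncated tarball from being unpacked over a running JDK.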
  23. File: the file type works strangely when not running as root; the $owner, $group problem; the implementation is built around 'write' access.
  24. Resource default so every file gets the user's own owner and group (the only values a non-root user can set):
      File {
        owner => $owner,
        group => $group,
      }
  25. Directories under the install root:
      file { $install_root:
        ensure => directory,
      }
      file { "${install_root}/keystore/":
        ensure  => directory,
        require => File[$install_root],
      }
  26. Service: possibly the best handled in a rootless environment; can't use the real init system; can use the binary, start, status and stop parameters to great effect; I want to look at the path.
  27. Service resource with the base provider (the start/stop/restart paths are cut off on the slide):
      service { 'icinga':
        ensure     => running,
        provider   => base,
        enable     => true,
        hasstatus  => true,
        hasrestart => true,
        start      => "${home_path}/icinga/init/ici
        stop       => "${home_path}/icinga/init/ici
        restart    => "${home_path}/icinga/init/ici
        name       => 'icinga',
      }
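What the base provider needs on the other end of slide 27's start/stop/status parameters is a script that keeps its own pidfile under a directory the user owns and reports status with the exit-code convention Puppet reads (0 means running, anything else means stopped). The following is an added example, not the icinga script from the talk: a minimal init-style control script for a daemon running as an unprivileged user; it assumes the caller sets SVC_NAME, SVC_CMD and SVC_STATE, and the constructed demo uses `sleep` as a stand-in daemon.

```shell
#!/bin/sh
# Added example, not the icinga script from the talk: a minimal init-style
# control script for a daemon that runs as an unprivileged user, shaped so
# Puppet's `provider => base` (hasstatus => true, hasrestart => true) can
# drive it. State lives under a directory the user owns; no /var/run, no
# real init system. Assumed: the caller sets SVC_NAME, SVC_CMD and SVC_STATE
# (the constructed demo at the bottom uses `sleep` as a stand-in daemon).

svc_pidfile() { echo "$SVC_STATE/$SVC_NAME.pid"; }

# True when the pid exists and is not a zombie (a zombie still answers kill -0).
pid_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    case "$(ps -o stat= -p "$1" 2>/dev/null)" in Z*) return 1 ;; esac
    return 0
}

# status: exit 0 when running, 3 when not (the LSB convention; Puppet reads
# exit 0 from the status command as "running" and anything else as "stopped").
svc_status() {
    pidfile=$(svc_pidfile)
    [ -f "$pidfile" ] || return 3
    if pid_alive "$(cat "$pidfile")"; then
        return 0
    fi
    rm -f "$pidfile"    # stale pidfile after an unclean stop or a reboot
    return 3
}

svc_start() {
    if svc_status; then
        return 0        # already running: idempotent, like ensure => running
    fi
    mkdir -p "$SVC_STATE"
    # Detach, log under our own var dir, record the pid for status/stop.
    nohup $SVC_CMD >>"$SVC_STATE/$SVC_NAME.log" 2>&1 &
    echo $! > "$(svc_pidfile)"
}

svc_stop() {
    svc_status || return 0          # nothing to stop
    pid=$(cat "$(svc_pidfile)")
    kill "$pid"
    i=0                             # give it a few seconds, then escalate once
    while pid_alive "$pid" && [ "$i" -lt 5 ]; do
        sleep 1; i=$((i + 1))
    done
    if pid_alive "$pid"; then kill -9 "$pid"; fi
    rm -f "$(svc_pidfile)"
}

svc_restart() { svc_stop; svc_start; }

# Dispatcher, for use as local/etc/init.d/<name> {start|stop|status|restart}.
svc_main() {
    case "$1" in
        start)   svc_start ;;
        stop)    svc_stop ;;
        status)  svc_status ;;
        restart) svc_restart ;;
        *) echo "usage: $0 {start|stop|status|restart}" >&2; return 2 ;;
    esac
}

# Constructed demo: drive the script the way the base provider would and
# report the status exit codes before start, after start, after stop.
demo() {
    SVC_NAME=fakedaemon
    SVC_CMD="sleep 60"
    SVC_STATE=$(mktemp -d)
    if svc_main status; then before=0; else before=$?; fi
    svc_main start
    svc_main start                  # second start must be a no-op
    if svc_main status; then running=0; else running=$?; fi
    svc_main stop
    if svc_main status; then after=0; else after=$?; fi
    rm -rf "$SVC_STATE"
    echo "$before $running $after"
}

demo
```

The pidfile check is what makes `ensure => running` converge without a double start, and clearing a stale pidfile is what makes the @reboot cron from slide 15 recover cleanly after a bounce.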
  28. Rootless Module
  29. Rootless module: a module to provide types and facts to rootless persons; a tarfile type; a jdk type; facts for user, group and tempdir; a new file type for rootless environments.
  30. The rootless file type stages the content in /var/tmp and copies it in with an exec:
      $tempname = regsubst($name, '/', '-', 'G')
      file { "/var/tmp/${tempname}":
        ensure  => file,
        content => $content,
      }
      exec { "copy-in-${name}":
        command   => "cat /var/tmp/${tempname} > ${name}",
        subscribe => File["/var/tmp/${tempname}"],
        notify    => $notify,
      }
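The stage-then-copy-in pattern from slide 30, as an added example that is not the rootless module's own code. It keeps the module's name flattening but makes three things explicit: the staged copy lives in a directory created by mktemp -d (mode 0700, so no other local user can read or replace it, which a fixed name under the shared /var/tmp cannot guarantee), the target is only replaced when its content actually differs (so a `notify` fires on change rather than on every agent run, as Puppet's file resource would), and the replacement is a rename rather than `cat > target`. It assumes a constructed counter standing in for `notify =>`.

```shell
#!/bin/sh
# Added example, not the rootless module's code: the "write to a temp path,
# then copy in" pattern behind the module's file type, as a shell function
# that makes three things explicit: where the staged copy lives, whether the
# target actually changed (so a `notify` only fires on change, as Puppet's
# file resource would), and an atomic replace of the target. Assumed: the
# on-change action is a constructed counter standing in for `notify =>`.

# One private staging directory per run. mktemp -d creates it mode 0700, so
# only this user can read or replace a staged file, whereas a fixed name
# under a shared /var/tmp is reachable by every local user.
ensure_stage_dir() {
    if [ -z "$STAGE_DIR" ]; then
        STAGE_DIR=$(mktemp -d)
    fi
}

# copy_in TARGET CONTENT_FILE
# Exit 0: target replaced (notify should fire).  1: already identical.
# 2: copy failed, target untouched.
copy_in() {
    target=$1; content=$2
    ensure_stage_dir
    # Same flattening the module does with regsubst($name, '/', '-', 'G').
    tempname=$(printf '%s' "$target" | tr '/' '-')
    staged="$STAGE_DIR/$tempname"

    cp "$content" "$staged" || return 2

    # Puppet only manages a change when content differs; mirror that so a
    # notified service is not restarted on every agent run.
    if [ -f "$target" ] && cmp -s "$staged" "$target"; then
        return 1
    fi
    # Write beside the target and rename over it: readers never see a
    # half-written file, which `cat staged > target` cannot promise.
    tmp="$target.tmp.$$"
    if cp "$staged" "$tmp" && mv -f "$tmp" "$target"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Constructed demo: apply the same content twice, then changed content, and
# report how many times the stand-in notify fired plus the final content.
demo() {
    work=$(mktemp -d)
    STAGE_DIR=""
    mkdir -p "$work/etc"
    target="$work/etc/app.conf"
    printf 'port=8080\n' > "$work/v1"
    printf 'port=9090\n' > "$work/v2"
    notifies=0
    for src in "$work/v1" "$work/v1" "$work/v2"; do
        if copy_in "$target" "$src"; then
            notifies=$((notifies + 1))      # stand-in for notify => Service[...]
        fi
    done
    result="$notifies $(cat "$target")"
    rm -rf "$work" "$STAGE_DIR"
    STAGE_DIR=""
    echo "$result"
}

demo
```

In the Puppet version the `subscribe` on the exec gives the same only-on-change behaviour, because the exec runs only when the staged file resource reports a change; the point of the shell version is to show that the comparison, not the copy, is what gates the restart.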
  31. Puppet Module Rootless: GitHub GoGo! https://github.com/UTIWorldwide/puppet-module-rootless ; install with: puppet module install utiworldwide/rootless
  32. Puppet master as non-root: three Puppet Labs packages: Puppet, Hiera, Facter.
  33. Puppet master as non-root: other software: Apache, Passenger, libyaml, libapr.
  34. Two generations, first generation: installed everything to /opt; Apache + libapr separate; Ruby, yaml separate; Puppet, Facter, Hiera conjoined.
  35. Two generations, problems with the first gen: no central log location; no way to upgrade; conf files awkwardly all over the place; the Rack dir lived under the Puppet dir.
  36. Two generations, new generation: everything rooted under $HOME/local, BSD Ports style; Hiera, Puppet and Facter running from source; 'init' scripts for everything in local/etc; logs all go to local/var.
  37. Installation points: use a bash function to expose the puppet command:
      puppet () {
        . "$FAKE_ROOT/bin/.ruby_setup.sh"
        "$FAKE_ROOT/opt/puppet/bin/puppet" "$@" --confdir="$FAKE_ROOT/etc/puppet"
      }
  38. Installation points: Passenger 4 reads your .bashrc, so check for a tty before getting fancy:
      if tty -s; then
        if env | grep TMOUT >/dev/null; then
          exec env -u TMOUT bash
        fi
      fi
  39. Installation points: set LD_LIBRARY_PATH and RUBYLIB at the last possible second, in the puppet function or in etc/init.d/httpd.
  40. Installation points: build Passenger on an equivalent system and rsync it up; its dependencies are many, and installing libcurl and openssl from source is hard.
  41. Installation points: try to keep your env as similar to a rooted environment as you can. Tell lies to tell the truth.
  42. Outro: Questions? Spencer Krum, github.com/nibalizer, nibalizer on irc.freenode.net. Book from Apress: http://www.apress.com/9781430260400