Puppet, profile picture
Uploaded byPuppet
830 views

The Worst Code I Ever Wrote

The document discusses poor coding practices in Puppet, focusing on understanding functions, SSH key management, and looping techniques. It highlights the challenges of working with legacy code and the importance of creating reusable and maintainable code. The author shares personal experiences of code misuse, advocating for better practices and tools in Puppet programming.

Embed presentation

Download to read offline
The worst code I ever wrote (maybe) Tomas Doran @bobtfish tdoran@yelp.com 15/11/2013
Key lessons ! •‘Working’ != ‘done’ – I’m a terrible person – Working now doesn’t mean you can maintain it •Functions for reuse – and my horrible propensity for inline templating •exec {} abuse – Lets fit an entire shell script in the command => “…” •Looping – Hacks you have probably used. – Doing it sanely with puppet >= 3.2 tl;dl: This talk is about bad puppet code, and how and why to do it better. The worst code I ever wrote is a lie ;) We’re going to concentrate on 2 main topics - functions and looping, with a nod to exec abuse.
Managing ssh keys - gitolite ! • Legacy user management code –Old non-modular code –Have to fit in –Can’t change everything • Built in sshkey {} – Not suitable for our requirements We’re rapidly updating our puppet codebase, but the user management code is one of the most complex parts, so we wanted to be minimally invasive.. We needed to generate a very custom authorized keys files to integrate gitolite authentication into our current model.
sshkey resource The built in sshkey {} isn’t perfect for everyone. Most of the solutions on forge aren’t generic
http://forge.puppetlabs.com/hetzeneckerl/ssh_authorized_key These are the core issues. But this code didn’t work for me.
http://forge.puppetlabs.com/nightfly/ssh_keys ! • Legacy user management code ! –Old non-modular code –Have to fit in • Almost – But not quite suitable for our requirements Doing it myself as a concat {} seemed sane, especially given other people’s evidence..
Managing ssh keys - gitolite ! • Legacy user management code ! –Old non-modular code –Have to fit in –Can’t change everything • Built in sshkey {} – Not suitable for our requirements ! • Hack what we want with define So, we’re gonna use a bunch of defines and concat {}, easy?
Inputs and outputs ! gitolite::user { ‘tdoran’: key_source => $key_source; } – Add in current user management code – $keysource = puppet:///files/ users/tdoran/authorized_keys /etc/authorized_keys.d/git.pub – Use concat – Multiple gitolite instances! - API for creating a key we drop into our current user management path - Eventual generated file, from a concat {} resource - Note we can have multiple gitolite instances on one box, that makes everything much harder.
So how does it work? First, get an array of key lines, with names prepended $864
Split the key into an array $864 We split the file of keys into an array of lines. We remove comments, whitespace only lines etc We capture the entire key passed in.
Split the key into an array $864 We interpolate the username in front of that key, space separating them
Split the key into an array $864 End up with an array of strings which are username and key joined by a space We then abuse a define as a loop by calling it with the array of lines as $title
Prepend instance name ! Add user to every instance – [“${username} ${restofkey}”] – [“${instance} “] – [“${instance} ${username} ${restofkey}”] – Use this as $name in a define to iterate – ssh/authorized_keys.d/${instance}.pub We then have an array of instances, and an array of users/keys. Our array_prefix function makes the product of both lists. Complexity due to iterating over two lists $key_lines and $instances
Prepend instance name ! Add user to every instance – [“${username} ${restofkey}”] – [“${instance} “] – [“${instance} ${username} ${restofkey}”] – Use this as $name in a define to iterate – ssh/authorized_keys.d/${instance}.pub We then have an array of instances, and an array of users/keys. Our array_prefix function makes the product of both lists. Complexity due to iterating over two lists $key_lines and $instances
Prepend instance name ! Add user to every instance – [“${username} ${restofkey}”] – [“${instance} “] – [“${instance} ${username} ${restofkey}”] – Use this as $name in a define to iterate – ssh/authorized_keys.d/${instance}.pub We then have an array of instances, and an array of users/keys. Our array_prefix function makes the product of both lists. Complexity due to iterating over two lists $key_lines and $instances
Prepend instance name ! Add user to every instance – [“${username} ${restofkey}”] – [“${instance} “] – [“${instance} ${username} ${restofkey}”] – Use this as $name in a define to iterate – ssh/authorized_keys.d/${instance}.pub We then have an array of instances, and an array of users/keys. Our array_prefix function makes the product of both lists. Complexity due to iterating over two lists $key_lines and $instances
Prepend instance name ! Add user to every instance – [“${username} ${restofkey}”] – [“${instance} “] – [“${instance} ${username} ${restofkey}”] – Use this as $name in a define to iterate – ssh/authorized_keys.d/${instance}.pub This is gross We then have an array of instances, and an array of users/keys. Our array_prefix function makes the product of both lists. Complexity due to iterating over two lists $key_lines and $instances
My original next code Stare in horror! $864 This was hideous. Whilst looping without define abuse is hard, there’s just no excuse for this.
Sins LOL?? Hideous abuse of define - one $name for each $key_lines $864 We then split the line back up.
Sins $864 Shift the user name off the array. Lol, who knew you could do that? Use the remaining data joined back up LOL?? Hideous abuse of variables
Sins Hideous abuse of interpolation LOL?? LOL?? $864 So, here, I have a double quoted string containing erb, and I’m then using double quote (not erb) interpolation.. Niiice.
Sins Hideous abuse of quoting EVERY TYPE OF QUOTES!!! LOL?? LOL?? LOL?? $864
Sins Hideous abuse of quoting $864 LOL?? LOL??
Sins Hideous abuse of bash LOL?? $864 ssh-keygen can’t be fed from stdin without disgusting trickery (modern bash specific)
Sins So complex I’m tempting the template! LOL?? $864 LOL?? And yes, it’s so complex I template the thing I’m interpolating into a template..
I am a bad person LOL? $864
I am a bad person LOL? $864
I am a bad person LOL? $864 Thankfully
I am a bad person LOL? $864 Someone stopped me ;)
Don’t abuse inline_template() ! • Please? – I’m a terrible person – Working now doesn’t mean you can maintain it • Functions for reuse – Full power of ruby – Composable – There should be more libraries of functions Do what I’m saying, not what I do :)
More sane Except each user can have multiple keys, and we want to prevent any key being reused by multiple users.
Issues with functions ! • What functions do I even have? – Hard to know what functions you have imported – stdlib, builtins, ….your $modulepath here… • What do these even do? – Often need to read the code to determine – Lots of functions packaged with modules - don’t do this! • Millions of twisty little functions, all alike • Millions of twisty little functions, all different – You know what this reminds me of?
Everyone’s favorite language If all you have is a hammer, everything looks like a nail
has a few functions Unfortunately, there are no consistent naming conventions
arguably And it’s hard to work out which function you actually want
a few too many.. The problem is, functions in a global namespace aren’t all that modular/composable. You can call functions from functions - but dependency hell
we’re almost half way through…. Shall I stop now? :) puppet problem is worse than this - what functions you have depends on what modules are in your codebase.
Get docs for project’s functions I wrote a thing to help with this - this will document _your_ functions for you. gist at end of talk.
gitolite group file generation ! • /etc/groups on system ! • gitolite groups have a different format: @admins = tdoran joebloggs! ! • Use exec {… add mess here … } This is another great example of what not to do.
exec {} abuse Syntax highlighting won’t save you now puny human! $864 This. DO NOT DO THIS. Please?
exec {} abuse Syntax highlighting won’t save you now puny human! $864
exec {} abuse Syntax highlighting won’t save you now puny human! $864
exec {} abuse Syntax highlighting won’t save you now puny human! $864 Arggh, the backslashes!
This madness actually worked LOL? $864
This madness actually worked LOL? ! •exec {} abuse – Lets fit an entire shell script in the 
 command => “…” – Don’t do it! :) – Drop a perl/python/ruby script (or two) instead, call them from the exec. $864 – Think about writing a type/provider – Lots of examples of parsedfile available
Which would you rather have to debug? $864
OR THIS!?! $864
Which one’s going to stay debugged? $864
OR THIS?!? $864
Looping sanely ! This would work fine. Need multiple instances :(
—parser future
—parser future $864
—parser future ! • Can’t do this at Yelp (yet) • Still using 2.7, because $864 variable scope
Hypocrisy avoidance ! ”There should be more libraries of functions” - Me, about 5m ago – https://github.com/bobtfish/puppetsshkey_utilities – https://github.com/bobtfish/puppet-better_file – https://gist.github.com/bobtfish/7403811 – Whole module to follow (eventually)
That’s all folks ! • Where was that code? – https://github.com/bobtfish/puppet-sshkey_utilities – https://github.com/bobtfish/puppet-better_file • Did you say you were hiring? – YES – Hamburg. – London. – San Francisco. • Questions?

More Related Content

ODP
Moose - YAPC::NA 2012
byxSawyer
 
KEY
Moose
byJohn Napiorkowski
 
ODP
Modern Perl
byMarcos Rebelo
 
ODP
Evolving Software with Moose
byDave Cross
 
PPTX
Non-Relational Databases
bykchodorow
 
PDF
Puppet Camp Paris 2015: Power of Puppet 4 (Beginner)
byPuppet
 
PDF
Ruby - Uma Introdução
byÍgor Bonadio
 
PDF
Good Evils In Perl
byKang-min Liu
 
Moose - YAPC::NA 2012
byxSawyer
 
Moose
byJohn Napiorkowski
 
Modern Perl
byMarcos Rebelo
 
Evolving Software with Moose
byDave Cross
 
Non-Relational Databases
bykchodorow
 
Puppet Camp Paris 2015: Power of Puppet 4 (Beginner)
byPuppet
 
Ruby - Uma Introdução
byÍgor Bonadio
 
Good Evils In Perl
byKang-min Liu
 

What's hot

KEY
Perl: Hate it for the Right Reasons
byMatt Follett
 
PDF
Rails workshop for Java people (September 2015)
byAndre Foeken
 
PDF
Nedap Rails Workshop
byAndre Foeken
 
ODP
NYPHP March 2009 Presentation
bybrian_dailey
 
TXT
Getfilestruct zbksh(1)
byBen Pope
 
ODP
Modern Perl
byDave Cross
 
PDF
Accelerated Native Mobile Development with the Ti gem
byWynn Netherland
 
PPT
Going crazy with Node.JS and CakePHP
byMariano Iglesias
 
PDF
DBIx::Class beginners
byleo lapworth
 
PPTX
Koajs as an alternative to Express - OdessaJs'16
byNikolay Kozhukharenko
 
PDF
Your JavaScript Library
byDmitry Baranovskiy
 
PDF
Introduction to CoffeeScript
byStalin Thangaraj
 
PDF
AnyMQ, Hippie, and the real-time web
byclkao
 
KEY
ISUCONアプリを Pythonで書いてみた
bymemememomo
 
PPSX
Symfony2 meets propel 1.5
byFrancois Zaninotto
 
PDF
WordPress London 16 May 2012 - You don’t know query
byl3rady
 
PDF
DBIx::Class introduction - 2010
byleo lapworth
 
PPT
Dealing with Legacy Perl Code - Peter Scott
byO'Reilly Media
 
PDF
Symfony 2.0 on PHP 5.3
byFabien Potencier
 
Perl: Hate it for the Right Reasons
byMatt Follett
 
Rails workshop for Java people (September 2015)
byAndre Foeken
 
Nedap Rails Workshop
byAndre Foeken
 
NYPHP March 2009 Presentation
bybrian_dailey
 
Getfilestruct zbksh(1)
byBen Pope
 
Modern Perl
byDave Cross
 
Accelerated Native Mobile Development with the Ti gem
byWynn Netherland
 
Going crazy with Node.JS and CakePHP
byMariano Iglesias
 
DBIx::Class beginners
byleo lapworth
 
Koajs as an alternative to Express - OdessaJs'16
byNikolay Kozhukharenko
 
Your JavaScript Library
byDmitry Baranovskiy
 
Introduction to CoffeeScript
byStalin Thangaraj
 
AnyMQ, Hippie, and the real-time web
byclkao
 
ISUCONアプリを Pythonで書いてみた
bymemememomo
 
Symfony2 meets propel 1.5
byFrancois Zaninotto
 
WordPress London 16 May 2012 - You don’t know query
byl3rady
 
DBIx::Class introduction - 2010
byleo lapworth
 
Dealing with Legacy Perl Code - Peter Scott
byO'Reilly Media
 
Symfony 2.0 on PHP 5.3
byFabien Potencier
 

Similar to The Worst Code I Ever Wrote

PDF
Using Puppet on Linux, Windows, and Mac OSX
byPuppet
 
PDF
Puppet modules: A Holistic Approach - Geneva
byAlessandro Franceschi
 
PDF
Love The Terminal
byMike West
 
KEY
20100425 Configuration Management With Puppet Lfnw
bygarrett honeycutt
 
PDF
Puppet modules: An Holistic Approach
byAlessandro Franceschi
 
PDF
Puppet Modules: An Holistic Approach - Alessandro Franceschi of Lab42 - Puppe...
byPuppet
 
PDF
What we Learned Implementing Puppet at Backstop
byPuppet
 
PDF
20090514 Introducing Puppet To Sasag
bygarrett honeycutt
 
PDF
Replacing "exec" with a type and provider: Return manifests to a declarative ...
byPuppet
 
PDF
Replacing "exec" with a type and provider
byDominic Cleal
 
PDF
Computer Security
byAristotelis Kotsomitopoulos
 
PDF
Can you upgrade to Puppet 4.x?
byMartin Alfke
 
PDF
Absolute Beginners Guide to Puppet Through Types - PuppetConf 2014
byPuppet
 
PDF
Dssh @ Confidence, Prague 2010
byJuraj Bednar
 
PPT
Dance for the puppet master: G6 Tech Talk
byMichael Peacock
 
PDF
Writing and Publishing Puppet Modules - PuppetConf 2014
byPuppet
 
PDF
Puppet managed loadays
byloadays
 
PPTX
Tranning-2
byAli Hussain
 
PDF
BRISK_Network_Pentest_
byBriskInfosec Solutions
 
PDF
One-Liners to Rule Them All
byegypt
 
Using Puppet on Linux, Windows, and Mac OSX
byPuppet
 
Puppet modules: A Holistic Approach - Geneva
byAlessandro Franceschi
 
Love The Terminal
byMike West
 
20100425 Configuration Management With Puppet Lfnw
bygarrett honeycutt
 
Puppet modules: An Holistic Approach
byAlessandro Franceschi
 
Puppet Modules: An Holistic Approach - Alessandro Franceschi of Lab42 - Puppe...
byPuppet
 
What we Learned Implementing Puppet at Backstop
byPuppet
 
20090514 Introducing Puppet To Sasag
bygarrett honeycutt
 
Replacing "exec" with a type and provider: Return manifests to a declarative ...
byPuppet
 
Replacing "exec" with a type and provider
byDominic Cleal
 
Computer Security
byAristotelis Kotsomitopoulos
 
Can you upgrade to Puppet 4.x?
byMartin Alfke
 
Absolute Beginners Guide to Puppet Through Types - PuppetConf 2014
byPuppet
 
Dssh @ Confidence, Prague 2010
byJuraj Bednar
 
Dance for the puppet master: G6 Tech Talk
byMichael Peacock
 
Writing and Publishing Puppet Modules - PuppetConf 2014
byPuppet
 
Puppet managed loadays
byloadays
 
Tranning-2
byAli Hussain
 
BRISK_Network_Pentest_
byBriskInfosec Solutions
 
One-Liners to Rule Them All
byegypt
 

More from Puppet

PPTX
Puppet Community Day: Planning the Future Together
byPuppet
 
PPTX
The Evolution of Puppet: Key Changes and Modernization Tips
byPuppet
 
PPTX
Can You Help Me Upgrade to Puppet 8? Tips, Tools & Best Practices for Your Up...
byPuppet
 
PPTX
Bolt Dynamic Inventory: Making Puppet Easier
byPuppet
 
PPTX
Customizing Reporting with the Puppet Report Processor
byPuppet
 
PPTX
Puppet at ConfigMgmtCamp 2025 Sponsor Deck
byPuppet
 
PPTX
The State of Puppet in 2025: A Presentation from Developer Relations Lead Dav...
byPuppet
 
PPTX
Let Red be Red and Green be Green: The Automated Workflow Restarter in GitHub...
byPuppet
 
PDF
Puppet camp2021 testing modules and controlrepo
byPuppet
 
PPTX
Puppetcamp r10kyaml
byPuppet
 
PDF
2021 04-15 operational verification (with notes)
byPuppet
 
PPTX
Puppet camp vscode
byPuppet
 
PDF
Modules of the twenties
byPuppet
 
PDF
Applying Roles and Profiles method to compliance code
byPuppet
 
PPTX
KGI compliance as-code approach
byPuppet
 
PDF
Enforce compliance policy with model-driven automation
byPuppet
 
PDF
Keynote: Puppet camp compliance
byPuppet
 
PPTX
Automating it management with Puppet + ServiceNow
byPuppet
 
PPTX
Puppet: The best way to harden Windows
byPuppet
 
PPTX
Simplified Patch Management with Puppet - Oct. 2020
byPuppet
 
Puppet Community Day: Planning the Future Together
byPuppet
 
The Evolution of Puppet: Key Changes and Modernization Tips
byPuppet
 
Can You Help Me Upgrade to Puppet 8? Tips, Tools & Best Practices for Your Up...
byPuppet
 
Bolt Dynamic Inventory: Making Puppet Easier
byPuppet
 
Customizing Reporting with the Puppet Report Processor
byPuppet
 
Puppet at ConfigMgmtCamp 2025 Sponsor Deck
byPuppet
 
The State of Puppet in 2025: A Presentation from Developer Relations Lead Dav...
byPuppet
 
Let Red be Red and Green be Green: The Automated Workflow Restarter in GitHub...
byPuppet
 
Puppet camp2021 testing modules and controlrepo
byPuppet
 
Puppetcamp r10kyaml
byPuppet
 
2021 04-15 operational verification (with notes)
byPuppet
 
Puppet camp vscode
byPuppet
 
Modules of the twenties
byPuppet
 
Applying Roles and Profiles method to compliance code
byPuppet
 
KGI compliance as-code approach
byPuppet
 
Enforce compliance policy with model-driven automation
byPuppet
 
Keynote: Puppet camp compliance
byPuppet
 
Automating it management with Puppet + ServiceNow
byPuppet
 
Puppet: The best way to harden Windows
byPuppet
 
Simplified Patch Management with Puppet - Oct. 2020
byPuppet
 

Recently uploaded

PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Machine Learning Primer: The Complete Crash Course (From Theory to Deployment)
byAeafat Ahmed Mubin
 
PPTX
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
PDF
Lab 4.4 More Cloud Logging and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
Smart Buildings 2025 Wrapped! The Rise of Outcomes-as-a-Service
byMemoori
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PPTX
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
PDF
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
PDF
Lab 1.2 Introduction to Azure Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PDF
Lab 1.3 Introduction to GCP Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Lab 4.2 Multi-cloud Deployments - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Machine Learning Primer: The Complete Crash Course (From Theory to Deployment)
byAeafat Ahmed Mubin
 
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
Lab 4.4 More Cloud Logging and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Technology Consulting _ by Slidesgo.pptx
byfh82277
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Smart Buildings 2025 Wrapped! The Rise of Outcomes-as-a-Service
byMemoori
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
Lab 1.2 Introduction to Azure Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
API-First Architecture in Financial Systems
bycyy111112
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
Lab 1.3 Introduction to GCP Automation - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Lab 4.2 Multi-cloud Deployments - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 

The Worst Code I Ever Wrote

  • 2.
    The worst codeI ever wrote (maybe) Tomas Doran @bobtfish tdoran@yelp.com 15/11/2013
  • 3.
    Key lessons ! •‘Working’ !=‘done’ – I’m a terrible person – Working now doesn’t mean you can maintain it •Functions for reuse – and my horrible propensity for inline templating •exec {} abuse – Lets fit an entire shell script in the command => “…” •Looping – Hacks you have probably used. – Doing it sanely with puppet >= 3.2 tl;dl: This talk is about bad puppet code, and how and why to do it better. The worst code I ever wrote is a lie ;) We’re going to concentrate on 2 main topics - functions and looping, with a nod to exec abuse.
  • 4.
    Managing ssh keys- gitolite ! • Legacy user management code –Old non-modular code –Have to fit in –Can’t change everything • Built in sshkey {} – Not suitable for our requirements We’re rapidly updating our puppet codebase, but the user management code is one of the most complex parts, so we wanted to be minimally invasive.. We needed to generate a very custom authorized keys files to integrate gitolite authentication into our current model.
  • 5.
    sshkey resource The builtin sshkey {} isn’t perfect for everyone. Most of the solutions on forge aren’t generic
  • 6.
    http://forge.puppetlabs.com/hetzeneckerl/ssh_authorized_key These are thecore issues. But this code didn’t work for me.
  • 7.
    http://forge.puppetlabs.com/nightfly/ssh_keys ! • Legacy usermanagement code ! –Old non-modular code –Have to fit in • Almost – But not quite suitable for our requirements Doing it myself as a concat {} seemed sane, especially given other people’s evidence..
  • 8.
    Managing ssh keys- gitolite ! • Legacy user management code ! –Old non-modular code –Have to fit in –Can’t change everything • Built in sshkey {} – Not suitable for our requirements ! • Hack what we want with define So, we’re gonna use a bunch of defines and concat {}, easy?
  • 9.
    Inputs and outputs ! gitolite::user{ ‘tdoran’: key_source => $key_source; } – Add in current user management code – $keysource = puppet:///files/ users/tdoran/authorized_keys /etc/authorized_keys.d/git.pub – Use concat – Multiple gitolite instances! - API for creating a key we drop into our current user management path - Eventual generated file, from a concat {} resource - Note we can have multiple gitolite instances on one box, that makes everything much harder.
  • 10.
    So how doesit work? First, get an array of key lines, with names prepended $864
  • 11.
    Split the keyinto an array $864 We split the file of keys into an array of lines. We remove comments, whitespace only lines etc We capture the entire key passed in.
  • 12.
    Split the keyinto an array $864 We interpolate the username in front of that key, space separating them
  • 13.
    Split the keyinto an array $864 End up with an array of strings which are username and key joined by a space We then abuse a define as a loop by calling it with the array of lines as $title
  • 14.
    Prepend instance name ! Adduser to every instance – [“${username} ${restofkey}”] – [“${instance} “] – [“${instance} ${username} ${restofkey}”] – Use this as $name in a define to iterate – ssh/authorized_keys.d/${instance}.pub We then have an array of instances, and an array of users/keys. Our array_prefix function makes the product of both lists. Complexity due to iterating over two lists $key_lines and $instances
  • 15.
    Prepend instance name ! Adduser to every instance – [“${username} ${restofkey}”] – [“${instance} “] – [“${instance} ${username} ${restofkey}”] – Use this as $name in a define to iterate – ssh/authorized_keys.d/${instance}.pub We then have an array of instances, and an array of users/keys. Our array_prefix function makes the product of both lists. Complexity due to iterating over two lists $key_lines and $instances
  • 16.
    Prepend instance name ! Adduser to every instance – [“${username} ${restofkey}”] – [“${instance} “] – [“${instance} ${username} ${restofkey}”] – Use this as $name in a define to iterate – ssh/authorized_keys.d/${instance}.pub We then have an array of instances, and an array of users/keys. Our array_prefix function makes the product of both lists. Complexity due to iterating over two lists $key_lines and $instances
  • 17.
    Prepend instance name ! Adduser to every instance – [“${username} ${restofkey}”] – [“${instance} “] – [“${instance} ${username} ${restofkey}”] – Use this as $name in a define to iterate – ssh/authorized_keys.d/${instance}.pub We then have an array of instances, and an array of users/keys. Our array_prefix function makes the product of both lists. Complexity due to iterating over two lists $key_lines and $instances
  • 18.
    Prepend instance name ! Adduser to every instance – [“${username} ${restofkey}”] – [“${instance} “] – [“${instance} ${username} ${restofkey}”] – Use this as $name in a define to iterate – ssh/authorized_keys.d/${instance}.pub This is gross We then have an array of instances, and an array of users/keys. Our array_prefix function makes the product of both lists. Complexity due to iterating over two lists $key_lines and $instances
  • 19.
    My original nextcode Stare in horror! $864 This was hideous. Whilst looping without define abuse is hard, there’s just no excuse for this.
  • 20.
    Sins LOL?? Hideous abuse ofdefine - one $name for each $key_lines $864 We then split the line back up.
  • 21.
    Sins $864 Shift the username off the array. Lol, who knew you could do that? Use the remaining data joined back up LOL?? Hideous abuse of variables
  • 22.
    Sins Hideous abuse ofinterpolation LOL?? LOL?? $864 So, here, I have a double quoted string containing erb, and I’m then using double quote (not erb) interpolation.. Niiice.
  • 23.
    Sins Hideous abuse ofquoting EVERY TYPE OF QUOTES!!! LOL?? LOL?? LOL?? $864
  • 24.
    Sins Hideous abuse ofquoting $864 LOL?? LOL??
  • 25.
    Sins Hideous abuse ofbash LOL?? $864 ssh-keygen can’t be fed from stdin without disgusting trickery (modern bash specific)
  • 26.
    Sins So complex I’mtempting the template! LOL?? $864 LOL?? And yes, it’s so complex I template the thing I’m interpolating into a template..
  • 27.
    I am abad person LOL? $864
  • 28.
    I am abad person LOL? $864
  • 29.
    I am abad person LOL? $864 Thankfully
  • 30.
    I am abad person LOL? $864 Someone stopped me ;)
  • 31.
    Don’t abuse inline_template() ! •Please? – I’m a terrible person – Working now doesn’t mean you can maintain it • Functions for reuse – Full power of ruby – Composable – There should be more libraries of functions Do what I’m saying, not what I do :)
  • 32.
    More sane Except eachuser can have multiple keys, and we want to prevent any key being reused by multiple users.
  • 33.
    Issues with functions ! •What functions do I even have? – Hard to know what functions you have imported – stdlib, builtins, ….your $modulepath here… • What do these even do? – Often need to read the code to determine – Lots of functions packaged with modules - don’t do this! • Millions of twisty little functions, all alike • Millions of twisty little functions, all different – You know what this reminds me of?
  • 34.
    Everyone’s favorite language Ifall you have is a hammer, everything looks like a nail
  • 35.
    has a fewfunctions Unfortunately, there are no consistent naming conventions
  • 36.
    arguably And it’s hardto work out which function you actually want
  • 37.
    a few toomany.. The problem is, functions in a global namespace aren’t all that modular/composable. You can call functions from functions - but dependency hell
  • 38.
    we’re almost halfway through…. Shall I stop now? :) puppet problem is worse than this - what functions you have depends on what modules are in your codebase.
  • 39.
    Get docs forproject’s functions I wrote a thing to help with this - this will document _your_ functions for you. gist at end of talk.
  • 40.
    gitolite group filegeneration ! • /etc/groups on system ! • gitolite groups have a different format: @admins = tdoran joebloggs! ! • Use exec {… add mess here … } This is another great example of what not to do.
  • 41.
    exec {} abuse Syntaxhighlighting won’t save you now puny human! $864 This. DO NOT DO THIS. Please?
  • 42.
    exec {} abuse Syntaxhighlighting won’t save you now puny human! $864
  • 43.
    exec {} abuse Syntaxhighlighting won’t save you now puny human! $864
  • 44.
    exec {} abuse Syntaxhighlighting won’t save you now puny human! $864 Arggh, the backslashes!
  • 45.
    This madness actuallyworked LOL? $864
  • 46.
    This madness actuallyworked LOL? ! •exec {} abuse – Lets fit an entire shell script in the 
 command => “…” – Don’t do it! :) – Drop a perl/python/ruby script (or two) instead, call them from the exec. $864 – Think about writing a type/provider – Lots of examples of parsedfile available
  • 47.
    Which would yourather have to debug? $864
  • 48.
  • 49.
    Which one’s goingto stay debugged? $864
  • 50.
  • 51.
    Looping sanely ! This wouldwork fine. Need multiple instances :(
  • 52.
  • 53.
  • 54.
    —parser future ! • Can’tdo this at Yelp (yet) • Still using 2.7, because $864 variable scope
  • 55.
    Hypocrisy avoidance ! ”There shouldbe more libraries of functions” - Me, about 5m ago – https://github.com/bobtfish/puppetsshkey_utilities – https://github.com/bobtfish/puppet-better_file – https://gist.github.com/bobtfish/7403811 – Whole module to follow (eventually)
  • 56.
    That’s all folks ! •Where was that code? – https://github.com/bobtfish/puppet-sshkey_utilities – https://github.com/bobtfish/puppet-better_file • Did you say you were hiring? – YES – Hamburg. – London. – San Francisco. • Questions?