-
1.
Intro to Puppet
Making Administration Sexy
Larry Ludwig
Email: larry@brandorr.com
Twitter: @lludwig
Web: brandorr.com
-
2.
Image from http://community.uaf.edu/~cde/wiki/uploads/ITSFuturama05/sexy-bill2.png
-
3.
How many servers/VPS instances
do you currently manage?
-
4.
How many servers/VPS instances
do you currently manage?
• <25
-
5.
How many servers/VPS instances
do you currently manage?
• <25
• >25 & <100
-
6.
How many servers/VPS instances
do you currently manage?
• <25
• >25 & <100
• >100 & <250
-
7.
How many servers/VPS instances
do you currently manage?
• <25
• >25 & <100
• >100 & <250
• 250+
-
8.
The Evolution of
Administration
Image from http://www.wordinfo.info/words/images/evolution-man-computer.gif
-
9.
The Evolution of
Administration
Image from http://www.wordinfo.info/words/images/evolution-man-computer.gif
-
10.
From the Single Mainframe Computer
Image from http://tvtropes.org/pmwiki/pub/images/monolith.jpg
-
11.
To Today Many Virtual Servers
Image from http://www.code-muse.com/blog/wp-content/uploads/2007/11/df20021001.jpg
-
12.
What’s wrong with
Administration Today?
-
13.
What’s wrong with
Administration Today?
• Too many computers/services
-
14.
What’s wrong with
Administration Today?
• Too many computers/services
• Too many different operating systems
-
15.
What’s wrong with
Administration Today?
• Too many computers/services
• Too many different operating systems
• Not enough time
-
16.
What’s wrong with
Administration Today?
• Too many computers/services
• Too many different operating systems
• Not enough time
• Mostly a manual process
-
17.
What’s wrong with
Administration Today?
• Too many computers/services
• Too many different operating systems
• Not enough time
• Mostly a manual process
• No feedback loop - (work and boss)
-
18.
What’s wrong with
Administration Today?
• Too many computers/services
• Too many different operating systems
• Not enough time
• Mostly a manual process
• No feedback loop - (work and boss)
• Best practices are not shared
-
19.
What’s wrong with
Administration Today?
• Too many computers/services
• Too many different operating systems
• Not enough time
• Mostly a manual process
• No feedback loop - (work and boss)
• Best practices are not shared
• Too much money lost when they fail
-
20.
What’s wrong with
Administration Today?
• Too many computers/services
• Too many different operating systems
• Not enough time
• Mostly a manual process
• No feedback loop - (work and boss)
• Best practices are not shared
• Too much money lost when they fail
-
21.
Not exactly modern
Image from http://flickr.com/photos/silverwood/593965547/
-
22.
In fact,
they kinda
suck
Image from http://flickr.com/photos/jefframone/1426716646/
-
23.
Sysadmin Programming
Language Progression
-
24.
Sysadmin Programming
Language Progression
• Assembly Language
-
25.
Sysadmin Programming
Language Progression
• Assembly Language
• High Level compiled languages (Cobol, C, C++)
-
26.
Sysadmin Programming
Language Progression
• Assembly Language
• High Level compiled languages (Cobol, C, C++)
• Shell Scripting (bash, awk, sed, grep, etc.)
-
27.
Sysadmin Programming
Language Progression
• Assembly Language
• High Level compiled languages (Cobol, C, C++)
• Shell Scripting (bash, awk, sed, grep, etc.)
• High Level Interpreted (Perl and Python)
-
28.
Sysadmin Programming
Language Progression
• Assembly Language
• High Level compiled languages (Cobol, C, C++)
• Shell Scripting (bash, awk, sed, grep, etc.)
• High Level Interpreted (Perl and Python)
• Administration Based Programming (CFEngine)
-
29.
What’s Wrong With
Existing Tools?
-
30.
What’s Wrong With
Existing Tools?
• Monitoring is immature and requires far too
much effort
-
31.
What’s Wrong With
Existing Tools?
• Monitoring is immature and requires far too
much effort
• Few if any built-in feedback loops
-
32.
What’s Wrong With
Existing Tools?
• Monitoring is immature and requires far too
much effort
• Few if any built-in feedback loops
• Each tool is an independent
-
33.
What’s Wrong With
Existing Tools?
• Monitoring is immature and requires far too
much effort
• Few if any built-in feedback loops
• Each tool is an independent
• All failures lead directly to human
intervention
-
34.
What’s Wrong With
Existing Tools?
• Monitoring is immature and requires far too
much effort
• Few if any built-in feedback loops
• Each tool is an independent
• All failures lead directly to human
intervention
• No sharing of best practices and a manual
process prone to errors
-
35.
What’s Wrong With
Existing Tools?
• Monitoring is immature and requires far too
much effort
• Few if any built-in feedback loops
• Each tool is an independent
• All failures lead directly to human
intervention
• No sharing of best practices and a manual
process prone to errors
• Security policies via documentation files
-
36.
What is Puppet?
-
37.
What is Puppet?
• Puppet is a programming language that
automates system administration
-
38.
What is Puppet?
• Puppet is a programming language that
automates system administration
• It’s the glue between resources and
configuration files
-
39.
What is Puppet?
• Puppet is a programming language that
automates system administration
• It’s the glue between resources and
configuration files
• Allows for repeatable sysadmin best
practices
-
40.
Net Result
• Servers are configured exactly how you
specify
• Code once, deploy many
• Self documenting code
• Allow for repeatable built machines
• Allows for a constantly updated
infrastructure
-
41.
Puppet Features
-
42.
Puppet Features
• Open Source GPL license
-
43.
Puppet Features
• Open Source GPL license
• Developed in Ruby language
-
44.
Puppet Features
• Open Source GPL license
• Developed in Ruby language
• Declarative language
-
45.
Puppet Features
• Open Source GPL license
• Developed in Ruby language
• Declarative language
• Resource abstraction
-
46.
Puppet Features
• Open Source GPL license
• Developed in Ruby language
• Declarative language
• Resource abstraction
• client/server model - centralized management with
downloadable resources
-
47.
Puppet Features
• Open Source GPL license
• Developed in Ruby language
• Declarative language
• Resource abstraction
• client/server model - centralized management with
downloadable resources
• Platform independent (supports many *nixes)
-
48.
Puppet Features
• Open Source GPL license
• Developed in Ruby language
• Declarative language
• Resource abstraction
• client/server model - centralized management with
downloadable resources
• Platform independent (supports many *nixes)
• Relationships and execution order
-
49.
Puppet Features
• Open Source GPL license
• Developed in Ruby language
• Declarative language
• Resource abstraction
• client/server model - centralized management with
downloadable resources
• Platform independent (supports many *nixes)
• Relationships and execution order
• Can be used with servers and desktops
-
50.
Puppet Features
• Open Source GPL license
• Developed in Ruby language
• Declarative language
• Resource abstraction
• client/server model - centralized management with
downloadable resources
• Platform independent (supports many *nixes)
• Relationships and execution order
• Can be used with servers and desktops
• Recipes “make it so” - ensures correctness and
repeatable
-
51.
Puppet Features
• Open Source GPL license
• Developed in Ruby language
• Declarative language
• Resource abstraction
• client/server model - centralized management with
downloadable resources
• Platform independent (supports many *nixes)
• Relationships and execution order
• Can be used with servers and desktops
• Recipes “make it so” - ensures correctness and
repeatable
• Not only for installs but to maintain and upgrade
-
52.
O
SSH
-
53.
Net Effects
-
54.
Your Infrastructure is a
now a program
-
55.
10,000 ft Overview
-
56.
Centralized
Management
-
57.
Each host gets a
Resource Catalog
-
58.
The Configuration
Process
-
59.
The Configuration
Process
1. Retrieve resource catalog from central
server
-
60.
The Configuration
Process
1. Retrieve resource catalog from central
server
2. Determine resource order
-
61.
The Configuration
Process
1. Retrieve resource catalog from central
server
2. Determine resource order
3. Check each resource in turn, fixing if
necessary
-
62.
The Configuration
Process
1. Retrieve resource catalog from central
server
2. Determine resource order
3. Check each resource in turn, fixing if
necessary
4. Rinse and repeat, every 30 minutes
-
63.
Transactions (for each
resource)
-
64.
Transactions (for each
resource)
1. Retrieve current state (e.g., by querying dpkg
db or doing a stat)
-
65.
Transactions (for each
resource)
1. Retrieve current state (e.g., by querying dpkg
db or doing a stat)
2. Compare to desired state
-
66.
Transactions (for each
resource)
1. Retrieve current state (e.g., by querying dpkg
db or doing a stat)
2. Compare to desired state
3. Fix, if necessary (or just log)
-
67.
Configurations are
idempotent
-
68.
Configurations are
idempotent
-
69.
Idempotency allows
management through
the lifecycle
-
70.
Resource sorting is
done via dependencies
Otherwise known as a ‘Resource Graph’
-
71.
Abstraction
-
72.
Portable Resources
This:
-
73.
Portable Resources
This:
Becomes:
-
74.
Portable Resources
This:
Becomes:
-
75.
Portable Resources
This:
Becomes:
-
76.
Portable Resources
This:
Becomes:
-
77.
Portable Resources
This:
Becomes:
-
78.
What can you manage?
• 40+ resource types
• Users in NetInfo, useradd, pw and LDAP
• Support for Debian, Ubuntu, Red Hat,
Solaris, OS X, Gentoo, SuSE, FreeBSD,
AIX, HP-UX and more (currently not
Windows)
-
79.
Built In Types
• augeas • nagios_hostgroup
• computer • nagios_service
• cron • nagios_servicedependency
• exec • nagios_serviceescalation
• file • nagios_serviceextinfo
• filebucket • nagios_servicegroup
• group • nagios_timeperiod
• host • notify
• k5login • package
• macauthorization • resources
• mailalias • schedule
• maillist • selmodule
• mcx • service
• mount • ssh_authorized_key
• nagios_command • sshkey
• nagios_contact • tidy
• nagios_contactgroup • user
• nagios_host • yumrepo
• nagios_hostdependency • zfs
• nagios_hostescalation • zone
• nagios_hostextinfo • zpool
-
80.
Reuse
-
81.
Same concept, different
code
Debian
-
82.
Same concept, different
code
Debian
Red Hat
-
83.
Portability and Naming
-
84.
One solution per
problem
-
85.
Relationships
-
86.
Relationships matter
but are often implicit
-
87.
Relationships matter
but are often implicit
Package
-
88.
Relationships matter
but are often implicit
Configuration should get
Package modifed after package
installation
Configuration
-
89.
Relationships matter
but are often implicit
Configuration should get
Package modifed after package
installation
Service should restart
when
Configuration
configuration changes
Service
-
90.
Relationships matter
-
91.
Classes provide Intent
-
92.
Facter
-
93.
What is Facter?
-
94.
What is Facter?
• Collects and display facts about the
host
-
95.
What is Facter?
• Collects and display facts about the
host
• Integrated into puppet. Variables are
inserted into Puppet recipes
-
96.
What is Facter?
• Collects and display facts about the
host
• Integrated into puppet. Variables are
inserted into Puppet recipes
• Can create custom facts
-
97.
What is Facter?
• Collects and display facts about the
host
• Integrated into puppet. Variables are
inserted into Puppet recipes
• Can create custom facts
• Detects changes and updates variables
-
98.
Sample Output
-
99.
Configuration Files
-
100.
How to manage
configuration files?
-
101.
How to manage
configuration files?
• Direct File
-
102.
How to manage
configuration files?
• Direct File
• Inline Template (erb - ruby template language)
-
103.
How to manage
configuration files?
• Direct File
• Inline Template (erb - ruby template language)
• Augeas (new puppet type written by RedHat)
-
104.
File Template
source => [
“puppet:///nagios-nrpe/nrpe.${fqdn}.conf”,
“puppet:///nagios-nrpe/nrpe.${hostname}.conf”,
“puppet:///nagios-nrpe/nrpe.conf
],
-
105.
erb config files
content => $config_exim_setup ? {
"antispam”=> template("directadmin-exim/exim.antispam.conf.erb"),
"custom" => template("directadmin-exim/exim.${hostname}.conf.erb",
default => template("directadmin-exim/exim.default.conf.erb"),
},
exim.antispam.conf.erb
...
<% if config_da_clamd == "true" -%>
# enable clamav
av_scanner = clamd:/var/run/clamav/clamd.sock
<% end -%>
...
-
106.
Augeas
• New to Puppet (version 0.24.7)
• Currently supports RH/CentOS?
• Allows for line by line file editing
augeas{"jboss_conf":
context => "/files",
changes => [
"set /etc/jbossas/jbossas.conf/JBOSS_IP $ipaddress",
"set /etc/jbossas/jbossas.conf/JAVA_HOME /usr"
],
load_path => "$/usr/share/jbossas/lenses",
}
-
107.
Node Classification
-
108.
Puppet’s Internals
-
109.
Puppet scales like
HTTPS
-
110.
All communication is
via XMLRPC over
HTTPS
REST over HTTPS in 0.25.x
-
111.
Uses SSL, and provides
a Certificate Authority
-
112.
Logs go to syslog (by
default)
-
113.
Pros and Cons
-
114.
Pros
• Forever changes the way you think about
administration. Administration now follows a
development lifecycle
• Relationships
• Make a consistent configuration that always works
• External Node classification - (LDAP or external app)
• Good open source community
-
115.
Cons
• Weak with complex configuration files (Augeas
should help)
• Scalability issues out of box (uses webrick by
default)
• Documentation is slightly lacking and wiki needs
improvement
• Memory pig (especially with 64 bit OSes)
• Administration becomes system programming
• Test test test!
• Bad code, can have massive ripple effects
-
116.
The Competition
-
117.
Puppet vs. Capistrano
• Primarily used for app deployment lifecycle
(mostly RoR)
• On top of SSH
• No resource abstraction
• similar to existing scripting
-
118.
Puppet vs. Cfengine
• Closed sourced
• No resource abstraction
• No ordering
• No code reuse
• Cfengine 3 is a much needed improvement
-
119.
Puppet vs. Chef
• Puppet uses an external DSL while Chef is
Ruby based
• Imperative (since is Ruby language)
• Chef’s relationship ordering is top down
(order of code matters)
• No true dependency graph
-
120.
Resources
• http://puppet.reductivelabs.com/
• Source Code
• Recipes
• Wiki
• Documentation
• Bug Tracker
• http://groups.google.com/group/puppet-users
• “Pulling Strings with Puppet: Configuration Management Made
Easy” - James Turnbull
• ERB templates - http://www.ruby-doc.org/stdlib/libdoc/erb/rdoc/
-
121.
NYC Puppet Group
• http://groups.google.com/group/puppet-nyc
• If demand supports it - monthly
• A.D.D. Moment: Don’t forget about
marketing research question
-
122.
Questions?
-
123.
After NYLUG
TGI Fridays 8:30 PM
677 Lexington Avenue and 56th Street
Second floor, Northeast corner.
-
124.
Larry Ludwig
Available for Puppet consulting services and best
practices. In and out of the cloud
Larry Ludwig
Email: larry@brandorr.com
Twitter: @lludwig
Web: brandorr.com
admin 15 years, using puppet for almost 2 years.
Originally called &#x201C;What it is and how can it make system administration less painful&#x201D;
Conveys a better image and what immediately comes to mind is no other than:
This is not a sales pitch
I will ask a marketing some marketing research at the end
Like to know my audience
Like to know my audience
Like to know my audience
Like to know my audience
Stone Age
Modernize Administration like programming has in the past 20 years.
Mention my story
One server relative easy to manage
- one OS
- mostly custom developed applications, few commercial or OSS apps to maintain and upgrade
- monolith mainframe
Even worse, cloud based instances that only last a few hours
Like a blacksmith
no complex images
repeatable installations
Puppet make administration a process than a manual task
puppetd run as a daemon or cron
one puppetmaster
each server is called a node
* You can change the runinterval
* You can trigger runs through puppetrun, SIGUSR1, or puppetd --test
* You can change the runinterval
* You can trigger runs through puppetrun, SIGUSR1, or puppetd --test
* You can change the runinterval
* You can trigger runs through puppetrun, SIGUSR1, or puppetd --test
* You can change the runinterval
* You can trigger runs through puppetrun, SIGUSR1, or puppetd --test
Idempotency is what allows us to manage a machine through its whole lifecycle
term idempotent is used to describe methods or subroutine calls that can safely be called multiple times, as invoking the procedure a single time or multiple times results in the system maintaining the same state; i.e., after the method call all variables have the same value as they did before.
add/remove more resources as needed
resources
title
attributes
ensures correctness (self healing)
resources
title
attributes
ensures correctness (self healing)
resources
title
attributes
ensures correctness (self healing)
resources
title
attributes
ensures correctness (self healing)
resources
title
attributes
ensures correctness (self healing)
resources
title
attributes
ensures correctness (self healing)
resources
title
attributes
ensures correctness (self healing)
resources
title
attributes
ensures correctness (self healing)
Can develop your own custom Types
We&#x2019;re doing the same thing with different commands on different platforms
resources
unique name for each resource
We&#x2019;ll come back to abstraction
This is shareable, releasable code.
Classes are analogous with tags
modules
OO
inherits
includes
external nodes ie (LDAP)
And you don&#x2019;t even need to centralize it.
* Every connection is encrypted, and the only connection that isn&#x2019;t authenticated is the one that asks for a signed cert
* Client certs
* Autosign, manual sign, manual certificate generation
* You don&#x2019;t even have to use it
use syslog-ng
development lifecycle
developed by one person, not active development, not client/server environment