The document presents a deep dive into configuration management using Puppet, detailing an example manifest for managing a web server and instances in a cloud environment. It covers key topics such as infrastructure as code, autosigning scripts, and building images, while introducing various Puppet modules for managing resources. Additionally, it touches on the fundamentals of instance provisioning and management with tools like Razor, and provides links to further resources and modules for enhanced functionality.

1. Presented by
OpenNebula
and
Puppet
David Lutterkort
Puppet Labs
@lutterkort
lutter@puppetlabs.com

4. Any
input
to
infrastructure
is
Presented by
configura)on

5. Configura3on
management:
managing
those
inputs
Presented by
over
)me
at
scale

6. Configura3on
management:
managing
those
inputs
Presented by
over
)me
at
scale

7. Configura3on
management:
managing
those
inputs
Presented by
over
3me
at
scale

8. Presented by
Puppet’s circle of change

9. Presented by
A basic manifest
class webserver {
package { 'httpd':
ensure => latest
} ->
file { '/etc/httpd/conf.d/local.conf':
ensure => file,
mode => 644,
source => 'puppet:///modules/httpd/local.conf',
} ->
service { 'httpd':
ensure => running,
enable => true,
subscribe => File['/etc/httpd/conf.d/local.conf'],
}
}

10. Presented by
Override via inheritance
class webserver2 inherits webserver {
File['/etc/httpd/conf.d/local.conf'] {
source => 'puppet:///modules/httpd/other-local.conf',
}
}

11. Presented by
The site-wide manifest
node host1.example.com {
class { 'webserver': }
}
node host2.example.com {
class { 'webserver2': }
}
node host3.example.com {
class {'mongodb::server':
port => 27018
}
}

12. Presented by
Infrastructure
as
Code

13. Presented by
http://www.partialhospitalization.com/2010/08/363/

14. Presented by

15. Presented by
Managing cloud resources

16. puppetlabs/puppetlabs-aws

17. Presented by
Instance management
ec2_instance { 'name-of-instance':
ensure => present,
region => 'us-east-1',
availability_zone => 'us-east-1a',
image_id => ‘ami-ttylinux',
instance_type => 't1.micro',
monitoring => true,
key_name => 'name-of-existing-key',
security_groups => ['group1', 'group2'],
user_data => template('module/user-data.erb')
}

18. Presented by
Managing instance content

19. Presented by
Dataflow in Puppet

20. Presented by
Certificate signing

21. Presented by
Certificate signing

22. Presented by
Certificate signing

23. Presented by
Certificate signing

24. Presented by
Certificate signing
Who
checks
?

25. Presented by
Node creation

26. Presented by
Node creation

27. Presented by

28. Presented by

29. Presented by

30. Presented by

31. Presented by
Autosign
script

32. Certsigner setup
Master
• Write autosigning script
• Configure autosigning script
Nodes
• Put secrets into /etc/puppet/csr_attributes.yaml
ONE Client
• Pass secret through Userdata
Presented by

33. Presented by
CSR Extension Requests
UUID pp_uuid
Instance ID pp_instance_id
Image Name pp_image_name
Preshared Key pp_preshared_key
Role pp_role (still to come)
Private Private, site-specific attributes

34. Presented by
Building images

35. Presented by
Building images
• invent ‘fake’ hostnames
<image-name>.images.example.com
• use Puppet at instance launch to ‘personalize’ image

36. Presented by
Masterless: puppet apply
# yum -y install puppet
# git clone https://git.example.org/manifests
# export FACTER_hostname=img1.images.example.com
# puppet apply --modulepath manifests/modules/
manifests/site.pp
# rm -rf manifests/

37. Presented by
Masterless: puppet apply
• easy to set up
• leaves no trace on the Puppet master
• no PuppetDB
• no Node Classifier

38. With master: puppet agent
• those pesky SSL certificates again
Presented by
• pregenerate and copy into builder
• certsigner + allow_duplicate_certs on master
• uses full master infrastructure

39. Managing ONE infrastructure
Presented by

40. epost-dev/opennebula-puppet-module

41. Presented by
ONE Puppet Module
one Install ONE Master/Sunstone
onehost Create ONE Host
oneimage Create ONE Image
onetemplate Create ONE template
onevnet Create ONE net

42. Provisioning hosts with Razor
Presented by

43. Presented by
Razor in a nutshell
• iPXE
• Node Discovery
• Stay focussed

44. Presented by
How it works
Microkernel sends facts

45. Presented by
How it works
Match Tags

46. Presented by
How it works
Find Policy

47. Presented by
How it works
Basic OS installed
Managed by Puppet

48. Presented by
Moving pieces
Repo What to install ISO contents
Task How to install Installer scripts
Broker How to manage PE agent install
Tag Where to install Named match rule
Policy Combine it all Ordered table

49. Presented by
Summary
• Puppet forge for module sharing
• puppetlabs-aws module
• mrzarquon’s certsigner
• epost-dev’s opennebula-puppet-module
• Razor for flexible provisioning of hardware

50. Presented by
Questions ?

51. Presented by
Links
• http://forge.puppetlabs.com
• puppetlabs/puppetlabs-aws module
• https://github.com/ahpook/mrzarquon-certsigner/tree/
eric0_wip
• http://watzmann.net/blog/2014/06/puppet-autosign-policy.
html

52. Links (cont’d)
• https://github.com/epost-dev/opennebula-puppet-module
Presented by
• https://github.com/puppetlabs/razor-server
• Puppet Enterprise:
http://puppetlabs.com/puppet/puppet-enterprise