Bootstrapping Puppet and Application Deployment - PuppetConf 2013

Bootstrapping
Puppet
&

Applica3on
Deployment

PuppetConf
‘13

August
22,
2013

Presented by:
Robert de Macedo Soares
Application Security Engineer
Business Wire
robert.soares@businesswire.com
@argher
#puppetconf

Purpose
of
Puppet

•  What
problems
are
we
trying
to
solve?

•  RemediaBon
or
improvement?

•  Are
our
exisBng
servers
a
mess?

•  What
are
our
plaDorms?

Scenario
–
Best
Case

•  Servers
are
new

•  Servers
are
uniform

•  No
ﬁxes
needed

•  Everyone
on
the
same
page

•  One
operaBng
system

Idealis)c

Scenario
-‐
Reality

•  No
baseline
configuraBon

•  Inconsistent
management
pracBces

•  Many
fixes
required

•  Teams
have
differing
requirements

•  MulBple
operaBng
systems

Realis)c

Divergent
Needs

Developers

•  Need
deployment
soluBon

•  Idempotence

System
Administrators

•  System
ConﬁguraBon

•  Password
&
User
Management

Divergent
Needs
(cont.)

Security
&
Management

•  Host-‐based
ﬁrewall
management

•  Auditability

•  Compliance

•  ReporBng

Divergent
Opera3ng
Systems

•  Linux

– Diﬀerent
DistribuBons
(RedHat,
Debian,
etc.)

•  Windows

– Diﬀerent
GeneraBons

•  UNIX

– Solaris?
HP-‐UX?

Decision
Time

•  Right
tool
for
the
job

– Puppet
Enterprise
vs.
Open
Source

•  Test
before
comming

•  Older
or
uncommon
operaBng
systems?

– Puppet
Enterprise
simpliﬁes
deployment

•  <=10
servers?

– Puppet
Enterprise
is
free
for
10
servers

Open
Source
–
Why?

•  Free

•  Valuable
user
community

•  Foreman

– Complex
but
powerful

•  Free

Puppet
Enterprise
–
Why?

•  Integrated
Dashboard

– Auditability
/
ReporBng

– Server
status
at
a
glance

– MCollecBve
integraBon
(Live
Management)

•  Prebuilt
Solaris
and
Linux
packages

•  Support!

– DownBme
more
expensive
than
licenses

Infrastructure
Deployment

•  What’s
our
architecture?

– How
many
Bers?

– How
many
Puppet
masters?

– ReplicaBon?

•  AutomaBon
tool

Suggested
Architecture

•  Master
per
Ber

•  ReplicaBon
in
producBon

– Nice
to
have

•  Lab
master
and
clients
for
experimentaBon

– Cover
your
OS
types

•  Source
control
for
manifests

Tiered
Infrastructure

•  Two
Bers
minimum

– Dev

– ProducBon

•  More
Bers
beneﬁcial

– Test
/
QA
Ber
exposes
problems
before
prod

Introduc3on
to
Automa3on

•  What
is
an
automaBon
tool?

•  Why
use
one?

•  Which
tool
is
best?

– Fabric,
Capistrano,
etc.

Example:
Fabric

•  __init__.py

import
fab_puppet_deploy

•  Fab_puppet_deploy.py

– Remember
to
set
env.hosts

from
fabric.api
import
*

@task(default=True)

def
deploy_puppet(Ber=“dev”,uninstall=False):

Automa3ng
the
Install

•  Proper
tools
invaluable

– Fabric,
Capistrano,
etc.

•  Use
answers
ﬁles

•  Expect
unexpected
problems

– No
sudo?

Automa3ng
the
Install
(cont.)

•  Example
answers
ﬁle

q_fail_on_unsuccessful_master_lookup=y

q_install=y

q_puppet_cloud_install=n

q_puppet_enterpriseconsole_install=n

q_puppet_symlinks_install=y

q_puppetagent_install=y

q_puppetagent_server=puppet.dev.example.com

q_puppetca_install=n

q_puppetmaster_install=n

q_vendor_packages_install=n

Overview

•  Source
control
integraBon

•  BASH
scripts
–
easy
and
powerful

•  Leverage
rake
API

Early Approach

•  Deploy
task
ﬁle

– Text,
lists
packages
to
deploy
and
tagged
version

•  Update
Puppet
groups

– BASH,
rake
commands
to
alter
classes
/
groups

•  Update
nodes
in
(Ber)

– BASH,
rake
commands
to
alter
node
membership

Source
Control
Workflow

•  Update
module
-‐>
new
tag

– Don’t
deploy
from
trunk!

•  Update
deploy
task
file

•  Check
out
deploy
task
file

– svn
co
hop://repo.example.com/puppet/deployfile

•  Helper
script

– Deploys
new
modules
over
old

Introduc3on
to
Rake

•  Build
tool

– Similar
to
make
and
Ant

•  Rakeﬁles
are
Makeﬁles

– Standard
Ruby
syntax

•  Can
create
mulB-‐or-‐single-‐use
tasks

– Namespace:task

Rake
Tips

•  Read
API
documentaBon

–  hop://docs.puppetlabs.com/pe/latest/console_rake_api.html

•  Rake
command
preﬁx

–  rake
-‐f
/opt/puppet/share/puppet-‐dashboard/
Rakeﬁle

•  Set
RAILS_ENV
to
producBon

– ~/.bashrc
or
in
script

Update
Puppet
Groups

#
Env
to
run
Ruby
in

export
RAILS_ENV=producBon

#
Create
Classes

rake
-‐f
/opt/puppet/share/puppet-‐dashboard/Rakeﬁle

nodeclass:add
name=users::permissions

rake
-‐f

nodeclass:add
name=packages::provisioner

Update
Puppet
Groups
(cont.)

#
Create
Groups

rake
-‐f

nodegroup:add
name=provisioner

#
Assign
Classes
to
Groups

rake
-‐f

nodegroup:addclass
name=provisioner
class=users::permissions

rake
-‐f

nodegroup:addclass
name=provisioner

class=packages::provisioner

Update
Nodes

#
Env
to
run
Ruby
in

export
RAILS_ENV=producBon

#
Assign
nodes
to
groups

rake
-‐f

node:groups
name=pro1.example.com

groups=default,provisioner

rake
-‐f

node:groups
name=pro2.example.com

groups=default,provisioner,extragroup

Rough
Spots

•  Group
list
must
be
*complete*

– Rake
will
recreate
the
group
list
for
a
node

– No
incremental
addiBon
possible

•  Directory
ownership

– peadmin
/
puppet-‐dashboard
or
custom
user

•  Rake
API
can
be
improved

– Nested
groups
only
Puppet
Enterprise
3.0+

Rough
Spots
(cont.)

•  Access
Control

– No
way
to
limit
individual
commands

•  TargeBng

– Custom
facts
and
hiera
recommended

Next
Steps

• Easy
tasks
ﬁrst

• Etc_facts
plugin

• Hiera
is
useful

• Package
repository

Thanks
for
joining!

Bootstrapping Puppet and Application Deployment - PuppetConf 2013

More Related Content

What's hot

Similar to Bootstrapping Puppet and Application Deployment - PuppetConf 2013

More from Puppet

Recently uploaded

Bootstrapping Puppet and Application Deployment - PuppetConf 2013