Puppet without Root - PuppetConf 2013

Post on 08-May-2015


description

Puppet can be used effectively and at scale without running as root. In many organizations, particularly large ones, different teams are responsible for different pieces of the infrastructure. In my case, I am on a team responsible for installation, configuration, upkeep, and monitoring of an application, but we are denied root access. Despite this, we have a rich Puppet infrastructure that saves us time and reduces configuration drift. I will present our model for success in this kind of limited environment, including recipes for using Puppet as non-root and some encouraging words and ideas for those who want to implement Puppet but whose organization isn't ready yet. Spencer Krum, Systems Admin, UTi Worldwide. Spencer is a Linux and application administrator with UTi Worldwide, a shipping and logistics firm. He lives and works in Portland. He has been using Linux and Puppet for years. Spencer is co-authoring (with William Van Hevelingen and Ben Kero) the second edition of Pro Puppet by James Turnbull and Jeff McCune, which should be available from Apress as an alpha/beta e-book in time for PuppetConf '13. He enjoys hacking, tennis, StarCraft, and Hawaiian food.

transcript

Puppet Without Root

Spencer Krum

UTi Worldwide Inc.

Books

Pro Puppet 2nd Ed.*

Beginning Puppet**

*With Jeff Mccune, James Turnbull, William Van Hevelingen, and Ben Kero

**With William Van Hevelingen, and Ben Kero

Intro

UTi History

UTi Goals

DevOps Role

Limitations

Intro (cont.)

Installing the Puppet client

Running the Puppet Client

Package, File, Service

Rootless Module

Intro (cont.)

Installing Puppet Master as nonroot

Installing Apache as nonroot

Installing Passenger as nonroot

Upgrading Puppet as nonroot

UTi History

UTi Goals

DevOps Role

Limitations

No Root Access

Each devopser has a user

Sudo to the application user (appserv, webserv, swmgmt, tibco, fico)

Application user has limited sudo access

Limitations (cont)

Limited homedir space

/opt/app LVM volume, big, but not massive (20G)

Oracle Enterprise 5, not often updated

Few development libraries

Installing the Puppet client

Libyaml built from source, separate

Ruby built from source, separate

Puppet and facter from source, together

All installed using a --prefix

Installing the Puppet client

Puppet config in:

/opt/app/tibco/opt/puppet/etc/puppet/conf/puppet.conf

Ruby/yaml located in

/opt/app/tibco/opt/{ruby,yaml}

Installing the Puppet client

Drop the whole thing in via a tarball.

Massive sed -i on files.

Installing the Puppet client

Each client is in an environment

Conflate UTi environments and puppet environments

Puppet vardir, libdir, ssldir all under opt

No control over dns so set server = machinename

Running the Puppet Client

Source a bash file to set RUBYLIB, LD_LIBRARY_PATH

Run Puppet with the --config argument to pick up the config file; the agent forks to the background

@reboot cron to fire it up if the machine bounces
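The three steps above (an environment file to source, the agent started with --config, an @reboot cron entry) expressed as one Puppet class. This is an added example, not code from the talk or from the UTi module: the class name rootless_agent, its parameters, the lib subdirectories in the environment and the env-file name are assumptions; the /opt/app/<user>/opt layout, the --config flag and the use of cron come from the slides.

```puppet
# Added example: wires up a rootless agent as described on the slides.
# Class name, parameter names and the lib subdirectories are assumptions.
class rootless_agent (
  $app_user = $::id,                      # core Facter fact: user running the agent
  $prefix   = "/opt/app/${::id}/opt",
  $config   = "/opt/app/${::id}/opt/puppet/etc/puppet/conf/puppet.conf",
) {
  # Environment the hand-built ruby/libyaml need. Kept out of .bashrc so
  # interactive shells (and Passenger, which reads .bashrc) stay clean.
  $env = [
    "PATH=${prefix}/ruby/bin:/bin:/usr/bin",
    "RUBYLIB=${prefix}/puppet/lib",
    "LD_LIBRARY_PATH=${prefix}/yaml/lib:${prefix}/ruby/lib",
  ]

  # The file the slides say to 'source' before running puppet by hand.
  file { "${prefix}/puppet/puppet-env.sh":
    ensure  => file,
    mode    => '0644',
    content => inline_template("<% @env.each do |kv| %>export <%= kv %>\n<% end %>"),
  }

  # Start the agent again after a reboot. 'special => reboot' renders as
  # @reboot, and the entry lands in this user's own crontab, so no root is
  # involved; 'puppet agent' daemonises itself (the fork the slides mention).
  cron { 'rootless-puppet-agent':
    ensure      => present,
    user        => $app_user,
    special     => 'reboot',
    environment => $env,
    command     => "${prefix}/puppet/bin/puppet agent --config ${config}",
    require     => File["${prefix}/puppet/puppet-env.sh"],
  }
}
```

Because the same $env list feeds both the sourced file and the cron entry, an agent started by cron after a reboot sees exactly the environment an administrator gets after sourcing the file, which removes one common source of "works by hand, fails from cron" drift.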

Multi User

Sometimes we want to run a service as the fico user and a separate service as the tibco user on the same machine

Certname Abuse

Set certname = user-hostname in puppet.conf: fico-devbuild1.go2uti.com

Two node definitions in site.pp now

Both users have puppet installed under

/opt/app/$USER/opt
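The "certname abuse" layout above, written out as an added example (not the UTi site.pp): one class that derives its paths from the application user, and one node block per certname. The class name rootless_app and its parameter are assumptions; the two certnames and the /opt/app/<user> layout are the slides' own.

```puppet
# Added example. Each agent's puppet.conf sets certname = <user>-<fqdn>, so a
# single host appears to the master under two identities with two certs.
# Class and parameter names are assumptions.
class rootless_app ($app_user) {
  $home_path = "/opt/app/${app_user}"

  # Nothing here can chown, so every managed file defaults to the owner the
  # agent actually runs as; any other owner would fail at apply time.
  File {
    owner => $app_user,
  }

  file { "${home_path}/opt":
    ensure => directory,
  }
}

# site.pp: one node definition per certname. With the default auth.conf an
# agent may only fetch the catalog for its own certname, so the fico agent
# and the tibco agent on devbuild1 cannot read each other's catalogs.
node 'fico-devbuild1.go2uti.com' {
  class { 'rootless_app': app_user => 'fico' }
}

node 'tibco-devbuild1.go2uti.com' {
  class { 'rootless_app': app_user => 'tibco' }
}
```

The master-side consequence is worth stating: certificate signing and catalog access are per certname, so each application user on a shared host is authorised independently, and revoking one user's cert does not affect the other.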

Package, File, Service

Package

Two basic methods:

Wrap an untar command in a defined type

Recursive file resource (Puppet Package Manager)

Package

We use both

class uti_httpd::base {
  file { "${home_path}/httpd":
    ensure  => directory,
    owner   => $owner,
    group   => $group,
    source  => 'puppet:///modules/uti_httpd',
    recurse => remote,
  }
  ...
}

exec { "create-jdk-install-${install_root}":
  command => "/bin/tar xvzf ${tarball_directory}/${jdk_name}",
  cwd     => $install_root,
  creates => "${install_root}/${jdk_create_dir}",
}
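The "wrap an untar command in a defined type" method, generalised into a defined type of the kind the rootless module's tarfile type provides. This is an added example, not the module's code: the name rootless_tarfile, its parameters, the optional digest check and the usage values are assumptions; the creates-guarded tar exec is the slide's pattern.

```puppet
# Added example: a tarball-as-package defined type. Name, parameters and the
# digest check are assumptions, not the rootless module's API.
define rootless_tarfile (
  $tarball,                 # absolute path of an already-fetched .tar.gz
  $install_root,            # directory to extract into; must be writable by $::id
  $creates,                 # path (relative to $install_root) that exists only after extraction
  $sha256 = undef,          # optional expected digest of the tarball
) {
  $marker = "${install_root}/${creates}"

  file { $install_root:
    ensure => directory,
    owner  => $::id,        # core Facter fact: the unprivileged agent user
  }

  # Refuse to unpack a tarball whose digest differs from the recorded one.
  # Assumes GNU sha256sum is on the host; the exec is skipped once unpacked.
  if $sha256 {
    exec { "verify-${name}":
      command  => "echo '${sha256}  ${tarball}' | /usr/bin/sha256sum -c -",
      provider => shell,
      creates  => $marker,
      before   => Exec["untar-${name}"],
    }
  }

  # 'creates' makes the exec idempotent: once the marker exists tar never
  # re-runs, so later agent runs cannot clobber anything living under it.
  exec { "untar-${name}":
    command => "/bin/tar xzf ${tarball}",
    cwd     => $install_root,
    creates => $marker,
    require => File[$install_root],
  }
}

# Usage mirroring the JDK install on the slides (paths are constructed):
rootless_tarfile { 'jdk':
  tarball      => '/opt/app/tibco/tarballs/jdk-example.tar.gz',
  install_root => '/opt/app/tibco/opt',
  creates      => 'jdk-example',
}
```

The digest check is the part a practitioner would add to the slide's version: when the "package manager" is a tarball dropped into a directory, nothing else verifies that what gets extracted is what was built, and the check costs one line per tarball.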

File

File type works strangely when not running as root

$owner, $group problem

Implementation around 'write' access.

File {
  owner => $owner,
  group => $group,
}

file { $install_root:
  ensure => directory,
}
file { "${install_root}/keystore/":
  ensure  => directory,
  require => File[$install_root],
}

Service

Possibly the best handled in a rootless environment

Can't use real init system.

Can use the binary, start, status, stop parameters to great effect

I want to look at the path

service { 'icinga':
  ensure     => running,
  provider   => base,
  enable     => true,
  hasstatus  => true,
  hasrestart => true,
  start      => "${home_path}/icinga/init/icinga-init start",
  stop       => "${home_path}/icinga/init/icinga-init stop",
  restart    => "${home_path}/icinga/init/icinga-init restart",
  name       => 'icinga',
}

Rootless Module

Rootless Module

Module to provide types and facts to rootless persons

tarfile type

jdk type

facts for user, group, tempdir

new file type for rootless environments

$tempname = regsubst($name, '/', '-', 'G')
file { "/var/tmp/${tempname}":
  ensure  => file,
  content => $content,
}
exec { "copy-in-${name}":
  # shell provider: the '>' redirection needs a shell, and the command must
  # otherwise be an absolute path for the default posix provider
  command   => "/bin/cat /var/tmp/${tempname} > ${name}",
  provider  => shell,
  subscribe => File["/var/tmp/${tempname}"],
  notify    => $notify,
}
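The stage-then-copy fragment above, completed into a defined type as an added example (not the rootless module's own file type). The name rootless_file, the parameters, the default staging directory and the use of the core $::id fact in place of the module's user/tempdir facts are assumptions; the regsubst flattening and the copy-in via redirection are the slide's.

```puppet
# Added example: a file type for rootless environments. Name, parameters and
# the default $tempdir are assumptions; the pattern is from the slide.
define rootless_file (
  $content,
  $path    = $name,
  $tempdir = "/opt/app/${::id}/tmp",   # assumed stand-in for the module's tempdir fact
) {
  # Flatten the target path into a single staging filename.
  $tempname = regsubst($path, '/', '-', 'G')
  $staged   = "${tempdir}/${tempname}"

  # Puppet fully owns the staged copy. Keep it private: a shared staging
  # directory such as /var/tmp is readable by every account on the host.
  file { $staged:
    ensure  => file,
    content => $content,
    mode    => '0600',
  }

  # Writing *into* the existing target through shell redirection truncates
  # and rewrites it in place, so its owner, group and mode survive even though
  # this user could never chown it. 'unless' keeps the run idempotent and also
  # recreates the target if it was deleted out from under Puppet.
  exec { "copy-in-${path}":
    command  => "/bin/cat ${staged} > ${path}",
    provider => shell,
    unless   => "/usr/bin/cmp -s ${staged} ${path}",
    require  => File[$staged],
  }
}

# Usage (constructed values): manage a config file owned by another account
# that granted this user write access on it.
rootless_file { '/opt/app/tibco/conf/example.properties':
  content => "listen.port=8080\n",
}
```

The difference from a plain file resource is precisely the one the slide calls the $owner/$group problem: the file type wants to set ownership and gives up when it cannot, whereas a write into an already-existing, writable file needs no ownership rights at all.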

Puppet Module Rootless

GitHub GoGo!

https://github.com/UTIWorldwide/puppet-module-rootless

puppet module install utiworldwide/rootless

Puppet Master as nonroot

3 Puppet Labs (Plabs) software packages

Puppet

Hiera

Facter

Puppet Master as nonroot

Other Software

Apache

Passenger

Libyaml

Libapr

Two generations

First Generation

Installed everything to /opt

Apache + libapr separate

Ruby, yaml separate

Puppet, facter, hiera conjoined

Two generations

Problems with first gen

No central log location

No way to upgrade

Conf files awkwardly all over the place

Rack dir lived under puppet dir

Two generations

New generation

Everything rooted under a $HOME/local

BSD Ports style

Hiera, puppet, facter running from source

'init' scripts for everything in local/etc

Logs all go to local/var

Installation points

Use a bash function to expose the puppet command

puppet () {
  # load the hand-built ruby's RUBYLIB/LD_LIBRARY_PATH, then call the real binary
  . $FAKE_ROOT/bin/.ruby_setup.sh
  # "$@" (quoted) passes each argument through intact, unlike bare $@
  $FAKE_ROOT/opt/puppet/bin/puppet "$@" --confdir=$FAKE_ROOT/etc/puppet
}

Installation points

Passenger 4 reads your .bashrc, so check for a tty before getting fancy

# only re-exec without TMOUT for an interactive terminal; Passenger sources
# .bashrc without one and must not be thrown into a new shell
if tty -s; then
  if env | grep TMOUT >/dev/null; then
    exec env -u TMOUT bash
  fi
fi

Installation points

Set LD_LIBRARY_PATH and RUBYLIB at the last possible second, in the puppet function or in etc/init.d/httpd

Installation points

Build passenger on an equivalent system and rsync it up; its dependencies are many, and installing libcurl and openssl from source is hard.

Installation points

Try to keep your env as similar to a rooted environment as you can. Tell lies to tell the truth.

Outro

Questions?

Spencer Krum

github.com/nibalizer

nibalizer on irc.freenode.net

Book from Apress

http://www.apress.com/9781430260400