Presented by
Any input to infrastructure is configuration
Configuration management: managing those inputs over time at scale
Puppet’s circle of change
A basic manifest

class webserver {
  package { 'httpd':
    ensure => latest,
  } ->
  file { '/etc/httpd/conf.d/local.conf':
    ensure => file,
    mode   => '0644',
    source => 'puppet:///modules/httpd/local.conf',
  } ->
  service { 'httpd':
    ensure    => running,
    enable    => true,
    subscribe => File['/etc/httpd/conf.d/local.conf'],
  }
}
Override via inheritance

class webserver2 inherits webserver {
  File['/etc/httpd/conf.d/local.conf'] {
    source => 'puppet:///modules/httpd/other-local.conf',
  }
}
The site-wide manifest

node 'host1.example.com' { class { 'webserver': } }
node 'host2.example.com' { class { 'webserver2': } }
node 'host3.example.com' { class { 'mongodb::server': port => 27018 } }
Infrastructure as Code
http://www.partialhospitalization.com/2010/08/363/
Managing cloud resources
puppetlabs/puppetlabs-aws
Instance management

ec2_instance { 'name-of-instance':
  ensure            => present,
  region            => 'us-east-1',
  availability_zone => 'us-east-1a',
  image_id          => 'ami-ttylinux',
  instance_type     => 't1.micro',
  monitoring        => true,
  key_name          => 'name-of-existing-key',
  security_groups   => ['group1', 'group2'],
  user_data         => template('module/user-data.erb'),
}
Managing instance content
Dataflow in Puppet
Certificate signing
Who checks ?
Node creation
Autosign script
Certsigner setup
  Master      • Write autosigning script
              • Configure autosigning script
  Nodes       • Put secrets into /etc/puppet/csr_attributes.yaml
  ONE Client  • Pass secret through Userdata
CSR Extension Requests
  UUID           pp_uuid
  Instance ID    pp_instance_id
  Image Name     pp_image_name
  Preshared Key  pp_preshared_key
  Role           pp_role (still to come)
  Private        private, site-specific attributes
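Puppet's policy-based autosigning answers the "who checks?" question with an executable: the master runs it with the certname as its first argument and the PEM CSR on stdin, and signs only if it exits 0. On the node side, csr_attributes.yaml carries the secrets as extension_requests (pp_instance_id, pp_preshared_key, ...) that puppet agent embeds in the CSR under Puppet's registered OIDs (1.3.6.1.4.1.34380.1.1.x). The script below is an added example of such a policy, not mrzarquon's certsigner and not Puppet's own code. Its design assumption is that the key passed through user data is per instance, HMAC-SHA256(site secret, instance id), so a key leaked from one instance's user data cannot be replayed for another; the AUTOSIGN_SITE_SECRET variable name and the build_csr/demo helpers (which construct sample CSRs with a fresh RSA key) are assumptions for the demo.

```ruby
require 'openssl'

# Puppet's registered CSR extension OIDs (ppRegCertExt = 1.3.6.1.4.1.34380.1.1)
PP_UUID          = '1.3.6.1.4.1.34380.1.1.1'
PP_INSTANCE_ID   = '1.3.6.1.4.1.34380.1.1.2'
PP_IMAGE_NAME    = '1.3.6.1.4.1.34380.1.1.3'
PP_PRESHARED_KEY = '1.3.6.1.4.1.34380.1.1.4'

# Decode the CSR's extReq attribute into { dotted_oid => value }.
# puppet agent encodes each extension_request from csr_attributes.yaml as
# Extension { OID, OCTET STRING containing a DER UTF8String }.
def extension_requests(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return {} unless attr
  attr.value.value.first.value.each_with_object({}) do |ext, out|
    oid    = ext.value.first.oid      # dotted form, works without registering the OID
    octets = ext.value.last.value     # OCTET STRING payload
    out[oid] = OpenSSL::ASN1.decode(octets).value.to_s
  end
end

# Constant-time comparison so a rejected key does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Assumed key scheme: the user-data secret is bound to the instance id it is issued for.
def instance_key(site_secret, instance_id)
  OpenSSL::HMAC.hexdigest('SHA256', site_secret, instance_id)
end

# Policy decision: the CSR must be self-consistent, its CN must be the certname
# Puppet is about to sign, and the preshared key must match the claimed instance id.
def autosign?(certname, csr_pem, site_secret)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return false unless csr.verify(csr.public_key)
  cn = csr.subject.to_a.find { |name, _, _| name == 'CN' }&.at(1)
  return false unless cn == certname
  exts = extension_requests(csr)
  instance_id, psk = exts[PP_INSTANCE_ID], exts[PP_PRESHARED_KEY]
  return false if instance_id.nil? || psk.nil?
  secure_equal?(instance_key(site_secret, instance_id), psk)
end

# Demo helper: build a CSR the way puppet agent does from csr_attributes.yaml.
def build_csr(certname, key, ext_values)
  exts = ext_values.map do |oid, v|
    ext = OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(v).to_der, false)
    OpenSSL::ASN1.decode(ext.to_der)
  end
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])
  csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Constructed sample: one legitimate launch and the failure modes the policy must reject.
def demo(site_secret = 'constructed-site-secret')
  key = OpenSSL::PKey::RSA.new(2048)
  iid = 'i-0123456789abcdef0'
  psk = instance_key(site_secret, iid)
  good  = build_csr('host1.example.com', key, PP_INSTANCE_ID => iid, PP_PRESHARED_KEY => psk)
  guess = build_csr('host1.example.com', key, PP_INSTANCE_ID => iid, PP_PRESHARED_KEY => 'guess')
  moved = build_csr('host1.example.com', key, PP_INSTANCE_ID => 'i-0fedcba987654321f', PP_PRESHARED_KEY => psk)
  {
    good:           autosign?('host1.example.com', good.to_pem, site_secret),
    wrong_key:      autosign?('host1.example.com', guess.to_pem, site_secret),
    replayed_key:   autosign?('host1.example.com', moved.to_pem, site_secret),
    wrong_certname: autosign?('other.example.com', good.to_pem, site_secret),
  }
end

# Wired in with `autosign = /path/to/this.rb` in puppet.conf: certname in ARGV[0],
# CSR on stdin, exit 0 to sign. AUTOSIGN_SITE_SECRET is an assumed location for the secret.
if __FILE__ == $PROGRAM_NAME && ARGV.length == 1
  exit(autosign?(ARGV[0], $stdin.read, ENV.fetch('AUTOSIGN_SITE_SECRET')) ? 0 : 1)
end
```

Two things worth checking when deploying a script like this: the master must be able to read the site secret but nodes must not (it is the one value that turns user data into signed certificates), and the certname check matters because a signed certificate for the wrong name is exactly what lets one host fetch another's catalog.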
Building images
Building images
• invent 'fake' hostnames: <image-name>.images.example.com
• use Puppet at instance launch to 'personalize' the image
Masterless: puppet apply

# yum -y install puppet
# git clone https://git.example.org/manifests
# export FACTER_hostname=img1.images.example.com
# puppet apply --modulepath manifests/modules/ manifests/site.pp
# rm -rf manifests/
Masterless: puppet apply
• easy to set up
• leaves no trace on the Puppet master
• no PuppetDB
• no Node Classifier
With master: puppet agent
• those pesky SSL certificates again
• pregenerate and copy into builder
• certsigner + allow_duplicate_certs on master
• uses full master infrastructure
Managing ONE infrastructure
epost-dev/opennebula-puppet-module
ONE Puppet Module
  one          Install ONE Master/Sunstone
  onehost      Create ONE Host
  oneimage     Create ONE Image
  onetemplate  Create ONE template
  onevnet      Create ONE net
Provisioning hosts with Razor
Razor in a nutshell
• iPXE
• Node Discovery
• Stay focussed
How it works
• Microkernel sends facts
• Match tags
• Find policy
• Basic OS installed
• Managed by Puppet
Moving pieces
  Repo    What to install   ISO contents
  Task    How to install    Installer scripts
  Broker  How to manage     PE agent install
  Tag     Where to install  Named match rule
  Policy  Combine it all    Ordered table
Summary
• Puppet Forge for module sharing
• puppetlabs-aws module
• mrzarquon's certsigner
• epost-dev's opennebula-puppet-module
• Razor for flexible provisioning of hardware
Questions ?
Links
• http://forge.puppetlabs.com
• puppetlabs/puppetlabs-aws module
• https://github.com/ahpook/mrzarquon-certsigner/tree/eric0_wip
• http://watzmann.net/blog/2014/06/puppet-autosign-policy.html
Links (cont'd)
• https://github.com/epost-dev/opennebula-puppet-module
• https://github.com/puppetlabs/razor-server
• Puppet Enterprise: http://puppetlabs.com/puppet/puppet-enterprise