opennebulaconf 2014 - puppet and opennebula - david lutterkort

Presented by OpenNebula and Puppet
David Lutterkort, Puppet Labs, @lutterkort, [email protected]

Upload: opennebula-project
Posted on 14-Jul-2015
Category: Technology

TRANSCRIPT

OpenNebula and Puppet
David Lutterkort, Puppet Labs, @lutterkort, [email protected]

Any input to infrastructure is configuration

Configuration management: managing those inputs over time at scale

Puppet’s circle of change

A basic manifest

    class webserver {
      package { 'httpd': ensure => latest } ->
      file { '/etc/httpd/conf.d/local.conf':
        ensure => file,
        mode   => '0644',   # quoted: Puppet 4 and later reject an unquoted numeric mode
        source => 'puppet:///modules/httpd/local.conf',
      } ->
      service { 'httpd':
        ensure    => running,
        enable    => true,
        subscribe => File['/etc/httpd/conf.d/local.conf'],
      }
    }

Override via inheritance

    class webserver2 inherits webserver {
      File['/etc/httpd/conf.d/local.conf'] {
        source => 'puppet:///modules/httpd/other-local.conf',
      }
    }

The site-wide manifest

    node host1.example.com { class { 'webserver': } }
    node host2.example.com { class { 'webserver2': } }
    node host3.example.com { class { 'mongodb::server': port => 27018 } }

Infrastructure as Code

Image: http://www.partialhospitalization.com/2010/08/363/

Managing cloud resources

puppetlabs/puppetlabs-aws

Instance management

    ec2_instance { 'name-of-instance':
      ensure            => present,
      region            => 'us-east-1',
      availability_zone => 'us-east-1a',
      image_id          => 'ami-ttylinux',
      instance_type     => 't1.micro',
      monitoring        => true,
      key_name          => 'name-of-existing-key',
      security_groups   => ['group1', 'group2'],
      user_data         => template('module/user-data.erb'),
    }

Managing instance content

Dataflow in Puppet

Certificate signing

Who checks?

Node creation

Autosign script

Certsigner setup

Master
• Write autosigning script
• Configure autosigning script

Nodes
• Put secrets into /etc/puppet/csr_attributes.yaml

ONE Client
• Pass secret through Userdata

CSR Extension Requests

UUID           pp_uuid
Instance ID    pp_instance_id
Image Name     pp_image_name
Preshared Key  pp_preshared_key
Role           pp_role (still to come)
Private        private, site-specific attributes
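The certsigner setup and the CSR extension requests above, put together as one working example in Ruby. This is an added example, not code from the talk or from mrzarquon's certsigner module. It assumes Puppet's documented policy-based autosigning contract (the master runs the script named by `autosign = /path/to/script` in the [master] section of puppet.conf with the certname as its only argument and the PEM CSR on stdin, and signs only if the script exits 0), Puppet's registered pp_* extension OIDs under 1.3.6.1.4.1.34380.1.1, a hypothetical root-only secret file /etc/puppet/autosign.psk, the domain example.com, and a CSR that build_test_csr constructs for the demonstration.

```ruby
#!/usr/bin/env ruby
# Policy autosign script for the Puppet master (added example; not the talk's or
# certsigner's code). Puppet invokes it as `autosign.rb <certname>` with the PEM
# CSR on stdin and signs only when it exits 0.
require 'openssl'
require 'yaml'

# Puppet's registered CSR extension OIDs (the ppRegCertExt arc).
PP_OIDS = {
  '1.3.6.1.4.1.34380.1.1.1'  => 'pp_uuid',
  '1.3.6.1.4.1.34380.1.1.2'  => 'pp_instance_id',
  '1.3.6.1.4.1.34380.1.1.3'  => 'pp_image_name',
  '1.3.6.1.4.1.34380.1.1.4'  => 'pp_preshared_key',
  '1.3.6.1.4.1.34380.1.1.13' => 'pp_role',
}.freeze

# Depth-first visit of every node in a decoded ASN.1 tree.
def walk_asn1(node, &blk)
  blk.call(node)
  node.value.each { |child| walk_asn1(child, &blk) } if node.value.is_a?(Array)
end

# {'pp_preshared_key' => '...', ...} for the pp_* extension requests in a CSR.
# Walking the tree rather than indexing into it keeps this independent of how a
# particular Ruby/OpenSSL version nests the extReq attribute's SET.
def extension_requests(csr)
  found = {}
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return found unless attr
  walk_asn1(attr.value) do |node|
    next unless node.is_a?(OpenSSL::ASN1::Sequence) && node.value.size >= 2
    oid, octets = node.value.first, node.value.last
    next unless oid.is_a?(OpenSSL::ASN1::ObjectId) && octets.is_a?(OpenSSL::ASN1::OctetString)
    name = PP_OIDS[oid.oid]
    # Puppet stores each value as a DER UTF8String inside the extension's OCTET STRING.
    found[name] = OpenSSL::ASN1.decode(octets.value).value.to_s if name
  end
  found
end

# Constant-time equality: compare fixed-length digests so timing depends neither
# on where the strings first differ nor on their lengths.
def secure_equal(a, b)
  da = OpenSSL::Digest.digest('SHA256', a.to_s).bytes
  db = OpenSSL::Digest.digest('SHA256', b.to_s).bytes
  da.zip(db).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The policy. Returns [sign?, reason]. This is the answer to "who checks?":
# the master does, against a secret the node can only have got from user data.
def autosign_decision(certname, csr_pem, expected_psk, allowed_domain)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return [false, 'CSR self-signature invalid'] unless csr.verify(csr.public_key)
  cn = csr.subject.to_a.find { |n, _, _| n == 'CN' }&.at(1)
  return [false, "certname #{certname} does not match CSR CN #{cn.inspect}"] unless cn == certname
  return [false, "#{certname} is outside #{allowed_domain}"] unless certname.end_with?(".#{allowed_domain}")
  exts = extension_requests(csr)
  return [false, 'no pp_preshared_key in CSR'] unless exts.key?('pp_preshared_key')
  return [false, 'preshared key mismatch'] unless secure_equal(exts['pp_preshared_key'], expected_psk)
  [true, "sign #{certname} (image=#{exts['pp_image_name']}, instance=#{exts['pp_instance_id']})"]
end

# Node side: the contents of /etc/puppet/csr_attributes.yaml, which the ONE
# contextualization script would write from the secret passed in user data.
def csr_attributes_yaml(exts)
  { 'extension_requests' => exts }.to_yaml
end

# Constructed CSR carrying pp_* extension requests, used only to exercise the policy.
def build_test_csr(certname, key, exts)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', certname]])
  req.public_key = key.public_key
  ext_list = exts.map do |name, value|
    OpenSSL::X509::Extension.new(PP_OIDS.key(name), OpenSSL::ASN1::UTF8String.new(value).to_der)
  end
  attr_value = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(ext_list)])
  req.add_attribute(OpenSSL::X509::Attribute.new('extReq', attr_value))
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req.to_pem
end

if $PROGRAM_NAME == __FILE__ && ARGV.length == 1
  # Invoked by the master: secret from a root-only file (assumed path), CSR on stdin.
  psk = File.read('/etc/puppet/autosign.psk').strip
  ok, reason = autosign_decision(ARGV[0], $stdin.read, psk, 'example.com')
  warn reason
  exit(ok ? 0 : 1)
end
```

Wire it up with `autosign = /etc/puppet/autosign.rb` under [master] in puppet.conf and make the file executable. Two caveats a practitioner should keep in mind: user data is readable by any process on the instance, so the preshared key is a bootstrap credential that only earns a signed certificate, and it should be rotated (per image is a good granularity); and a node that has the key still gets only a name inside the allowed domain that matches its own CSR, which is what the certname and CN checks enforce.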

Building images

• invent 'fake' hostnames: <image-name>.images.example.com
• use Puppet at instance launch to 'personalize' the image

Masterless: puppet apply

    # yum -y install puppet
    # git clone https://git.example.org/manifests
    # export FACTER_hostname=img1.images.example.com
    # puppet apply --modulepath manifests/modules/ \
        manifests/site.pp
    # rm -rf manifests/

Masterless: puppet apply

• easy to set up
• leaves no trace on the Puppet master
• no PuppetDB
• no Node Classifier

With master: puppet agent

• those pesky SSL certificates again
• pre-generate and copy into builder
• certsigner + allow_duplicate_certs on master
• uses full master infrastructure

Managing ONE infrastructure

epost-dev/opennebula-puppet-module

ONE Puppet Module

one          Install ONE Master/Sunstone
onehost      Create ONE Host
oneimage     Create ONE Image
onetemplate  Create ONE template
onevnet      Create ONE net

Provisioning hosts with Razor

Razor in a nutshell

• iPXE
• Node Discovery
• Stay focussed

How it works

• Microkernel sends facts
• Match tags
• Find policy
• Basic OS installed
• Managed by Puppet

Moving pieces

Repo     What to install    ISO contents
Task     How to install     Installer scripts
Broker   How to manage      PE agent install
Tag      Where to install   Named match rule
Policy   Combine it all     Ordered table

Summary

• Puppet Forge for module sharing
• puppetlabs-aws module
• mrzarquon's certsigner
• epost-dev's opennebula-puppet-module
• Razor for flexible provisioning of hardware

Questions?

Links

• http://forge.puppetlabs.com
• puppetlabs/puppetlabs-aws module
• https://github.com/ahpook/mrzarquon-certsigner/tree/eric0_wip
• http://watzmann.net/blog/2014/06/puppet-autosign-policy.html
• https://github.com/epost-dev/opennebula-puppet-module
• https://github.com/puppetlabs/razor-server
• Puppet Enterprise: http://puppetlabs.com/puppet/puppet-enterprise