Puppet DSL: back to the basics

Post on 14-Feb-2017


Puppet DSL: Back to the basics

Julien Pivotto (@roidelapluie)

Config Management Camp Ghent

February 2017

$::user

Julien Pivotto

@roidelapluie on irc/github/twitter

Puppet user since 2011 (Puppet 0.24)

VoxPupuli member (& security officer)

inuits

Scope

What didn't we notice in Puppet DSL over the last years?

How much backwards compatibility?

Why?

There are lots of new exciting features

But the puppet DSL has a strong trunk

Puppet 3 is EOL, so we can use most of these things

Tooling

Puppet parser validate

Puppet-lint 2 (with plugins)

$EDITOR puppet syntax

Custom facts

FACTER_bootstrap=true puppet agent --test

Useful for 1-time facts, or overwriting existing facts (e.g. ipaddress) without code.

Puppet DSL

The File resource

file { '/etc/motd':
  ensure  => file,
  content => 'foobarbarfoofoobar',
}

content => file()

file { '/etc/motd':
  ensure  => file,
  content => file("${module_name}/motd")
}

For small, text files (file content is in the catalog)

Since Puppet 3.7.0

validate_cmd

file { '/etc/corosync/corosync.conf':
  ensure       => file,
  validate_cmd => '/usr/sbin/corosync -t %',
}

Verify the file before replacing it

Since Puppet 3.5.0

Alternative in stdlib for older versions

show_diff

file { '/etc/app/secrets':
  content   => 'my secret content',
  show_diff => false,
}

Since Puppet 3.2.1
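
The two parameters above combined in one class, as an added example that is not from the talk. The class name, paths, the 'app' group and the token value are constructed for illustration; it assumes Puppet 4 (typed parameter) and that visudo is installed at /usr/sbin/visudo.

```puppet
# Added example, not from the talk. Class name, paths, group 'app' and the
# token value are constructed placeholders.
class profile::app_secrets (
  String $api_token = 'CONSTRUCTED-PLACEHOLDER-TOKEN',
) {
  # Refuse to install a sudoers fragment that visudo cannot parse.
  # '%' is replaced by the path of the temporary file Puppet wrote; the
  # target is only replaced when the command exits 0.
  file { '/etc/sudoers.d/app':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "app ALL=(root) NOPASSWD: /usr/bin/systemctl restart app\n",
    validate_cmd => '/usr/sbin/visudo -cf %',
  }

  # Parent directory; File['/etc/app/secrets'] auto-requires it.
  file { '/etc/app':
    ensure => directory,
    owner  => 'root',
    group  => 'app',
    mode   => '0750',
  }

  # show_diff => false keeps the content out of agent output and reports.
  # backup => false keeps the previous content out of the filebucket.
  file { '/etc/app/secrets':
    ensure    => file,
    owner     => 'root',
    group     => 'app',
    mode      => '0640',
    content   => "api_token=${api_token}\n",
    show_diff => false,
    backup    => false,
  }
}
```

show_diff only hides the diff: the secret is still part of the compiled catalog, so the catalog cache on the agent and on the master needs the same protection as the file itself.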

replace

file { '/etc/installtime':
  content => template('date.erb'),
  replace => no,
}

Since Puppet 0.19.0

backup

file { '/etc/hosts':
  content => template('hosts.erb'),
  backup  => '.bak',
}

Since a very long time...

source

file { '/etc/issue.net':
  source => '/etc/motd'
}

Since a very long time...

autorequires

Don't do:

file { '/tmp':
}

file { '/tmp/foo':
  require => File['/tmp'],
}

because files auto-require their parents (and owners, groups...)

Since Puppet 0.10.2

other autorequires

Exec, Cron require their users

Mount require its parents

Exec requires its File[cwd]

other autodependencies

resource types can implement autonotify and autosubscribe

(this is used in puppet-corosync)

Since Puppet 4.0.0

noop

package { 'ntpd':
  ensure => latest,
  noop   => true,
}

noop is not only a global setting - it is also a metaparameter that can be applied to any resource

Present since a very long time...

purging resources

resources { 'cron':
  purge => true,
  noop  => true,
}

Present since Puppet 0.22.0

Present since 3.5.0 (for cron resources)

exec tries

exec { '/bin/wget 127.0.0.1':
  tries     => 10,
  try_sleep => 1,
}

Present since Puppet 2.6.0

arrays

file { '/usr/bin/sometimesexecutable':
  mode => ['0755', '0644']
}

Will accept both modes, and set 0755 if not matching.

Can be used with most of the properties.

Since Puppet 0.23.1

Requirements

define foo::bar {
  Package['foo'] -> Foo::Bar[$name]
}

Is the same as:

foo::bar { 'barfoo':
  require => Package['foo']
}

Aliases

Instead of:

file { "/tmp/foo/bar/bar.foo/foobar":
  ensure => file,
}
service { 'barfoo':
  require => File["/tmp/foo/bar/bar.foo/foobar"]
}

Use:

file { "/tmp/foo/bar/bar.foo/foobar":
  ensure => file,
  alias  => 'foobar'
}
service { 'barfoo':
  require => File["foobar"]
}

Since a very long time...

Loglevel

exec { '/bin/mybrokenexec':
  loglevel => debug,
}

Since Puppet 0.23.1

Next to the DSL...

The Puppet resource face

$ puppet resource file /home/u/.vimrc
file { '/home/u/.vimrc':
  ensure  => 'file',
  content => '{md5}d414e9800998ecf8427e',
  ctime   => '2017-02-06 10:09:05 +0100',
  group   => '1000',
  mode    => '0644',
  mtime   => '2017-02-06 10:09:05 +0100',
  owner   => '1000',
  type    => 'file',
}
$ puppet resource file .hushlogin mode=0755

Since Puppet 2.7

Pluginsync

In modules:

lib/puppet/reports/prometheus.rb
lib/augeas/lenses/tmpfiles.aug

Contact

Julien Pivotto
roidelapluie
roidelapluie@inuits.eu

Inuits
https://inuits.eu
info@inuits.eu