Dependency management with Puppet

• http://rcrowley.org/talks/pycon-2011/index.html

Hi, I’m Richard Crowley

• Equal opportunity technology hater.
• DevStructure’s operator and UNIX hacker.

Install Puppet

sudo apt-get -y install ruby rubygems
sudo gem install --no-rdoc --no-ri puppet

• You want 2.6 or better.
• Ubuntu Lucid and pretty much
  every Red Hat should use RubyGems.

Configuration management

• Express all dependencies in a
  legible and iterable format.

pip freeze

• Not good enough.

Resources

• The smallest unit of configuration.
• Have a type, a name, and parameters.

Resources

package { "python":
    ensure => installed,
    provider => apt,
}

Resources

package { "python":
    ensure => "2.6.6-2ubuntu1",
    provider => apt,
}

Resources

package { "python":
    ensure => latest,
    provider => apt,
}

Resources

package {
    "build-essential":
        ensure => installed,
        provider => apt;
    "python":
        ensure => installed,
        provider => apt;
    "python-dev":
        ensure => installed,
        provider => apt;
    "python-setuptools":
        ensure => installed,
        provider => apt;
}

Resource types

• There’s more to life than
  package management.

Users and groups

group { "rcrowley":
    ensure => present,
    gid => 1000,
}
user { "rcrowley":
    ensure => present,
    gid => 1000,
    uid => 1000,
}

Authorized keys

ssh_authorized_key { "Richard's VM":
    ensure => present,
    key => "AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ",
    type => "ssh-rsa",
    user => "rcrowley",
}

Services

service { "apache2":
    enable => true,
    ensure => running,
    hasstatus => true,
}

Generic resource types

exec and file

Arbitrary commands

exec { "easy_install pip":
    path => "/usr/local/bin:/usr/bin:/bin",
    unless => "which pip",
}

template function

template("python/pip.conf.erb")

• Argument: special pathname.
• Result: string rendered from ERB.

pip.conf.erb template

[install]
user-mirrors = true
mirrors =
    http://pypi.<%= domainname %>
    http://pypi.python.org

Facts

• facter | less
• facter factname
• Normalized names for
  dozens of system parameters.

Running Puppet manifests

• sudo puppet apply pathname
• --noop and --verbose are handy.

Composing resources

Classes

• Singleton collections of resources.

Using classes

include python

• include is a shorthand function.

Using classes

class { "python": }

• Class instances are just resources.

Parameterized classes

class foo($bar = "baz") {}

class { "foo": bar => "quux" }

• Like any resource,
  classes may accept parameters.

Composing resources

Definitions

• Resource types expressed as Puppet code.

Using definitions

pip { "mysql-python": ensure => installed }

Variables and expressions

Further reading

• http://bit.ly/puppet-variables
• http://bit.ly/puppet-expressions
• http://bit.ly/puppet-conditionals

Ruby plugins

• For when definitions aren’t good enough.
• Implementation details are
  beyond the scope of this talk.

gem install puppet-pip

• Ruby implementation of a provider
  for the package resource type.
• Submitted to be included in
  the next release of Puppet.

Using puppet-pip

package { "mysql-python":
    ensure => installed,
    provider => pip,
}

Modules

/etc/puppet/
    manifests/
        nodes.pp
        site.pp
    modules/
        python/
            manifests/
                init.pp
                foo.pp

• Code organization pays dividends.

modules/python/ manifests/init.pp

class python {
    # ...
}

modules/python/ manifests/foo.pp

class python::foo {
    # ...
}

Module autoloading

• include python will expect the python class in modules/python/manifests/init.pp.
• Templates referenced as template("python/foo.erb") will render modules/python/templates/foo.erb.

Running Puppet modules

• sudo puppet apply -e "include classname"
• --noop and --verbose are still handy.

Which modules are applied to which servers?

Nodes

node default {
    include python
}

node /^www\d+\./ inherits default {
    include apache
    include django
}

node "mail.example.com" inherits default {
    include lamson
}

• Conventionally in manifests/nodes.pp.

manifests/site.pp

Exec {
    path => "/usr/local/bin:/usr/bin:/bin",
}

import "nodes"

• Default entrypoint.

Running Puppet catalog

• sudo puppet apply /etc/puppet/manifests/site.pp
• --noop and --verbose are still handy.

Django module

class django {
    package {
        "django":
            ensure => "1.2.5",
            provider => pip;
        "mysql-python":
            ensure => installed,
            provider => pip;
    }
}

A bug!

class django {
    package {
        "django":
            ensure => "1.2.5",
            provider => pip;
        "mysql-python":
            ensure => installed,
            provider => pip;
    }
}

Declare all dependencies

class django {
    package {
        "django":
            ensure => "1.2.5",
            provider => pip;
        "libmysqlclient-dev":
            ensure => installed;
        "mysql-python":
            ensure => installed,
            provider => pip;
    }
}

Nondeterminism!

class django {
    package {
        "django":
            ensure => "1.2.5",
            provider => pip;
        "libmysqlclient-dev":
            ensure => installed;
        "mysql-python":
            ensure => installed,
            provider => pip;
    }
}

before and require

• One resource can require another.
• One resource can come before another.

Why all the fuss?

• Python packages are ignorant of
  lower-level dependencies.
• For example, libmysqlclient-dev.
• Explicit is better than implicit.

notify and subscribe

• Complementary just like before and require.
• Notified exec resources run their command.
• Notified service resources
  restart the service.

Deploy

Puppet master

• Deploy your Puppet code only to the master.
• Agents phone home periodically
  to fetch their configuration.

Puppet master

• sudo puppet master
• Drops privileges after starting.
• Can be run by Apache or Nginx if needed.

Puppet agent

• Daemon or cron job that phones home.

An agent’s /etc/puppet/puppet.conf

[main]
    server = puppet.example.com

• Accept defaults otherwise.
• See http://bit.ly/puppet-config-ref.

Puppet agent

• sudo puppet agent --no-daemonize --onetime
• First time will fail in SSL client verify.

Sign SSL certificates

Tell the master the agent is cool

• sudo puppet cert -l
• sudo puppet cert -s hostname

Puppet agent

• sudo puppet agent --no-daemonize --onetime
• If certificates verify, it receives
  and executes a catalog.
• --noop and --verbose are still handy.

Why should I bother with Puppet master?

Exported resources

[main]
    server = puppet.example.com

    dbadapter = mysql
    dbname = puppet
    dbpassword = puppet
    dbserver = localhost
    dbuser = puppet

[master]
    thin_storeconfigs = true

• Run MySQL on the master.

Exported resources

node /^www\d+\./ inherits default {
    include apache
    include django
    @@nagios_host { "$hostname":
        address => "$ipaddress",
        hostgroups => ["www"],
        use => "generic-host",
        # ...
    }
}

node "ops.example.com" inherits default {
    include nagios
    Nagios_host<<||>>
}

Blueprint

• If all that sounds like a lot of trouble...
• blueprint(1) reverse engineers servers to generate Puppet code.
• https://github.com/devstructure/blueprint
• http://devstructure.com/

Thank you

• richard@devstructure.com or @rcrowley
• P.S. I’m available for Puppet
  and operations consulting.