3. hi, Iâm joe!
⢠i think these things are cool:
⢠computer programs
⢠reproducible builds / infrastructure
⢠automation
⢠conďŹguration management
⢠tahdig*
* an rice food
4. packagecloud.io
⢠I work on packagecloud.io
⢠packagecloud makes it easy to upload,
download, store, and delete software packages
⢠you should use it, itâs cool.
7. Why?
⢠Central to maintaining, building, and testing
infrastructure.
⢠Packages are a primitive in Puppet.
⢠Understanding where packages come from, and how
to store them properly is a requirement for
infrastructure of any size.
⢠Packages and packaging are much trickier than they
seem!
8. Overview
⢠what is a package?
⢠what is a package manager?
⢠./conďŹgure && make && make install pattern
⢠open source tools for package repositories
⢠HOWTO manage repos in your infra with puppet
9. What is a package?
Beck Gusler, https://ďŹic.kr/p/4A15jm
10. What is a package?
⢠A package generally consists of:
⢠metadata (version, architecture, deps, etc)
⢠ďŹles to be written to the ďŹlesystem (/usr/sbin/
nginx, etc)
12. Common package types
⢠RPM packages
⢠Used on CentOS, RHEL, ScientiďŹc Linux, Fedora, âŚ
⢠ďŹles typically have the â.rpmâ ďŹle extension
⢠can be inspected, installed, and removed with rpm
⢠are actually a:
⢠header structure (binary data)
⢠CPIO archive
15. Common package types
⢠Deb packages:
⢠Used on Ubuntu, Debian, Knoppix, âŚ
⢠ďŹles typically have the â.debâ ďŹle extension
⢠can be inspected, installed, and removed with
dpkg
16. Common package types
⢠Deb packages:
⢠are actually an AR archive with:
⢠version ďŹle: the debian format version
⢠data.tar.gz: the actual ďŹles to write to the ďŹlesystem
⢠control.tar.gz: the package metadata
⢠Can be GPG signed, but signatures are never checked!
18. Common package types
⢠There are lots more! (ruby gems, npm, java,
python, âŚ)
⢠Some packaging systems also have source
packages.
19. What is a source package?
⢠A source package consists of:
⢠metadata (version, architecture(s), build deps,
etc).
⢠source ďŹles (C source, C++ source, py scripts,
etc).
⢠Allows you to rebuild a binary package easily.
20. Install packages with puppet
Use the resource type âpackageâ to install packages:
package { 'pygpgme':
ensure => latest,
}
21. Install packages with puppet
package { 'pygpgme':
ensure => â0.3-11â,
}
Specify the version you want by setting ensure:
22. Summary
⢠Packages are a collection of ďŹles with metadata.
⢠The metadata usually has info like:
⢠architecture
⢠version
⢠dependency info
⢠and more.
⢠Installation is easy if you donât have dependencies.
24. Dependencies
⢠Installing 1 package is as easy as:
⢠dpkg -i ďŹlename.deb
⢠rpm -ivh ďŹlename.rpm
⢠Of course, you should use puppet instead :D
⢠But what if your program needs other programs?
⢠For example: nginx depends on libssl, zlib, âŚ
27. Package manager
⢠A package manager is a collection of software
that allows you to:
⢠install, upgrade, remove packages
⢠query package info from local system or repos
⢠Some tools include more advanced features like
mirroring or more advanced caching features.
29. ⢠yum (Yellowdog Updater, ModiďŹed)
⢠Common on RHEL, CentOS, Fedora, âŚ
⢠Used for installing, removing, conďŹguring, and
querying RPM packages and dependencies.
Common package managers
31. Common package managers
⢠APT (Advanced Package Tool)
⢠Common on Debian, Ubuntu, KNOPPIX, âŚ
⢠Used for installing, removing, conďŹguring, and
querying Debian packages and dependencies.
32. Install packages with puppet
⢠When you install packages with puppet, puppet
will automatically detect which package
manager to use.
⢠You wonât need to worry about which command
to run, or what options to pass; puppet will take
care of that for you!
33. Summary
⢠package managers help you install software and
associated dependencies
⢠easily remove, upgrade, and query packages
⢠Puppet will automatically detect the systemâs
package manager when you install a package.
35. A problem
⢠You run Ubuntu 10.04 LTS
⢠You want to install redis
⢠Ubuntu 10.04 comes with redis-server 1.2.0-1
⢠Thatâs too old! You need 2.8.19!
⢠So, now what?
36. Common (not great) solution
⢠A common solution to this sort of problem is
building redis (or ruby, or âŚ) from source in your
puppet manifest
⢠Like thisâŚ.
38. Why?
⢠Itâs easy!
⢠./conďŹgure && make && make install
⢠It works!
⢠Iâm using puppet so itâs reproducible!
39. ButâŚ
⢠What happens if you need to:
⢠completely remove Redis?
⢠install a security update?
⢠install a new version?
⢠install the same exact Redis on 200 machines?
40. The not-so great side
⢠Not all MakeďŹles have uninstall targets, so you
have to remove ďŹles manually
⢠Leaving artifacts on the ďŹlesystem can cause
really, really hard to debug problems later
⢠If the build process changes version to version,
it can be painful to rollback
41. The not-so great side
⢠Rebuilding the same source does not necessarily
get you the same byte-for-byte binary
⢠If the binaries arenât identical, you can end up
with bugs in some of the compiled binaries but
not others
⢠Painful to recreate source builds inside of puppet
⢠Makes writing tests for manifests painful
42. Make a package
⢠Install the same binary on every machine
⢠When the package is removed, all installed ďŹles are
removed
⢠Versioning of build process built in (with most tools)
⢠Keep your puppet manifests about conďŹg
management
⢠Your build steps are âfactored outâ into the package
43. Your new puppet manifest
package { 'redis':
ensure => latest,
}
44. Your package
⢠Your build steps get encapsulated in the package
itself
⢠Makes iterating on the build more straight forward
⢠Donât need to apply (potentially) a bunch of
manifests to a machine every time you do a build
51. Tradeoffs
⢠Once you learn how to make packages you can
build reproducible infrastructure much more
easily
⢠You can use your prod environment in dev and
test
⢠You can more easily build tests for your
infrastructure with beaker/kitchen.ci
53. âHow do I store and
organize my packages?â
54. Package repositories
⢠Major linux distributions keep repositories of
packages for users:
⢠EPEL
⢠Ubuntu / Debian ofďŹcial repositories
⢠You can store a package and its dependencies to
make it easy to install them all on your infrastructure
56. Package repositories
⢠createrepo: creates yum repositories
⢠reprepro: creates apt repositories
⢠Many other free tools available!
⢠Read the documentation carefully. Lots of tricky
options.
⢠Iâll show some examples to get you started!
59. GPG is important
⢠Using GPG to sign the generated repository
guarantees that you generated the repository.
⢠This is important.
⢠This means that no one else modiďŹed, removed, or
inserted a package other than you.
⢠GPG signing the repository is not a very well known
security measure, but it is incredibly important!
⢠This is NOT the same as using rpmsign/rpm --sign.
60. Secure YUM repos
⢠Sign repository metadata with GPG
⢠Sign packages with GPG (use rpmsign)
⢠Serve repositories over SSL
⢠Enable all the right options for SSL veriďŹcation,
repository GPG checking, AND package GPG
checking.
61. Wouldnât it be cool to do all
that with Puppet instead?
Good news: you can!
64. You still need to GPG sign
the repository yourself :(
exec { âgpg_sign_yumrepoâ:
command => âgpg --detach-sign --armor
/var/yumrepos/yumrepo/repodata/repomd.xmlâ,
}
66. Add YUM repos with puppet
yumrepo { 'my_repo':
baseurl => "http://myurl.com/repo",
gpgcheck => 1,
repo_gpgcheck => 1,
gpgkey => âhttp://myurl.com/gpg.pub.keyâ,
sslverify => 1,
sslcacert => â/etc/pki/tls/certs/ca-bundle.crtâ,
enabled => 1,
}
most people never turn on repo_gpgcheck or
sslverify, or set the ssl certiďŹcate path, but you
should!!
67. But thatâs not all!
⢠You MUST have the âpygpgmeâ package
installed on the system that will verify the
signatures.
⢠Without pygpgme, yum will not be able to verify
signatures!
⢠Some versions of CentOS / RHEL do not
automatically install pygpgme with yum!!
68. Make sure to install pygpgme
package { 'pygpgme':
ensure => latest,
}
72. reprepro
⢠You can add more sections if you need more code
names (lucid, trusty, etc).
⢠SignWith speciďŹes which GPG key to use for signing
repository metadata
⢠You can get your gpg key ID by looking at the output
of gpg âlist-keys
⢠This is not the same as using debsigs/debsign !!!
80. But thatâs not all!
⢠You MUST have the âapt-transport-httpsâ package
installed on the system if your repository is served
over HTTPS!
⢠Without apt-transport-https, you canât install
packages over HTTPS.
⢠You deďŹnitely want this.
81. Make sure to install apt-transport-https
package { âapt-transport-httpsâ:
ensure => latest,
}
83. Success
⢠You can now use beaker/kitchen.ci/etc to test your
infrastructure.
⢠Determine if the packages you need are actually
installed after your manifests are applied.
⢠Determine if the repositories you added are
actually added after your manifests are applied.
⢠Donât need to wait forever for Ruby, redis, et al to
build during a test run.
84. BEST OF ALL !!!!
⢠You can now run Puppet on your development
VM using the same manifests you use in
production
⢠The manifests are applied and you are running
the same exact binaries you run in production
⢠Wonât catch ALL production bugs, but getting
closer to production during development is
super useful
85. Summary
⢠Creating package repositories can be tricky. Make
sure to GPG sign repository metadata.
⢠99% of package repositories get this wrong.
⢠Carefully read the documentation of createrepo and
reprepro.
⢠Make sure to install necessary libraries for verifying
signatures and accessing repositories via HTTPS.
⢠Always serve up your repositories over HTTPS.