From SaltStack to Puppet and beyond...
Yury Bushmelev

SP Digital
What is the scale?
• Over 100 developers

• A lot of products

• Just 6 ppl in Digital Infra team at the moment

• About 200 VMs in Azure cloud
What's wrong with Salt?
From teamwork/long-term support perspective:

• It feels inconsistent

• It's error prone and hard to debug

• It's YAML

• It's Jinja2 on top of YAML

• It's impossible to lint

• It's impossible to unit-test
Why Puppet?
• I'll explain during my talk :-D
Why Puppet?
From teamwork/long-term support perspective:

• Agent

• Domain Specific Language (declarative!)

• Lint/Syntax checks

• RSpec for unit tests, ServerSpec for acceptance tests

• Hiera (hierarchical database, auto-lookup)

• Ruby ecosystem (gems!)
Why OpenSource Puppet?
Because we can!
But I heard/experienced...
• Puppet is complex/hard to learn/hard to use

• Infra code development is slower with Puppet

• ... ?
Puppet
Puppet is about the state!
Puppet is about the state
• The code you write in Puppet DSL (your manifests) is compiled by the Puppet master into the catalog

• The catalog is a document describing the desired state of every managed resource on a node

• The agent on a node calls its providers to bring the node to the desired state according to the catalog records
https://puppet.com/docs/puppet/latest/subsystem_catalog_compilation.html#the-catalog-compilation-process
Puppet is about the state
Again:

• It's NOT a sequence of steps to bring the system to the state!

• It IS the state!
Puppet is about the state
That's why e.g.:

• You cannot easily move/rename a file on a node's filesystem if you're not managing it

• You cannot easily read a file from a node to use it in your manifest*

• You cannot just execute a binary on a node and then do something depending on the result*

* Though you may use facts for this
Puppet is about the state
• You must take care when renaming/moving things:

• Ensure old resource is absent

• Ensure new resource is present

• It's usually good to keep both in the state for a while
Puppet is about the state of a node
• You cannot easily make changes on multiple nodes in a defined order (e.g. a rolling upgrade of a Kafka cluster) using just Puppet*

* Though you may do it using an orchestration tool!
How to use Puppet in a painless way
VCS & CI/CD FTW!
Control repo
[Git] repository where your Puppet manifests reside...

... and hiera data

... and unit/integration/acceptance tests

... and more
Control repo examples
• Puppetlab: https://github.com/puppetlabs/control-repo

• Azalio: https://github.com/azalio/control-repo

• PSICK: https://github.com/example42/psick
Roles & Profiles
• Role is... just a VM "role" (e.g. PostgreSQL server, Puppet master, Kafka broker, ...)

• A node can have only one role

• A role may contain multiple profiles

• A role is not configurable (cannot take any parameters)

• A profile is a class describing a single logical unit (e.g. docker, ssh, consul agent). A profile is configurable (e.g. it can take parameters from Hiera).
https://puppet.com/docs/pe/latest/the_roles_and_profiles_method.html
Profiles
• profile::common::packages

• profile::prometheus::node_exporter

• profile::puppet::agent
But how to attach the role to the server?
• Based on hostnames - do not use it (do not encode metadata in your hostnames)

• Based on trusted facts (DO NOT use non-trusted facts for this)

• Using External Node Classifier (ENC)

• Hiera may be used as ENC
Hiera
“Hiera is a built-in key-value configuration data lookup system, used for separating data from Puppet code.”
– Puppet documentation
Hiera
---
version: 5
defaults:  # Used for any hierarchy level that omits these keys.
  datadir: data         # This path is relative to hiera.yaml's directory.
  data_hash: yaml_data  # Use the built-in YAML backend.
hierarchy:
  - name: "Per-node data"                   # Human-readable name.
    path: "nodes/%{trusted.certname}.yaml"  # File path, relative to datadir.
  - name: "Per-datacenter business group data"  # Uses custom facts.
    path: "location/%{facts.whereami}/%{facts.group}.yaml"
  - name: "Global business group data"
    path: "groups/%{facts.group}.yaml"
  - name: "Per-OS defaults"
    path: "os/%{facts.os.family}.yaml"
  - name: "Common data"
    path: "common.yaml"
Hiera
data/common.yaml
data/product
data/product/devops_prod.yaml
data/product/devops_qa.yaml
data/os/RedHat-7.yaml
data/os/Ubuntu-16.04.yaml
data/os/Ubuntu-18.04.yaml
data/node/puppetmaster.tld.yaml

hiera.yaml
  - name: "Yaml backend"
    data_hash: yaml_data
    paths:
      - "node/%{trusted.certname}.yaml"
      - "product/%{product}_%{env}.yaml"
      - "os/%{facts.os.name}-%{facts.os.release.major}.yaml"
      - "os/%{facts.os.name}.yaml"
      - "common.yaml"
Hiera automatic parameters lookup
data/common.yaml
profile::container::docker::ensure: present
profile::container::docker::storage_driver: 'overlay2'
profile::container::docker::log_opts:
  'max-size': '10m'

data/node/podmantest.tld.yaml
profile::container::docker::ensure: absent

site-modules/profile/manifests/container/docker.pp
# Install and configure docker
class profile::container::docker (
  Enum['absent', 'present'] $ensure         = 'present',
  Optional[String]          $storage_driver = undef,
  Optional[Hash]            $log_opts       = undef,
  ...
) { ... }
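As an added example (not from the slides and not SP Digital's own code), here is the docker profile from the slide above filled in, plus a role that composes it with the profiles listed earlier; it also applies the "ensure the old resource is absent, the new one present" rule from the "Puppet is about the state" slides. Assumed: the role name role::docker_host, the package name docker-ce, the old config path /etc/docker/daemon.conf, and puppetlabs-stdlib in the Puppetfile for to_json_pretty and delete_undef_values.

```puppet
# site-modules/role/manifests/docker_host.pp  (assumed role name)
# A role takes no parameters and only includes profiles; Hiera decides
# how each profile is configured on a given node.
class role::docker_host {
  include profile::common::packages
  include profile::prometheus::node_exporter
  include profile::puppet::agent
  include profile::container::docker
}

# site-modules/profile/manifests/container/docker.pp
# Install and configure docker. Every parameter is filled by automatic
# parameter lookup: data/common.yaml supplies the defaults, and
# data/node/podmantest.tld.yaml flips $ensure to 'absent' for that one node.
class profile::container::docker (
  Enum['absent', 'present'] $ensure         = 'present',
  Optional[String]          $storage_driver = undef,
  Optional[Hash]            $log_opts       = undef,
) {
  # Assumed package name; the real one depends on the distro repo in use.
  package { 'docker-ce':
    ensure => $ensure,
  }

  # Build daemon.json only from the options that were actually set, so an
  # unset Hiera key does not emit "null" into the daemon config.
  # delete_undef_values and to_json_pretty come from puppetlabs-stdlib (assumed).
  $daemon_config = delete_undef_values({
    'storage-driver' => $storage_driver,
    'log-opts'       => $log_opts,
  })

  file { '/etc/docker/daemon.json':
    ensure  => $ensure,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => to_json_pretty($daemon_config),
    require => Package['docker-ce'],
  }

  # The config used to live at an assumed old path. Renaming a managed file is
  # two declarations, not a move: the old path stays in the catalog as absent
  # for a while, otherwise the stale copy would simply be left behind.
  file { '/etc/docker/daemon.conf':
    ensure => absent,
  }

  # The service is only declared while docker is installed: with
  # $ensure == 'absent' the package removal stops the unit, and declaring a
  # service for a unit that no longer exists would only produce errors.
  if $ensure == 'present' {
    service { 'docker':
      ensure    => 'running',
      enable    => true,
      require   => Package['docker-ce'],
      subscribe => File['/etc/docker/daemon.json'],
    }
  }
}
```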
CI/CD steps
• Checkout the control repo (usually done by your CI/CD
software)

• Run syntax and style checks

• Run unit tests/integration tests/acceptance tests

• Deploy manifests and modules onto every Puppet server
you have
Puppet Development Kit
• PDK provides integrated testing tools and a command line interface to help you develop, validate, and test modules.

  pdk new module <module_name>
  pdk validate
  pdk test unit

• https://puppet.com/docs/pdk/1.x/pdk.html
Puppet-lint
• Check that your Puppet manifests conform to the style
guide

• https://github.com/rodjek/puppet-lint
Puppet-syntax
• Syntax checks for Puppet manifests and templates

• puppet parser validate **/*.pp
• https://github.com/voxpupuli/puppet-syntax
RSpec-puppet
• RSpec tests for your Puppet manifests

• https://github.com/rodjek/rspec-puppet/
Onceover
• Onceover is a tool to automatically run basic tests on an
entire Puppet controlrepo.

• https://github.com/dylanratcliffe/onceover
Puppet-litmus
• Providing a simple command line tool for puppet content creators, to enable simple and complex test deployments

• Puppet acceptance tests using ServerSpec, in other words. Vagrant and Docker provisioners are supported.

$ pdk bundle exec rake 'litmus:provision[docker, centos:7]'

$ pdk bundle exec rake litmus:install_agent

$ pdk bundle exec rake litmus:install_module

$ pdk bundle exec rake litmus:acceptance:parallel

$ pdk bundle exec rake litmus:tear_down
• https://github.com/puppetlabs/puppet_litmus/
What to deploy
• main manifests directory

• site modules (roles & profiles)

• hiera config & data

• external modules

• environment.conf

• [environment version script]
How to deploy
• Old'n'good scp/rsync from CI/CD server

• Build code & modules archive by CI/CD pipeline and
upload to an artefacts storage. Then notify masters to
fetch and deploy it. r10k tool may be useful here.

• Any way you'd like actually. Environment is just directory
on Puppet server.
Workflow example 1/3
• git checkout -b feature_branch

• <edit files>

• <run local checks>

• git push --set-upstream origin feature_branch

• CI/CD server runs lint/syntax checks and unit/integration/acceptance tests

• CI/CD server deploys feature_branch on the Puppet server as the 'feature_branch' environment
Workflow example 2/3
• Go to the server your changes are intended for

• puppet agent --test --environment feature_branch --noop

• puppet agent --test --environment feature_branch
Workflow example 3/3
• Make pull request/merge request into your control repo

• Ask your teammates for review

• Merge your changes to the production branch and allow the CI/CD pipeline to deploy it to the Puppet server

• Wait some time for changes to be applied across the fleet

• Enjoy :)
Secrets
How to keep your secrets
• show_diff => false

• Sensitive type

• Deferred calls (e.g. using HashiCorp Vault)

• node_encrypt module (https://forge.puppet.com/binford2k/node_encrypt)

• eyaml Hiera backend

• HashiCorp Vault Hiera backend
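An added example (not from the slides, not SP Digital's code) that combines three items from the list above: an eyaml-encrypted Hiera value delivered to a profile as the Sensitive type, and show_diff => false on the file that receives it. Assumed: the profile name profile::opentsdb and its parameter keys, the file path, and Hiera's lookup_options/convert_to (Puppet 6+), shown here as a comment.

```puppet
# data/common.yaml (assumed keys, shown as a comment so this file stays Puppet):
#
#   lookup_options:
#     profile::opentsdb::hbase_password:
#       convert_to: "Sensitive"     # Hiera wraps the value before auto-lookup
#   profile::opentsdb::hbase_password: ENC[PKCS7,...]   # stored encrypted (eyaml)
#
# Without convert_to the key would arrive as a plain String and the
# Sensitive[String] parameter type below would refuse it at compile time,
# so a forgotten wrapper fails closed instead of leaking the value.

class profile::opentsdb (
  Sensitive[String] $hbase_password,
  String            $hbase_user = 'opentsdb',
) {
  # Render the config inside unwrap's lambda and re-wrap the result, so the
  # plaintext never sits in a plain variable, the catalog or the run report.
  $secrets_conf = $hbase_password.unwrap |$plain| {
    Sensitive("tsd.storage.hbase.user = ${hbase_user}\ntsd.storage.hbase.password = ${plain}\n")
  }

  file { '/etc/opentsdb/secrets.conf':
    ensure    => file,
    owner     => 'opentsdb',
    group     => 'opentsdb',
    mode      => '0600',          # readable by the service account only
    content   => $secrets_conf,   # Sensitive content is logged as [redacted]
    show_diff => false,           # and no diff goes into the report either way
  }
}
```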
Orchestration
Orchestration
• Ansible :-D

• Puppet Bolt (https://puppet.com/docs/bolt/)

• MCollective (obsoleted)

• Choria (https://choria.io/)
Choria
Orchestration framework
Choria
• mco facts os.distro.description

• mco rpc service status service=puppetserver -I /puppetserver[0-9].tld/

• mco filemgr --file /etc/puppetlabs/puppet/puppet.conf status -C role::default -F trusted.extensions.pp_product=devops
Choria
$ mco facts kernelrelease -F trusted.extensions.pp_environment=qa
Report for fact: kernelrelease
4.15.0-1066-azure found 1 times
4.15.0-1069-azure found 3 times
4.15.0-1071-azure found 31 times
Finished processing 35 / 35 hosts in 37.75 ms
Choria playbooks
plan spd::opentsdb::restart (
  String             $product,
  Enum['qa', 'prod'] $env,
  String             $role,
  Boolean            $reboot = false,
  Boolean            $silent = false,
  Boolean            $noop   = false,
) {
  # Discover opentsdb cluster nodes
  $nodes = choria::discover(
    discovery_method => 'choria',
    classes          => [ $role ],
    facts            => [
      "trusted.extensions.pp_product=${product}",
      "trusted.extensions.pp_environment=${env}",
    ],
    test             => true,
  )

  # Check cluster state
  unless choria::run_playbook('spd::opentsdb::check_health',
    targets => $nodes,
    silent  => $silent,
  ) {
    fail('Cluster is not healthy!')
  }

  $sorted_nodes = $nodes.sort

  # Restart every node in order
  $sorted_nodes.each |$node| {
    choria::run_playbook('spd::util::restart_node',
      target       => $node,
      service_name => 'opentsdb',
      silent       => $silent,
      reboot       => $reboot,
      noop         => $noop,
    )

    # Check cluster state
    unless choria::run_playbook('spd::opentsdb::check_health',
      targets => $sorted_nodes,
      silent  => $silent,
    ) {
      fail("Node ${node} is failed! Please check cluster health!")
    }

    # Temporary safeguard
    unless $noop {
      reboot::sleep(30)
    }
  }

  $sorted_nodes
}

https://choria.io/docs/playbooks/
Choria playbooks
$ mco playbook run spd::opentsdb::restart --modulepath /etc/puppetlabs/code/environments/production/modules --product abc --env qa --role role::opentsdb --silent --reboot
In-house development
• PDK-managed control repo with useful Rake tasks

• Vault PKI certificate management tool (can check cert expiration and issue a new cert in PEM and PKCS12 formats)

• Choria 'query' agent (can query a Prometheus exporter and a REST URL for data in a playbook)

• Choria Kafka/Cassandra/Elasticsearch/OpenTSDB/RabbitMQ*
rolling reboot playbooks

• Kafka topic management Puppet provider*

* under development now
What's beyond?
Immutable infrastructure
Immutable infra in short words
• Manage VM images instead of VMs

• Recreate the whole VM when things are changed
Immutable infra questions
• What to do with persistent data?

• How to customise the image on boot (host-dependent settings)?

• What about orchestration?
Thank you!
Q & A
Yury Bushmelev

Twitter: @jay7t

Github: jay7x

https://www.linkedin.com/in/yuribushmelev
