Do you know all of Puppet?
Julien Pivotto (@roidelapluie)
Budapest DevOps Meetup
April 23, 2017
$::user
Julien Pivotto
@roidelapluie on irc/github/twitter
Puppet user since 2011 (Puppet 0.24)
VoxPupuli member (& security officer)
inuits
Scope
(Ab)using Puppet
The Puppet community
Puppet DSL tips and tricks
Why?
Puppet is present in lots of places
There are lots of new exciting features
But the Puppet DSL has a strong trunk
Many don't use all of its capacities
Using Puppet
Creative Commons Attribution 2.0 https://www.flickr.com/photos/jimmcd/4859841581
Custom facts
    FACTER_bootstrap=true puppet agent --test
Useful for one-time facts, or for overwriting existing facts (e.g. ipaddress) without code.
Custom facts (scripts)
    ./mycustomscript
    datacenter=mydc
Custom facts (ruby)
    # Interrupt Remapping
    # http://www.novell.com/support/kb/doc.php?id=7014344
    # https://access.redhat.com/site/solutions/110053
    # https://access.redhat.com/site/solutions/722593
    Facter.add("is_interrupt_remapping_broken") do
      confine :kernel => "Linux"
      setcode do
        # grep prints a line only for the affected chipset IDs/revisions
        output = Facter::Util::Resolution.exec(
          '/sbin/lspci -nn | grep -E \'8086:(340[36].*rev 13|3405.*rev (12|13|22))\'')
        if output.nil? or output.empty?
          result = false
        else
          result = true
        end
        result
      end
    end
The Puppet resource face
    $ puppet resource file /home/u/.vimrc
    file { '/home/u/.vimrc':
      ensure  => 'file',
      content => '{md5}d414e9800998ecf8427e',
      ctime   => '2017-04-25 11:01:05 +0100',
      group   => '1000',
      mode    => '0644',
      mtime   => '2017-04-25 15:02:03 +0100',
      owner   => '1000',
      type    => 'file',
    }
    $ puppet resource file .hushlogin mode=0755
Pluginsync
In modules:
    lib/puppet/reports/prometheus.rb
    lib/augeas/lenses/tmpfiles.aug
Share report processors
Share augeas lenses
Share facts
Puppet as a CA
Each Puppet agent has a certificate
It is used and maintained
It is easy to sign/generate
e.g.: The Foreman
Tooling for your laptop
puppet parser validate
Built into Puppet
    find . -name "*.pp" -exec puppet parser validate {} +
Style and Best practices
Puppet-lint 2
Plugins:
parameter_documentation
roles_and_profiles
package_ensure
unquoted_string
legacy_facts
many more...
The community
Creative Commons Attribution 2.0 https://www.flickr.com/photos/mrmystery/15868773733/
Puppet Modules
Modules are awesome
They have clear APIs
Easy to make code ready for everyone
Sharing is part of many Puppet users' mindset
The modules ecosystem
Puppet Forge
GitHub
Puppet is aging
Lots of old, unmaintained modules
Modules not Puppet 4 compatible
Modules untested
Modules without maintainers
The world evolves fast
Ruby versions and gems change fast
Keeping an up-to-date public CI (with Travis) is hard
But you don't need to change every module every day...
Vox Pupuli
Creative Commons Attribution-ShareAlike 4.0 https://github.com/voxpupuli/logos
What is Vox Pupuli?
Vox Pupuli is a community
We are sysadmins/developers/... Puppet users
We share values
Started in 2014
What do we do
We share Puppet modules
We maintain them, improve them
We provide a nice home for Puppet modules
How
We automate
We are experts (we use those modules)
We are an important group (98 people)
We enforce our Code of Conduct
Join us (with or without code)
Open Pull requests (we have 118 repos)
Share your modules
Get in touch
#voxpupuli on IRC
voxpupuli
http://github.com/voxpupuli
The Puppet DSL
Creative Commons Attribution 2.0 https://www.flickr.com/photos/mujitra/4421810399
The Puppet DSL
Awareness of its potential
Write less code
Avoid bad patterns
The File resource
    file { '/etc/motd':
      ensure  => file,
      content => 'foobarbarfoofoobar',
    }
content => file()
    file { '/etc/motd':
      ensure  => file,
      content => file("${module_name}/motd"),
    }
For small, text files (file content is in the catalog)
Since Puppet 3.7.0
validate_cmd
    file { '/etc/corosync/corosync.conf':
      ensure       => file,
      validate_cmd => '/usr/sbin/corosync -t %',
    }
Verify the file before replacing it (% is replaced by the path of the candidate file)
Since Puppet 3.5.0
Alternative in stdlib for older versions
show_diff
    file { '/etc/app/secrets':
      content   => 'my secret content',
      show_diff => false,
    }
Since Puppet 3.2.1
replace
    file { '/etc/installtime':
      content => template('date.erb'),
      replace => no,
    }
Since Puppet 0.19.0
backup
    file { '/etc/hosts':
      content => template('hosts.erb'),
      backup  => '.bak',
    }
Since a very long time...
source
    file { '/etc/issue.net':
      source => '/etc/motd',
    }
Since a very long time...
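Added example, not from the original slides: validate_cmd, backup and show_diff from the slides above, applied to files where a bad write locks people out or leaks a secret. The class name profile::hardened_files, the $db_password parameter, the sudoers drop-in, and the sshd_config file shipped in the module are assumptions made for illustration.

```puppet
# Hypothetical profile class (example code, not from the talk).
class profile::hardened_files (
  String $db_password = 'constructed-placeholder',  # constructed sample value
) {
  # A syntax error in a sudoers drop-in can break sudo for everyone, so
  # visudo checks the candidate file (%) before it replaces the live one.
  file { '/etc/sudoers.d/10-ops':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "%ops ALL=(ALL) ALL\n",
    validate_cmd => '/usr/sbin/visudo -cf %',
  }

  # sshd_config: refuse a config sshd cannot parse, and keep the previous
  # version next to the file as sshd_config.bak for quick rollback.
  file { '/etc/ssh/sshd_config':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0600',
    content      => file("${module_name}/sshd_config"),
    validate_cmd => '/usr/sbin/sshd -t -f %',
    backup       => '.bak',
  }

  # Secret file: show_diff => false keeps the content out of agent logs and
  # reports (it is still in the catalog). backup => false avoids leaving a
  # copy of the old secret in a filebucket or a .bak file.
  file { '/etc/app/secrets':
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    content   => "password=${db_password}\n",
    show_diff => false,
    backup    => false,
  }
}
```

If a validate_cmd exits non-zero, the resource fails and the existing file is left untouched.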
autorequires
Don't do:
    file { '/tmp':
    }
    file { '/tmp/foo':
      require => File['/tmp'],
    }
because files auto-require their parents (and owners, groups...)
Since Puppet 0.10.2
other autorequires
Exec, Cron require their users
Mount requires its parents
Exec requires its File[cwd]
other autodependencies
Resource types can implement autonotify and autosubscribe
(this is used in puppet-corosync)
Since Puppet 4.0.0
noop
    package { 'ntpd':
      ensure => latest,
      noop   => true,
    }
noop is not only a global setting - it is also a metaparameter that can be applied to any resource
Present since a very long time...
purging resources
    resources { 'cron':
      purge => true,
      noop  => true,
    }
Present since Puppet 0.22.0
Present since 3.5.0 (for cron resources)
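Added example, not from the original slides: the same purge-with-noop pattern used as an audit of unmanaged local accounts and SSH keys. It goes beyond the cron case on the slide by using the user type; the account name deploy, its uid and home, and the key value are constructed.

```puppet
# The one human/service account this node is supposed to have (constructed).
user { 'deploy':
  ensure         => present,
  uid            => 2001,
  home           => '/home/deploy',
  managehome     => true,
  # Remove any key in ~deploy/.ssh/authorized_keys that is not declared
  # as an ssh_authorized_key resource in the catalog.
  purge_ssh_keys => true,
}

ssh_authorized_key { 'deploy@ci':
  ensure => present,
  user   => 'deploy',
  type   => 'ssh-ed25519',
  key    => 'CONSTRUCTED_PLACEHOLDER_KEY',  # not a real key
}

# Audit step: every local user that is not in the catalog becomes a purge
# candidate. noop => true is passed on to those generated resources, so the
# agent only logs what it would remove and changes nothing.
# unless_system_user => true leaves low-UID system accounts alone.
resources { 'user':
  purge              => true,
  unless_system_user => true,
  noop               => true,
}
```

Review the noop events in the run report first; dropping noop => true from the resources declaration turns the audit into enforcement.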
exec tries
    exec { '/bin/wget 127.0.0.1':
      tries     => 10,
      try_sleep => 1,
    }
Present since Puppet 2.6.0
arrays
    file { '/usr/bin/sometimesexecutable':
      mode => ['0755', '0644'],
    }
Will accept both modes, and set 0755 if not matching.
Can be used with most of the properties.
Since Puppet 0.23.1
Requirements
    define foo::bar {
      Package['foo'] -> Foo::Bar[$name]
    }
Is the same as:
    foo::bar { 'barfoo':
      require => Package['foo'],
    }
Aliases
Instead of:
    file { "/tmp/foo/bar/bar.foo/foobar":
      ensure => file,
    }
    service { 'barfoo':
      require => File['/tmp/foo/bar/bar.foo/foobar'],
    }
Aliases
Use:
    file { "/tmp/foo/bar/bar.foo/foobar":
      ensure => file,
      alias  => 'foobar',
    }
    service { 'barfoo':
      require => File['foobar'],
    }
Since a very long time...
Loglevel
    exec { '/bin/mybrokenexec':
      loglevel => debug,
    }
Since Puppet 0.23.1
Conclusion
Creative Commons Attribution 2.0 https://www.flickr.com/photos/wwworks/6320539775/
Puppet
Puppet is now one of the sysadmin's basic tools
Tooling around it is great
Very active and mature community
Powerful DSL; can handle many scenarios