puppet camp paris 2014: highly available puppet : automate the deployment of new masters - guillaume...
DESCRIPTION
"Highly available Puppet : Automate the deployment of new masters" presented at Puppet Camp Paris 2014 by Guillaume Espanel, Objectif LibreTRANSCRIPT
Highly available Puppet : automate thedeployment of new masters
Puppet Camp Paris
Guillaume Espanel April 8th 2014
Guillaume EspanelI do devops at Objectif LibreLinux "background"Eager to learn new technologies
Objectif LibreFrench Open Source company specialized in Linux Infrastructure:
Setting up / auditManagementTraining
Big focused on modern and innovative tools :Parc management (Puppet and GLPI)Virtualization (KVM, LXC, OpenStack..)
The problemInfrastructures either grow or die.
The problemPuppet needs to grow with it !
Solutions Outline
Use Puppet to deploy new mastersSynchronize manifests and modules with r10kSetup a load balancing system : either SRV records or areverse proxy
Solutions Outline
Deploying new mastersWhat is a Puppetmaster
HTTPS server and Puppetmaster codeManifests and modulesCertificates and a CRL
A Puppetmaster is also a Puppet agent.
Deploying new mastersCreating a new masterWe want to take a server and turn it into a fully functionnal master.
Deploying new mastersGet certified!A good master certificate is usually valid for :
hostname.example.compuppet.example.comhostnamepuppet
Deploying new mastersButAn agent certificate is only valid for its own name. We have to regeneratea nice mastergrade certificate.This is hard to automate since Puppet needs a signed certificate in orderto receive a catalog.
Deploying new mastersSolutionChange dns_alt_names before running the agent :[main]# ...dns_alt_names = puppet,puppet.example.com# ...
Deploying new mastersInstalling the master roleThe secondary masters should not act as certificate authorities.Other than that, secondary masters are identical with the primary one.That means we have to take care of setting up the PuppetDB connection,the ENC, the reports processors, hiera ...
Deploying new mastersExample manifest$is_primary_master = false$dashboard_host = 'dashboard.example.com:3000'$storeconfigs_dbserver = 'puppetmaster1.example.com'
class{'::puppet::master': ca => false, reports => 'http', reporturl => "http://${dashboard_host}/reports/upload", storeconfigs => true, storeconfigs_dbserver => $storeconfigs_dbserver, ssl_cert => "/var/lib/puppet/ssl/certs/${::clientcert}.pem", ssl_key => "/var/lib/puppet/ssl/private_keys/${::clientcert}.pem", ssl_chain => '/var/lib/puppet/ssl/certs/ca.pem', ssl_ca => '/var/lib/puppet/ssl/certs/ca.pem', ssl_crl => '/var/lib/puppet/ssl/crl.pem',}
class{'::puppet::agent': puppet_server => "puppet.example.com",}
Synchronizing the modules and manifestsThis part is identical on all our Puppet masters.We will use r10k to pull our configuration out of a git repository.
Synchronizing the modules and manifestsEnvironmentsr10k supports deploying multiple environments. For the sake of simplicity,we will only use a standard production environment.Our repository will only have a production branch.
Synchronizing the modules and manifestsWhat do we need?
A git repository containing the modules and manifestsr10k and its configuration
Synchronizing the modules and manifestsExample manifestclass {'::r10k': remote => '[email protected]:puppet/environments.git',}
Synchronizing the modules and manifestsPulling through SSHYou can use an ssh_config file in order to associate an identity file to thegit server :Host git.example.com IdentityFile ~/.ssh/puppetmaster.key
Synchronizing the modules and manifestsr10k autorunThe nice zack/r10k module ships with two ways of pulling theenvironments from the git repository :include r10k::prerun_command
orinclude r10k::mcollective
Synchronizing the modules and manifestsWhere do we go?By now, should have a running secondary master.We need to make it available for our nodes.
Mechanisms for load balancing and high availability
Classic web application load balancingSRV Records
Mechanisms for load balancing and high availabilityClassic scalingWith haproxy (or any other TCP proxy, really) :
1. Listen on port 8140 in TCP mode2. Roundrobin requests to the masters3. Point your puppet.example.com DNS record to the reverse
proxy4. ...5. PROFIT
Mechanisms for load balancing and high availabilityNoteWhen deploying new agents, make sure they contact the "main" masterfor CA stuff.[main]# ...ca_server = puppetmaster1.example.com
in the agent's puppet.conf
Mechanisms for load balancing and high availabilityHaproxy configurationThe configuration should go along these lines :listen puppetmaster 0.0.0.0:8140 mode tcp option ssl-hello-chk option tcplog balance source server inst1 puppetmaster1.example.com:8140 check inter 2000 fall 3 server inst2 puppetmaster2.example.com:8140 check inter 2000 fall 3
Mechanisms for load balancing and high availabilityPuppetizing haproxyPuppetlabs' haproxy module dooes a great job at configuring haproxy :On the reverse proxy :include haproxy
haproxy::listen{'puppetmaster': ipaddress => '0.0.0.0', ports => '8140', balance => 'source', options => ['ssl-hello-chk', 'tcplog'], mode => 'tcp',}
Mechanisms for load balancing and high availabilityPuppetizing haproxyAnd on each master :@@haproxy::balancermember{"${::clientcert}_8140": listening_service => 'puppetmaster', server_names => $::clientcert, ipaddresses => $::clientcert, ports => '8140', options => ['check inter 2000', 'fall 3'],}
Mechanisms for load balancing and high availabilityPuppetizing haproxyThe haproxy::listen resource will collect all thehaproxy::balancermember resources and add the new masters to thepool.
Mechanisms for load balancing and high availabilitySRV RecordsSRV is for serviceAn SRV record looks like this :_service._proto.name. TTL class SRV priority weight port target.
Mechanisms for load balancing and high availabilityPuppet SRV Records
_xpuppet._tcp.example.com. 1800 IN SRV 0 5 8140puppetmaster1.example.com._xpuppet._tcp.example.com. 1800 IN SRV 0 5 8140puppetmaster2.example.com.
This declares two masters on example.com with a weight of 5.
Mechanisms for load balancing and high availabilityWhat about the CA?Theres an SRV record for that :_xpuppetca._tcp.example.com. 86400 IN SRV 0 5 8140puppetmaster1.example.com.
Mechanisms for load balancing and high availabilityTell the agents to use the SRV recordsEdit their puppet.conf file :[main]# ...use_srv_records = truesrv_domain = example.com
Putting it all togetherWe wrote a nice ha_puppet module that takes care of
Setting up Puppet and PassangerInstalling and configuring r10kDeploying a reverse proxy
How to use itnode /̂puppetmaster\d+\.objectif-libre\.corp$/ {
class{'ha_puppet': server => 'puppet-main.objectif-libre.corp', proxy_listener => 'puppetproxy', repo_url => '[email protected]:ol/puppetops.git', }
}
node /̂puppetproxy\d+\.objectif-libre\.corp$/ {
class{'ha_puppet::proxy': proxy_listener => 'puppetproxy', }
}
Thanks and links@steverjuk :
@acidprime : objectiflibre/ha_puppet :
https://github.com/stephenrjohnson/puppetmodulehttps://github.com/acidprime/r10k
http://forge.puppetlabs.com/objectiflibre/ha_puppet
Questions ?Or later... guillaume.espanel@objectiflibre.com
Twitter: @objectiflibre