Below are some useful notes from the course. Note these notes apply primarily to puppet enterprise, the standalone puppet version may not include all these features and/or may contain different syntax.
Also, the writing style applies more to note-taking rather than externally useful tech-tips.
Puppet Stack
- Puppet Master
- Puppet Agent
- node Classifier
Puppet Overview
Puppet enforces an expected/defined state. Rather than scripting how it will perform its config tasks, we configure what the system needs to look like. Puppet then audits the client system (via Puppet Agent) and compares this to the expected state. It performs corrective actions if there are any differences
Puppet Run
- Always initiated from Puppet Agent
- This may be remotely triggered via mcollective etc, but the transaction always flows from the Puppet Agent to the Puppet Master
- The Puppet Agent will perform an audit, collecting "facter" data about the local system.
- facter data stored in JSON
- The facter data is sent to the Puppet Master and the catalogue pulled from the master
- The facter data is compared to the catalogue (expected config)
- If the Puppet Master is not contactable, the most recent catalogue (from last successful puppet run) is cached on the agent and used for enforcement
- Puppet will then reconfigure the client system to match the catalogue information
- Even if a modification has been made to the client system between puppet runs, if the catalogue remains the same, the system will be 'reverted' back to catalogue defined state
- Puppet will only execute a configuration command (i.e. "make a change" if it detects that a config needs to be applied. it uses a heap of if statements. This means if it detects only 1 change out of 100 attributes, it doesn't need to "apply 100 confiuration parameters", it simply applies the single parameter it needs to
Some useful syntax
puppet agent -t --> Will perform a full run and make changes if required
puppet agent --noop --> will not make changes, only reports what it finds (e.g. what differences exist)
puppet agent --environment {env} --> Will allow you to test a catalogue by specifying the environment to emulate.
Group Classifications
A series of groups can be defined to classify agents.
Classes will check facter parameters and any systems whose facters match those defined in a class will become members of that class.
- e.g. a class with "fqdn = *puppetlabs.vm" will include all systems on puppetlabs.vm domain
Regular Expressions
Ruby regular expression handling
regex can be used for matching nodes in node classifiers etc.
Multiple matches (e.g. in node classifier)
Classifications are read down sequentially. For instance
node /compan/ {
...
}
node /company.local/ {
...
}
node "node2.company.local" {
...
}
For "node1.company.local", the first one will be matched and the second one ignored
However, if an explicit string match occurs (e.g. "node2.company.local") then the regex statements are ignored and the explicit match statement is applied.
Puppet 2015 changes
Path on puppet master for installed modules is different
Forge
A Puppet Forge is a public/online repository of puppet modules.
Private Forge
See
http://terrarum.net/blog/puppet-infrastructure-with-r10k.html
For an example on setting up a local/private Forge
Querying Puppet Resources locally
root@robbie:~ # puppet resource user robbie
user { 'robbie':
ensure => 'present',
gid => '503',
home => '/home/robbie',
password => '$1$VglmTN0g$rh56m0UTUNLTHzxCeii3x0',
password_max_age => '99999',
password_min_age => '0',
shell => '/bin/bash',
uid => '503',
}
Would display the attributes for the object "robbie"in local users. This doesn't query facter, it looks directly at the local system.
puppet resource -e user robbie
(edit the options in your editor)
root@robbie:~ # puppet resource -e user robbie
Info: Loading facts
Notice: Compiled catalog for robbie.puppetlabs.vm in environment production in 0.35 seconds
Info: Applying configuration version '1440464985'
Notice: /Stage[main]/Main/User[robbie]/shell: shell changed '/bin/bash' to '/bin/sh'
Notice: Applied catalog in 0.06 seconds
Also Puppet Describe will help
[master]root@robbie:~/puppetcode/modules # puppet describe --list
These are the types known to puppet:
a2mod - .. no documentation ..
acl - Manages access control lists (ACLs)
anchor - A simple resource type intended to be used as ...
apt_key - This type provides Puppet with the capabiliti ...
augeas - Apply a change or an array of changes to the ...
computer - Computer object management using DirectorySer ...
... (not all are shown)
Error Codes & general hints
root@robbie:~ # puppet agent -t
Exiting; no certificate found and waitforcert is disabled
This means the certificate hasn't been generated/accepted by the puppet master yet.
Check /etc/puppetlabs/puppet/ssl on the puppet master for pending certificates.
Try deleting the pending cert then running puppet agent -t
again
Puppet VErsion Compatibility
Puppet (core) is designed to be compatible with specific versions of Operating Systems. Puppet certifies compatibility (e.g. version 4.3.1 ==> Windows 7.4 )
Forge modules however are largely managed by the community and may not have support for newer versions of dependent packages/libraries/etc.
e.g. if John Smith writes a module in 2013 for CentOS 5 with rc startup, it might not work with systemd in CentOS 7
Puppet Code
https://docs.puppetlabs.com/references/latest/type.html
Very useful reference describing resource attributes etc.
puppet describe {resource}
e.g.
puppet describe user
Provides useful info on each resource
Within each JSON stanza,
${type} { 'robbie':
ensure => present, # Comments using hash symbol
gid => 'super',
home => '/home/robbie',
managehome => true,
password => '#!abj52f%sBp052', # encrypted password hash here
}
=>
Used for declaring attribute values,
Each attribute line needs to end with a comma
Classes
A Class is a simple collection of modules which are managed together. There are generally no "smarts" in classes, it is just a way of managing them as one logical unit
class users {
user {[ 'mary', 'bob']:
ensure => present,
}
}
This class would add two users, defined in an array within the module in the class.
Defining vs Declaring Classes
Like with python functions, classes can be defined without ever being invoked ("declared"). They cannot be invoked without first having been defined.
To declare a class, use
include {class}
e.g.
include users
Tree Structure
- pp syntax files containing classes need to reside in the directory
{class}/manifests/\*.pp
This location is hard coded into puppet, it knows where to find the files.
For instance,
root@robbie:~/puppetcode/modules # tree users
users
├── examples
│ └── init.pp
└── manifests
└── init.pp
Validating Code
puppet parser validate {path/to-code.pp}
Will tell you if there is a problem with syntax.
puppet apply {path/to-code.pp}
Will load the puppet syntax file
- Local tests such as these can be performed on a dev system without invoking the entire set of PROD puppet code. i.e. you could define a class for a new user and declare it, on the dev box, then check that it was created.
- Going even further, to perform CI tests on this, you could
- fire up a standard build of your environment (e.g. on AWS using a PROD AMI)
- define and declare the class
- perform application tests
- power down the VM