20111110 how puppet-fits_into_your_existing_infrastructure_and_change_management_practices-sasag
How Puppet fits into your existing architecture
2011-11-10, Seattle, WA
SASAG
Garrett Honeycutt, Professional Services Consultant
[email protected]
http://linkedin.com/in/garretthoneycutt
We are hiring
• Professional Services
• Technical Training Manager
• Operations Engineer
Provisioning
No upgrades - just build new systems
• solves the issue of intermediate states
Provisioning
Start from a known base!
Provisioning
PXE
• Provisions VMs and physical systems the same way
Cloudy APIs
• May not be an option if you have physical hardware
Provisioning
Cobbler
• My favorite provisioning system for PXE
• Handles tftp/dhcp/dns/repos
• Primarily for RedHat-ish systems; also supports Solaris, Debian, and images (i.e. memtest, windows, firmware upgrades, etc)
• http://github.com/ghoneycutt/puppet-cobbler
Provisioning
Puppet CloudPack
• Provision EC2 and VMware systems
• Uses fog (http://fog.io), so easily hackable
Provisioning
Chicken and egg with software repos
• run the agent with --tags repo first, so the repository resources are applied before the packages that depend on them
• Preferred over run stages for simplicity and portability in modules
Provisioning
Certificate management
• autosigning is your friend
• can also pre-generate certs
• gencert.php - uses reverse DNS
External Node Classifier
Puppet Dashboard
• source of truth for the list of nodes
• Add/Remove hosts through the API - ties into provisioning
Package Management
Run your own software repositories
• You control when package versions change
• Packages are not mysteriously missing
• Much faster provisioning
Package Management
Version control your repositories
• Does not mean you need to use a VCS
• /data/repos/CentOS_5.5_Base is a symlink to /data/repos/CentOS_5.5_Base-2011062700
• Use hardlink(1) to deal with duplicate files
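As an added example (not from the slides), a POSIX shell implementation of the serial-named snapshot plus symlink swap described above. The find/cmp/ln loop stands in for hardlink(1); the repository root, name and serials are constructed, and GNU coreutils (cp -a, mv -T) on a Linux filesystem is assumed.

```shell
#!/bin/sh
# Constructed example: publish a dated snapshot of a package repository
# and flip the stable symlink to it, BIND-serial naming as in
# /data/repos/CentOS_5.5_Base -> CentOS_5.5_Base-2011062700.
# Assumes GNU coreutils (cp -a, mv -T) and that rename(2) is atomic.

# publish_snapshot REPOROOT NAME SERIAL SRC
#   Copies SRC to REPOROOT/NAME-SERIAL, hard-links every file that is
#   unchanged since the currently published snapshot (what hardlink(1)
#   does after the fact), then repoints REPOROOT/NAME atomically.
publish_snapshot() {
  root=$1 name=$2 serial=$3 src=$4
  new="$root/$name-$serial"
  # Snapshots are immutable: never overwrite a serial that already exists.
  [ -e "$new" ] && { echo "snapshot $new already exists" >&2; return 1; }
  cp -a "$src" "$new"
  # Deduplicate against the snapshot that is currently published, if any.
  if [ -L "$root/$name" ]; then
    old=$(readlink "$root/$name")
    case $old in /*) ;; *) old="$root/$old" ;; esac
    (cd "$new" && find . -type f) | while read -r f; do
      if [ -f "$old/$f" ] && cmp -s "$old/$f" "$new/$f"; then
        ln -f "$old/$f" "$new/$f"   # identical content: share the inode
      fi
    done
  fi
  # Atomic swap: build the new link beside the old one, then rename over it,
  # so clients never see a missing or half-written repository.
  ln -s "$name-$serial" "$root/.$name.tmp"
  mv -T "$root/.$name.tmp" "$root/$name"
}

# current_snapshot REPOROOT NAME -> prints the serial currently published
current_snapshot() {
  t=$(readlink "$1/$2") && printf '%s\n' "${t##*-}"
}
```

Rolling back is the same symlink swap pointed at an older serial; nothing in the old snapshot was modified by publishing the new one.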
Package Management
package {}
• ensure => present or absent
• no version numbers
Package Management
no package { 'foo': ensure => latest }
• not-so-homogeneous clusters while groups of systems converge
• ideally upgrades happen with rebuilds
• upgrades are triggered out of band - MCollective
Account Management
Use a directory service
• LDAP
• Active Directory
Account Management
Role based access control
• Groups get access, NOT users
• Who is in what team can be delegated to HR/management
Account Management
/etc/security/access.conf
• controls which groups may access the system
• http://github.com/ghoneycutt/puppet-pam
Account Management
List users as virtual resources sorted by UID and realize as necessary
# Declared virtual (@) so it is only managed on nodes that realize it,
# e.g. realize(Common::Mkuser['apachehup']) in the class that needs it.
@common::mkuser { 'apachehup':
  uid        => '32001',
  gid        => '32001',
  home       => '/home/apachehup',
  managehome => true,
  comment    => 'Apache Restart User',
  dotssh     => true,
}
http://github.com/ghoneycutt/puppet-generic
Data storage
Data?
• information that your node serves or creates
Data storage
Keep data stored off node
• SAN / NAS / Cloudy store
• rebuilt machines reconnect to your data
Disposable Architecture
http://www.linkedin.com/in/ericheydrick
Disposable Architecture
Develop other metrics to determine system health
• not how many systems are alive
• response times
• % of anticipated capacity
Auto-scaling
Tying it together
• (de)provision based on metrics
• capacity, response, etc
Change Management with Puppet
2011-11-10, Seattle, WA
SASAG
Garrett Honeycutt, Professional Services Consultant
[email protected]
http://linkedin.com/in/garretthoneycutt
What?
Change - "an event that results in a new status of one or more configuration items" [1]
[1] - http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library#Change_Management
Why?
Environments are the same!
Dev == QA == Staging == ... == PROD
Why?
Compliance with Change Management policies
• CAB - Change Approval/Advisory Board
• Different environments have different criteria for passing to the next one
Different Environments
Puppet Test Area -> Dev -> QA -> Prod
Each environment has different teams and sometimes conflicting goals
Gate Examples
Puppet Test Area -> Dev
• Devs agree to/know of the change
Dev -> QA
• Devs have completed and self-tested
QA -> Prod
• QA team has verified systems
• Ops is ready (has runbooks, monitoring setup, ... )
Documentation and Policies
Understand your environments
• What are they?
• What is their order of precedence?
• What are their SLAs?
• Who owns them?
Documentation and Policies
Understand gating factors for change
• What are the gates between each environment?
• Who approves them?
• In what forum are they approved?
VCS Structure (SVN view)
VCS Structure (git view)
same as SVN except
• you do not have separate directories for
  • trunk
  • branches
  • tags
VCS Structure
trunk / master
• New code that is the best known working code
• but still not very well tested ...
VCS Structure
branches
• short lived
• use topical branches!
• associate branches with ticket numbers, so you can leverage your ticketing system to capture who is requesting changes and why
• avoid assigning branches to people as they tend to be long lived
VCS Structure
tags
• immutable (even if you can technically make changes)
• found that BIND style serials work quite well for naming tags
• 2011041300 would be the first tag on April 13th, 2011.
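Added example, not part of the talk: a shell function that computes the next BIND-style serial for a tag from the tags that already exist, so the counter restarts at 00 each day and a serial is never reused. The existing tag names are constructed, and the git commands in the trailing comment are assumed rather than taken from the slides.

```shell
#!/bin/sh
# Constructed example: next BIND-style serial (YYYYMMDDNN) for a release tag.
# next_serial DATE EXISTING
#   DATE is YYYYMMDD; EXISTING is a whitespace-separated list of existing
#   tag names. Prints DATE followed by the next unused two-digit counter.
next_serial() {
  date=$1; existing=$2
  case $date in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "bad date: $date (want YYYYMMDD)" >&2; return 1 ;;
  esac
  max=-1
  for t in $existing; do
    # Only tags cut on DATE count; other days' tags keep their own counters.
    case $t in
      "$date"[0-9][0-9])
        n=${t#"$date"}
        n=${n#0}            # drop the leading zero so 08/09 are not read as octal
        [ "$n" -gt "$max" ] && max=$n
        ;;
    esac
  done
  next=$((max + 1))
  # Two digits only: the 101st tag on one day would collide with tomorrow's.
  if [ "$next" -gt 99 ]; then
    echo "no serials left for $date" >&2
    return 1
  fi
  printf '%s%02d\n' "$date" "$next"
}

# Typical use when cutting a tag from trunk/master (assumed, ordinary git):
#   tag=$(next_serial "$(date +%Y%m%d)" "$(git tag)")
#   git tag -a "$tag" -m "release $tag" master
```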
Flow
• Change request comes in (from your ticket system)
• You create a branch from trunk/master that corresponds with the request
• Make changes to the branch
• Merge the branch back into trunk/master
• test against trunk/master
• create a tag
• associate that tag with the next environment, all the way through to Prod
Oops, we found a bug
• tags are immutable, remember?
• create a brand new tag off of trunk/master
• start the process from the beginning
• short-cuts are more expensive
Release Management
Multiple people making changes?
• You need a release manager to be responsible for merging from branches into trunk/master
• Potentially rotate who holds this position
Release Management
Multiple teams exchanging code?
• Investigate using multiple module paths
• Communication!
• private github - can facilitate cooperation
Mailing List of changes
Create a mailing list for all changes
• You can always ignore it
• reach out to those writing poor code before they ask you to merge it into trunk
• svnmailer is great
Testing trunk/master
Create at least one representative system for each different type of system you model
• Run these systems off the code in trunk/master
• Before cutting a tag, rebuild all these systems from scratch
• further tests that relationships between resources are working
• proves you can actually provision a system from scratch
Approaches to testing branches
• Puppet's understanding of environments is good for this
• Set up a different Puppet master per branch
• Do not rely on a puppet master at all -- use puppet apply and test locally