External node classification, the CFEngine way

External node classification,
the CFEngine way
The classification problem:
challenges and solutions
Marco Marongiu (@brontolinux)

View Slide

Acknowledgements
All the images and logos used in this presentation are shown
for didactic purposes only, in the belief that it constitutes a
fair use of these resources. I don't claim any right on the
images and products shown in this presentation.
If you are the owner of any material used in this presentation
and you believe that I am abusing it, please let me know and
I'll promptly remove it from all my sources.

View Slide

Agenda
➔
Why classification is critical
➔
Why classification is difficult
➔
How we can make it sane
➔
Final take-aways

View Slide

Part 1:
the problem

View Slide

!!!
!!!
!!!
!!!
!!!
!!!
!!!

View Slide

Configuration management
«Configuration Management is the process of
identifying and defining the items in the system,
controlling the change of these items throughout
their life-cycle, recording and reporting the status
of items and change requests, and verifying the
completeness and correctness of items»
-- IEEE Glossary of Software Engineering Terminology (Standard
729-1983)

View Slide

In configuration management
you don't apply a
configuration to
a system, you
rather apply it
to classes
of systems!

View Slide

Part 2:
challenges

View Slide

Exceptions
are the rule

View Slide

Generic settings, the same for all systems
Amsterdam
DNS server NTP server Syslog server SSH configs
Oslo
Other random exceptions
Seattle Iceland

View Slide

Internal classification doesn't scale
definitions
explosion
difficult
reporting
«The business should define what systems
belong in which classes. The Cfengine
administrator should build policy. Once
the Cfengine administrator is left to
manually defining classes within policy,
you become a bottleneck»
-- M.Svoboda, LinkedIn
human
bottleneck

View Slide

Definitions explosion
class1
exception1 exception2

View Slide

Reporting
✔ take an infrastructure of 30000 nodes (LinkedIn-size!)
✔ try to report on something using SSH in a loop
✔ if no problem happens, and it takes ~3s per server on
average, it takes 90000 seconds (>24h)
✔ if you do it with 10 parallel proceses, it's still 2.5h
✗ ...and you haven't started analysing the data yet
✗ ...and you haven't made it available to management yet
✗ ...and you need an up-to-date inventory of all nodes to
provide accurate results
✗ ...and since not everybody has SSH access to the nodes or
to the inventory, you are the only one (and the bottleneck)
who can make that report!
✗ ...and it's an ideal case!

View Slide

Your task is building policies,
not defining classes

View Slide

What if you had the ability to write a policy and
use a class within that policy -- but the business
could control which machines were associated
with that class external to Cfengine? [...] The
business can deploy an application to a machine,
and Cfengine automatically responds in its policy
because new classes have been set on the client
automatically. Other business units can create
classes of machines, and file a ticket for you to
implement XYZ against the class they created.
You are allowing your business to work the way it
wants to.
-- M.Svoboda, LinkedIn

View Slide

Part 3:
Solutions

View Slide

Infrastructure complexity
low complexity high complexity
Technical skills
well versed
non technical
Basic interface
&
basic backend
Basic interface
&
sophisticated
backend
Sophisticated
interface
&
sophisticated
backend
Sophisticated
interface
&
basic backend

View Slide

Puppet and ENC
An external node classifier is an arbitrary script
or application which can tell Puppet which
classes a node should have [...] that can be called
by puppet master; it doesn’t have to be written
in Ruby. Its only argument is the name of the
node to be classified, and it returns a YAML
document describing the node. [...] To tell puppet
master to use an ENC, you need to set two
configuration options: node_terminus has to be
set to “exec”, and external_nodes should have
the path to the executable.

View Slide

modules!
ENC in CFEngine means...

View Slide

The LinkedIn solution
M.Svoboda - LinkedIn
"Leveraging In-Memory Key Value Stores for Large-Scale Operations"

View Slide

our implementation: hENC
power &
simplicity
config info
in plain
text files
module
protocol
a simple
Perl script

View Slide

View Slide

CFEngine's module protocol
+activated_class
-cancelled_class
=my_var=my value
[email protected]_list={ 'list','of','4','values'}
=my_array[element]=value
@my_array[list]={ 'list','of','4','values'}

View Slide

#!/bin/sh
/bin/egrep -h ^[[email protected]+-] $* 2> /dev/null

View Slide

#!/usr/bin/perl
use strict ;
use warnings ;
my %class ; # classes container
my %variable ; # variables container
# Silence errors (e.g.: missing files)
close STDERR ;
while (my $line = <>) {
chomp $line ;
my ($setting,$id) =
( $line =~ m{^\s*([=\@+-])(.+)\s*$} ) ;
# line didn't match the module protocol
next if not defined $setting ;
# add a class
if ($setting eq '+') {
# $id is a class name, or should be.
$class{$id} = 1 ;
}
# undefine a class
if ($setting eq '-') {
# $id is a class name, or should be.
$class{$id} = -1 ;
}
# define a variable/list
if ($setting eq '=' or $setting eq '@') {
# $id is "variable = something", or should be
my ($varname) = ( $id =~ m{^(.+?)=} ) ;
$variable{$varname} = $line ;
}
# discard the rest
}
# print out classes
foreach my $classname (keys %class) {
print "+$classname\n" if $class{$classname} > 0 ;
print "-$classname\n" if $class{$classname} < 0 ;
}
# print variable/list assignments, the last one wins
foreach my $assignment (values %variable) {
print "$assignment\n" ;
}

View Slide

read
general
defaults
read
location
defaults
read
environment
defaults
read
node
settings

View Slide

oslo_public::
"enc_subdir"
policy => "overridable",
string => "$(enc_basedir)/pub" ;
on_private_net_only::
"enc_subdir"
string => "$(enc_basedir)/priv" ;
oslo::
"henclist"
slist => {
"$(enc_basedir)/_default_",
"$(enc_basedir)/_oslo_",
"$(enc_subdir)/_oslo_",
"$(enc_subdir)/$(sys.domain)/$(sys.fqhost)",
} ;
}environment-
dependent
settings
} general defaults
} location defaults
} environ. defaults

View Slide

methods:
"ENC"
comment => "External node classification",
usebundle => henc("site.henclist") ;
vars:
"motd_file"
string => "$(henc.motd_file)",
policy => "overridable" ;

View Slide

bundle agent henc(enclist_name) {
vars:
henc_has_list::
"enclist" slist => { "@($(enclist_name))" } ;
"enc_fullpath" slist => maplist("$(site.inputs)/$(this)","enclist") ;
"encargs" string => join(" ","enc_fullpath") ;
classes:
"henc_has_list" expression => isvariable("enclist_name") ;
"henc_has_args" expression => isvariable("encargs") ;
"henc_can_classify" and => { "henc_has_list","henc_has_args" } ;
files:
"$(site.lmodules)/henc"
comment => "Copy/update hierarchical merger",
copy_from => digest_cp("$(site.modules)/henc"),
perms => mog("0755","root","root") ;
henc_has_list::
"$(site.inputs)/$(enclist)"
comment => "Cache henc files locally",
copy_from => digest_cp("$(site.masterfiles)/$(enclist)") ;
commands:
henc_can_classify.!henc_classes_activated::
"$(site.lmodules)/henc"
comment => "Hierarchical classification for $(sys.fqhost)",
args => "$(encargs)",
classes => always("henc_classes_activated"),
module => "true" ;
}

View Slide

final take-aways
smart
classification
is crucial...
...but doesn't
need to be
complicated...
...unless your
infrastructure is.
sometimes,
even plain text
is good enough!

View Slide

View Slide

comments?
@brontolinux
[email protected]
http://syslog.me
http://no.linkedin.com/in/marcomarongiu/

View Slide

THANK
you

View Slide

External node classification, the CFEngine way

External node classification, the CFEngine way

Marco Marongiu

More Decks by Marco Marongiu

Other Decks in Technology

Featured

Transcript