Managing CoreOS with Puppet

A quick look at how to use Puppet with the CoreOS operating system. A little background on what configuration management really is, how to use Puppet on a container-centric operating system, and some of the advantages of doing so.

Gareth Rushgrove

December 06, 2016

Transcript

  1. (without introducing more risk)
    Managing CoreOS
    with Puppet
    Puppet
    Gareth Rushgrove
    What? Why? How?

  2. @garethr

  3. Gareth Rushgrove

  4. What we’ll cover
    This talk

  5. - What is configuration management?
    - CoreOS and Config management?
    - Running Puppet on CoreOS
    - Useful super powers

  6. I’m assuming some knowledge of
    CoreOS and of Puppet (or similar tools)

  7. LIVE DEMOS

  8. Useful background
    What is Configuration
    Management?

  9. - 1950s research
    - 1960s 480 series
    - 1991 MIL-HDBK-61
    - 1998 ANSI-EIA-649

  10. - Identification
    - Control
    - Status accounting
    - Verification and audit
    Military Handbook Configuration Management Guidance MIL-HDBK-61B

  11. Configuration management verifies
    that a system is identified and
    documented in sufficient detail
    National Consensus Standard for Configuration Management EIA-649

  12. Configuration management verifies
    that a system performs as intended
    National Consensus Standard for Configuration Management EIA-649

  13. The why
    But CoreOS and
    Config Management?

  14. Fleet unit files tend toward chaos
    Gabriel Monroy, CTO, Deis and CoreOS contributor

  15. Don't use cloud init for
    configuration management
    Gabriel Monroy, CTO, Deis and CoreOS contributor

  16. 900 line user data script!

  17. With embedded YAML

  18. and systemd unit files

  19. jumanjihouse/puppet-on-coreos

  20. Cloud-init is fine for bootstrapping
    CoreOS, but sometimes you want to
    consolidate inventory data
    for all your hosts
    Paul Morgan, Architect, NYSE

  21. École Polytechnique Fédérale
    de Lausanne

  22. Continuous (re)configuration: add
    or modify services without
    reinstalling or rebooting
    École Polytechnique Fédérale de Lausanne

  23. Specialized configuration of individual
    nodes when you really do need it.
    eg. gateway node with the physical
    Ethernet connection to the
    outside world
    École Polytechnique Fédérale de Lausanne

  24. @billcloud_me

  25. @GarciaXuxo

  26. When everything is a container
    How to run Puppet

  27. Container-centric infrastructure

  28. Available on Docker Store

  29. Talk driven development

  30. Puppet in containers
    $ docker pull garethr/puppet-agent-coreos
    $ docker pull garethr/facter-coreos
    $ docker pull puppet/r10k

  31. Helpful aliases
    alias puppet="docker run --rm --privileged \
    -v /tmp:/tmp -v /etc:/etc \
    -v /var:/var -v /usr:/usr \
    -v /var/run/dbus:/var/run/dbus \
    -v /run/systemd:/run/systemd \
    garethr/puppet-agent-coreos"

  32. Facter
    $ facter os
    {
      architecture => "x86_64",
      family => "CoreOS",
      hardware => "x86_64",
      name => "CoreOS",
      release => {
        full => "1185.3.0",
        major => "1185",
        minor => "3"
      },
      selinux => {

  33. Manage modules with r10k
    $ docker run -v /etc:/etc \
    -v /home/core/Puppetfile:/Puppetfile:ro \
    puppet/r10k puppetfile install --verbose \
    --moduledir /etc/puppetlabs/code/modules

  34. Puppet resource
    $ puppet resource service etcd
    service { 'etcd':
      ensure => 'stopped',
      enable => 'true',
    }
    $ puppet resource service etcd ensure=running
    $ sudo systemctl status etcd
    etcd.service - etcd
       Loaded: loaded (/usr/lib/systemd/system/etcd.service; static; disabled)
       Active: active (running) since Fri 2016-12-02 16:36:13 UTC; 5

  35. LIVE DEMOS

  36. Nice hack, now what?
    New things you can do

  37. Obviously you can manage your
    users, groups, services, ssh-keys,
    DNS, etc. using Puppet

  38. You can have a consistent user
    interface across your CoreOS and
    non-CoreOS hosts
    (In larger organisations this can make it easier to introduce a new OS like CoreOS too)

  39. No SSH

  40. Inventory with PuppetDB

  41. Puppet Query Language
    inventory { facts.os.name = "CoreOS" }

  42. Nodes not running latest
    nodes[certname] { facts.osfamily = "CoreOS" and
    !(facts.os.release.full = "1185.3.0") }

  43. More complex queries
    inventory { facts.osfamily = "CoreOS" and
    facts.datacentre = "Lon1" and
    resources { type = "Service" and
    title = "etcd" and
    parameters.ensure = "stopped" } }

  44. Visibility and dashboards

  45. Questions?
    And thanks for listening

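Slides 30 and 31 pull the agent image by mutable tag and run it with `--privileged` and the host's /etc, /var and /usr mounted read-write, so whatever the tag resolves to runs as root on the host. The following is an added example, not code from the deck: a shell function that replaces the alias and refuses to start the container unless the image reference is pinned by sha256 digest. `PUPPET_IMAGE` and the function names are assumptions introduced here.

```shell
#!/bin/sh
# Added example: digest-pinned replacement for the `puppet` alias on slide 31.
# PUPPET_IMAGE and is_pinned are names introduced for this example.
# After reviewing an image, read its digest with:
#   docker image inspect --format '{{index .RepoDigests 0}}' IMAGE
# and export PUPPET_IMAGE='garethr/puppet-agent-coreos@sha256:<that digest>'.

# Succeeds only for references of the form name@sha256:<64 lowercase hex chars>.
is_pinned() {
    case "$1" in
        *@sha256:*) ;;
        *) return 1 ;;
    esac
    pinned_digest=${1##*@sha256:}
    [ "${#pinned_digest}" -eq 64 ] || return 1
    case "$pinned_digest" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Same mounts as the slide (systemd runtime directory mounted at the same
# path inside the container), but the image must be digest-pinned.
puppet() {
    is_pinned "${PUPPET_IMAGE:-}" || {
        echo "puppet: PUPPET_IMAGE must be pinned as name@sha256:<digest>;" \
             "refusing to start a privileged container from a mutable tag" >&2
        return 1
    }
    docker run --rm --privileged \
        -v /tmp:/tmp -v /etc:/etc \
        -v /var:/var -v /usr:/usr \
        -v /var/run/dbus:/var/run/dbus \
        -v /run/systemd:/run/systemd \
        "$PUPPET_IMAGE" "$@"
}
```

With `PUPPET_IMAGE` exported, `puppet resource service etcd` behaves as on slide 34; a later push to the same tag no longer changes what runs on the host.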