Managing CoreOS with Puppet

A quick look at how to use Puppet with the CoreOS operating system. A little background on what configuration management really is, how to use Puppet on a container-centric operating system, and some of the advantages of doing so.

Gareth Rushgrove

December 06, 2016

Transcript

  1. (without introducing more risk) Managing CoreOS with Puppet: What? Why? How? (Gareth Rushgrove, Puppet)
  2. @garethr
  3. Gareth Rushgrove
  4. What we’ll cover: This talk
  5. - What is configuration management?
      - CoreOS and Config management?
      - Running Puppet on CoreOS
      - Useful super powers
  6. I’m assuming some knowledge of CoreOS and of Puppet (or similar tools)
  7. LIVE DEMOS
  8. Useful background: What is Configuration Management?
  9. - 1950s research
      - 1960s 480 series
      - 1991 MIL-HDBK-61
      - 1998 ANSI-EIA-649
  10. - Identification
      - Control
      - Status accounting
      - Verification and audit
      (Military Handbook Configuration Management Guidance MIL-HDBK-61B)
  11. “Configuration management verifies that a system is identified and documented in sufficient detail” (National Consensus Standard for Configuration Management EIA-649)
  12. “Configuration management verifies that a system performs as intended” (National Consensus Standard for Configuration Management EIA-649)
  13. The why: But CoreOS and Config Management?
  14. “Fleet unit files tend toward chaos” (Gabriel Monroy, CTO, Deis and CoreOS contributor)
  15. “Don't use cloud init for configuration management” (Gabriel Monroy, CTO, Deis and CoreOS contributor)
  16. 900 line user data script!
  17. With embedded YAML
  18. and systemd unit files
  19. jumanjihouse/puppet-on-coreos
  20. “Cloud-init is fine for bootstrapping CoreOS, but sometimes you want to consolidate inventory data for all your hosts” (Paul Morgan, Architect, NYSE)
  21. École Polytechnique Fédérale de Lausanne
  22. “Continuous (re)configuration: add or modify services without reinstalling or rebooting” (École Polytechnique Fédérale de Lausanne)
  23. “Specialized configuration of individual nodes when you really do need it. e.g. gateway node with the physical Ethernet connection to the outside world” (École Polytechnique Fédérale de Lausanne)
  24. @billcloud_me
  25. @GarciaXuxo
  26. When everything is a container: How to run Puppet
  27. Container-centric infrastructure
  28. Available on Docker Store
  29. Talk driven development
  30. Puppet in containers
      $ docker pull garethr/puppet-agent-coreos
      $ docker pull garethr/facter-coreos
      $ docker pull puppet/r10k
  31. Helpful aliases
      alias puppet="docker run --rm --privileged \
        -v /tmp:/tmp -v /etc:/etc \
        -v /var:/var -v /usr:/usr \
        -v /var/run/dbus:/var/run/dbus \
        -v /run/systemd:/run/systemd \
        garethr/puppet-agent-coreos"
  32. Facter
      $ facter os
      {
        architecture => "x86_64",
        family => "CoreOS",
        hardware => "x86_64",
        name => "CoreOS",
        release => {
          full => "1185.3.0",
          major => "1185",
          minor => "3"
        },
        selinux => {
  33. Manage modules with r10k
      $ docker run -v /etc:/etc \
        -v /home/core/Puppetfile:/Puppetfile:ro \
        puppet/r10k puppetfile install --verbose \
        --moduledir /etc/puppetlabs/code/modules
  34. Puppet resource
      $ puppet resource service etcd
      service { 'etcd':
        ensure => 'stopped',
        enable => 'true',
      }
      $ puppet resource service etcd ensure=running
      $ sudo systemctl status etcd
      etcd.service - etcd
         Loaded: loaded (/usr/lib/systemd/system/etcd.service; static; disabled)
         Active: active (running) since Fri 2016-12-02 16:36:13 UTC; 5
  35. LIVE DEMOS
  36. Nice hack, now what? New things you can do
  37. Obviously you can manage your users, groups, services, ssh-keys, DNS, etc. using Puppet
  38. You can have a consistent user interface across your CoreOS and non-CoreOS hosts (In larger organisations this can make it easier to introduce a new OS like CoreOS too)
  39. No SSH
  40. Inventory with PuppetDB
  41. Puppet Query Language
      inventory { facts.os.name = "CoreOS" }
  42. Nodes not running latest
      nodes[certname] {
        facts.osfamily = "CoreOS" and
        !(facts.os.release = "1185.3.0")
      }
  43. More complex queries
      inventory {
        facts.osfamily = "CoreOS" and
        facts.datacentre = "Lon1" and
        resources {
          type = "Service" and
          title = "etcd" and
          parameters.ensure = "stopped"
        }
      }
  44. Visibility and dashboards
  45. Questions? And thanks for listening
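
The two `docker run` commands on slides 31 and 33 expose very different amounts of the host: the `puppet` alias is privileged with most of the host filesystem writable, the r10k run is not. The Python script below is an added example, not code from the talk; it parses each command line and lists that exposure, and the `SENSITIVE` path list and `VALUE_FLAGS` subset are assumptions made for the example.

```python
import shlex

# Host paths whose writable exposure amounts to control of the host
# (an assumed policy list for this example, not something from the talk).
SENSITIVE = ("/etc", "/usr", "/var", "/run/systemd", "/var/run/dbus")
# docker run options that consume the next argument (subset, assumed sufficient here).
VALUE_FLAGS = ("-e", "--env", "--name", "-u", "--user", "-w", "--workdir", "--network")

# The two commands shown in the talk, written on one line each.
PUPPET_ALIAS = ("docker run --rm --privileged -v /tmp:/tmp -v /etc:/etc "
                "-v /var:/var -v /usr:/usr -v /var/run/dbus:/var/run/dbus "
                "-v /run/systemd:/run/systemd garethr/puppet-agent-coreos")
R10K_RUN = ("docker run -v /etc:/etc -v /home/core/Puppetfile:/Puppetfile:ro "
            "puppet/r10k puppetfile install --verbose "
            "--moduledir /etc/puppetlabs/code/modules")

def audit_docker_run(command):
    """Summarise what a `docker run` command line exposes on the host."""
    report = {"image": None, "privileged": False, "mounts": [], "findings": []}
    args = iter(shlex.split(command))
    for arg in args:                      # skip ahead to the `run` subcommand
        if arg == "run":
            break
    for arg in args:
        name, _, value = arg.partition("=")
        if name == "--privileged":
            report["privileged"] = value != "false"
        elif name in ("-v", "--volume"):
            parts = (value or next(args, "")).split(":")
            if len(parts) >= 2 and parts[0].startswith("/"):   # host bind mount
                options = parts[2].split(",") if len(parts) > 2 else []
                report["mounts"].append((parts[0], parts[1], "ro" not in options))
        elif name in VALUE_FLAGS and not value:
            next(args, None)              # drop the option's separate value
        elif not arg.startswith("-"):
            report["image"] = arg         # first positional argument is the image
            break
    if report["privileged"]:
        report["findings"].append("--privileged: all capabilities and host devices")
    for src, _dst, writable in report["mounts"]:
        if writable and any(src == p or src.startswith(p + "/") for p in SENSITIVE):
            report["findings"].append(f"host {src} is writable from the container")
    return report

if __name__ == "__main__":
    for cmd in (PUPPET_ALIAS, R10K_RUN):
        result = audit_docker_run(cmd)
        print(result["image"], *result["findings"], sep="\n  ")
```

The same function can be pointed at any wrapper alias or systemd unit `ExecStart` line that launches a management container, to keep track of which ones hold host-level access.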