Managing CoreOS with Puppet

Transcript

1. (without introducing more risk) Managing CoreOS with Puppet Puppet Gareth

   Rushgrove What? Why? How?

2. (without introducing more risk) @garethr

3. (without introducing more risk) Gareth Rushgrove

4. (without introducing more risk) What we’ll cover This talk

5. - What is configuration management? - CoreOS and Config management?

   - Running Puppet on CoreOS - Useful super powers Gareth Rushgrove

6. I’m assuming some knowledge of CoreOS and of Puppet (or

   similar tools) Gareth Rushgrove

7. (without introducing more risk) LIVE DEMOS

8. (without introducing more risk) Useful background What is Configuration Management?

9. - 1950s research - 1960s 480 series - 1991 MIL-HDBK-61

   - 1998 ANSI-EIA-649 Gareth Rushgrove

10. - Identification - Control - Status accounting - Verification and

    audit Gareth Rushgrove Military Handbook Configuration Management Guidance MIL-HDBK-61B

11. Configuration management verifies that a system is identified and documented

    in sufficient detail Gareth Rushgrove National Consensus Standard for Configuration Management EIA-649

12. Configuration management verifies that a system performs as intended Gareth

    Rushgrove National Consensus Standard for Configuration Management EIA-649

13. (without introducing more risk) The why But CoreOS and Config

    Management?

14. Fleet unit files tend toward chaos Gareth Rushgrove Gabriel Monroy,

    CTO, Dies and CoreOS contributor “ ”

15. Don't use cloud init for configuration management Gareth Rushgrove Gabriel

    Monroy, CTO, Dies and CoreOS contributor “ ”

16. (without introducing more risk) 900 line user data script!

17. (without introducing more risk) With embedded YAML

18. (without introducing more risk) and systemd unit files

19. (without introducing more risk) jumanjihouse/puppet-on-coreos

20. Cloud-init is fine for bootstrapping CoreOS, but sometimes you want

    to consolidate inventory data for all your hosts Gareth Rushgrove Paul Morgan, Architect, NYSE “ ”

21. (without introducing more risk) École Polytechnique Fédérale de Lausanne

22. Continuous (re)configuration: add or modify services without reinstalling or rebooting

    Gareth Rushgrove École Polytechnique Fédérale de Lausanne “ ”

23. Specialized configuration of individual nodes when you really do need

    it. eg. gateway node with the physical Ethernet connection to the outside world Gareth Rushgrove École Polytechnique Fédérale de Lausanne “ ”

24. (without introducing more risk) @billcloud_me

25. (without introducing more risk) @GarciaXuxo

26. (without introducing more risk) When everything is a container How

    to run Puppet

27. (without introducing more risk) Container-centric infrastrucure

28. (without introducing more risk) Available on Docker Store

29. (without introducing more risk) Talk driven development

30. (without introducing more risk) Gareth Rushgrove Puppet in containers $

    docker pull garethr/puppet-agent-coreos $ docker pull garethr/facter-coreos $ docker pull puppet/r10k

31. (without introducing more risk) Gareth Rushgrove Helpful aliases alias puppet="docker

    run --rm --privileged \ -v /tmp:/tmp -v /etc:/etc \ -v /var:/var -v /usr:/usr \ -v /var/run/dbus:/var/run/dbus \ -v /run/systemd:/run/system \ garethr/puppet-agent-coreos"

32. (without introducing more risk) Gareth Rushgrove Facter $ facter os

    { architecture => "x86_64", family => "CoreOS", hardware => "x86_64", name => "CoreOS", release => { full => "1185.3.0", major => "1185", minor => "3" }, selinux => {

33. (without introducing more risk) Gareth Rushgrove Manage modules with r10k

    $ docker run -v /etc:/etc \ -v /home/core/Puppetfile:/Puppetfile:ro \ puppet/r10k puppetfile install --verbose \ --moduledir /etc/puppetlabs/code/modules

34. (without introducing more risk) Gareth Rushgrove Puppet resource $ puppet

    resource service etcd service { 'etcd': ensure => 'stopped', enable => 'true', } $ puppet resource service etcd ensure=running $ sudo systemctl status etcd etcd.service - etcd Loaded: loaded (/usr/lib/systemd/system/etcd.service; static; disabled) Active: active (running) since Fri 2016-12-02 16:36:13 UTC; 5

35. (without introducing more risk) LIVE DEMOS

36. (without introducing more risk) Nice hack, now what? New things

    you can do

37. Obviously you can manage your users, groups, services, ssh-keys, DNS,

    etc. using Puppet Gareth Rushgrove

38. You can have a consistent user interface across your CoreOS

    and non-CoreOS hosts Gareth Rushgrove (In larger organisations this can make it easier to introduce a new OS like CoreOS too)

39. (without introducing more risk) No SSH

40. (without introducing more risk) Inventory with PuppetDB

41. (without introducing more risk) Gareth Rushgrove Puppet Query Language inventory

    { facts.os.name = "CoreOS" }

42. (without introducing more risk) Gareth Rushgrove Nodes not running latest

    nodes[certname] { facts.osfamily = "CoreOS" and !(facts.os.release = "1185.3.0") }

43. (without introducing more risk) Gareth Rushgrove More complex queries inventory

    { facts.osfamily = "CoreOS" and facts.datacentre = "Lon1" and resources { type = "Service" and title = "etcd" and parameters.ensure = "stopped" } }

44. (without introducing more risk) Visibility and dashboards

45. (without introducing more risk) Questions? And thanks for listening