Managed Puppet Servers

Talk given at the Zürich Puppet Meetup in November 2015.

Julian Meier

November 10, 2015

Transcript

  1. Idea & Goals
     • a small team (working in Luzern)
     • simple goal: automate tasks and help others within the company to do so
       (legacy, non-cloud services)
  2. Puppet
     • every team wants to start with Puppet…
     • every team has different requirements…
     • several layers of responsibilities:
       • OS-Team —> root ;-)
       • Application Team —> sudo (list of commands)
  3. ENC - External Node Classifier
     Simple solution with YAML and Hiera (https://github.com/Zetten/puppet-hiera-enc)
     puppet.conf:
         [master]
         node_terminus = exec
         external_nodes = /etc/puppetlabs/code/enc/enclassifier
     • git checkout —> Puppet Module: vcsrepo
     • script returns simple YAML
     • protects environment
     • future: use any other system…
  4. Hieradata I
     hiera.yaml:
         ---
         :backends:
           - yaml
           - eyaml
         …
         :yaml:
           :datadir: /etc/puppetlabs/code/environments/%{environment}/hieradata
         …
         :eyaml:
           :datadir: /etc/puppetlabs/code/environments/%{environment}/hieradata
           :extension: eyaml
           :pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
           :pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
  5. Hieradata II
     hiera.yaml:
         ---
         …
         :hierarchy:
           - secure/nodes/%{::clientcert}
           - secure/services/%{::service}/%{::stack}/%{::role}
           - secure/services/%{::service}/%{::stack}
           - secure/services/%{::service}/%{::role}
           - nodes/%{::clientcert}
           - services/%{::service}/%{::stack}/%{::role}
           - services/%{::service}/%{::stack}
           - services/%{::service}/%{::role}
           - services/%{::service}
           - locations/%{::location}
           - common
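As an added example (not code from the deck, nor from the Zetten/puppet-hiera-enc module), a minimal exec-style ENC in Ruby for the setup on slide 3: Puppet calls it with the agent's certname, the script pins the environment server-side and returns the role, service, stack and location parameters that the `%{::service}`/`%{::stack}`/`%{::role}`/`%{::location}` entries of the hierarchy on slide 5 interpolate as top-scope variables. The node table, hostnames and the `luzern` location are constructed for the example.

```ruby
# Exec-style ENC: Puppet runs `/etc/puppetlabs/code/enc/enclassifier <certname>`
# and reads a YAML document with environment, classes and parameters from stdout.
require 'yaml'

# Constructed node data standing in for the git-checked-out YAML tree on the slide.
NODE_DATA = YAML.safe_load(<<~'YAML')
  defaults:
    environment: production
    parameters:
      location: luzern
  nodes:
    repo01.example.com:
      environment: production
      role: repository_server
      service: repo
      stack: prod
    web01.example.com:
      environment: testing
      role: webserver
      service: shop
      stack: test
YAML

# Classification for one certname. The environment is taken from this data,
# never from what the agent asks for, so a node cannot choose its own
# environment ("protects environment"). Unknown nodes yield nil, so the
# script refuses them instead of guessing a role.
def classify(certname, data = NODE_DATA)
  node = data['nodes'][certname]
  return nil if node.nil?
  params = (data['defaults']['parameters'] || {}).merge(
    'role' => node['role'], 'service' => node['service'], 'stack' => node['stack']
  )
  {
    'environment' => node['environment'] || data['defaults']['environment'],
    'classes'     => {},    # site.pp does hiera_include($role); classes come from Hiera
    'parameters'  => params # become top-scope $role, $service, $stack, $location
  }
end

# YAML document as Puppet expects it, or nil for an unknown node.
def enc_yaml(certname, data = NODE_DATA)
  result = classify(certname, data)
  result && result.to_yaml
end

if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  out = enc_yaml(ARGV[0])
  abort("enclassifier: unknown node #{ARGV[0]}") if out.nil?
  puts out
end
```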
  6. Roles & Profiles
     How we do it…
     —> Roles are defined in Hiera
     —> Profiles are Puppet Modules (shared / service specific)
     —> Forge / Internal Modules
     site.pp:
         hiera_include('default_classes', [])
         hiera_include($role, [])
     role_repository_server.yaml:

  7. Forge Module: ospuppet
     https://forge.puppetlabs.com/juame/ospuppet
     —> Manage Puppet Agent
     —> Manage Puppet Server
     —> Manage Puppet Master Configs
     Dependencies:
     - puppetlabs/inifile
     - puppetlabs/hocon
  8. ospuppet
         class { '::ospuppet::server':
           package_version                     => '2.1.1-1.el7',
           service_running                     => true,
           service_enabled                     => true,
           init_settings_java_xms              => '2g',
           init_settings_java_xmx              => '2g',
           init_settings_java_maxpermsize      => '256m',
           init_settings_custom_settings       => {},
           init_settings_custom_subsettings    => {},
           puppetserver_max_active_instances   => undef,
           puppetserver_admin_client_whitelist => [ $::fqdn ],
           puppetserver_custom_settings        => {},
           webserver_client_auth               => 'want',
           webserver_ssl_host                  => '0.0.0.0',
           webserver_ssl_port                  => '8140',
           webserver_custom_settings           => {},
         }

         class { '::ospuppet::master':
           custom_settings => {
             'node_terminus' => {
               'ensure'  => 'present',
               'setting' => 'node_terminus',
               'value'   => 'exec',
             },
           },
           hiera_eyaml_package_version => '2.0.8',
           hiera_backends              => [ 'yaml', 'eyaml' ],
           hiera_hierarchy             => [
             'secure/nodes/%{::clientcert}',
             ...
             'common',
           ],
           hiera_yaml_datadir          => …,
         }