Slide 1

Managing CoreOS with Puppet
(without introducing more risk)
Gareth Rushgrove, Puppet
What? Why? How?

Slide 2

@garethr

Slide 3

Gareth Rushgrove

Slide 4

This talk: what we’ll cover

Slide 5

- What is configuration management?
- CoreOS and configuration management?
- Running Puppet on CoreOS
- Useful super powers

Slide 6

I’m assuming some knowledge of CoreOS and of Puppet (or similar tools).

Slide 7

LIVE DEMOS

Slide 8

Useful background: what is configuration management?

Slide 9

- 1950s: research
- 1960s: 480 series
- 1991: MIL-HDBK-61
- 1998: ANSI-EIA-649

Slide 10

- Identification
- Control
- Status accounting
- Verification and audit

Source: Military Handbook, Configuration Management Guidance, MIL-HDBK-61B

Slide 11

“Configuration management verifies that a system is identified and documented in sufficient detail”
National Consensus Standard for Configuration Management, EIA-649

Slide 12

“Configuration management verifies that a system performs as intended”
National Consensus Standard for Configuration Management, EIA-649

Slide 13

The why: but CoreOS and configuration management?

Slide 14

“Fleet unit files tend toward chaos”
Gabriel Monroy, CTO, Deis and CoreOS contributor

Slide 15

“Don’t use cloud-init for configuration management”
Gabriel Monroy, CTO, Deis and CoreOS contributor

Slide 16

900-line user-data script!

Slide 17

With embedded YAML

Slide 18

and systemd unit files

Slide 19

jumanjihouse/puppet-on-coreos

Slide 20

“Cloud-init is fine for bootstrapping CoreOS, but sometimes you want to consolidate inventory data for all your hosts”
Paul Morgan, Architect, NYSE

Slide 21

École Polytechnique Fédérale de Lausanne

Slide 22

“Continuous (re)configuration: add or modify services without reinstalling or rebooting”
École Polytechnique Fédérale de Lausanne

Slide 23

“Specialized configuration of individual nodes when you really do need it, e.g. a gateway node with the physical Ethernet connection to the outside world”
École Polytechnique Fédérale de Lausanne

Slide 24

@billcloud_me

Slide 25

@GarciaXuxo

Slide 26

How to run Puppet when everything is a container

Slide 27

Container-centric infrastructure

Slide 28

Available on Docker Store

Slide 29

Talk-driven development

Slide 30

Puppet in containers

    $ docker pull garethr/puppet-agent-coreos
    $ docker pull garethr/facter-coreos
    $ docker pull puppet/r10k

Slide 31

Helpful aliases

    # The agent needs the host's filesystem and the systemd/D-Bus sockets
    # bind-mounted so it can manage services on the CoreOS host.
    alias puppet="docker run --rm --privileged \
      -v /tmp:/tmp -v /etc:/etc \
      -v /var:/var -v /usr:/usr \
      -v /var/run/dbus:/var/run/dbus \
      -v /run/systemd:/run/systemd \
      garethr/puppet-agent-coreos"

Slide 32

Facter

    $ facter os
    {
      architecture => "x86_64",
      family => "CoreOS",
      hardware => "x86_64",
      name => "CoreOS",
      release => {
        full => "1185.3.0",
        major => "1185",
        minor => "3"
      },
      selinux => {

Slide 33

Manage modules with r10k

    $ docker run -v /etc:/etc \
      -v /home/core/Puppetfile:/Puppetfile:ro \
      puppet/r10k puppetfile install --verbose \
      --moduledir /etc/puppetlabs/code/modules

Slide 34

Puppet resource

    $ puppet resource service etcd
    service { 'etcd':
      ensure => 'stopped',
      enable => 'true',
    }
    $ puppet resource service etcd ensure=running
    $ sudo systemctl status etcd
    etcd.service - etcd
       Loaded: loaded (/usr/lib/systemd/system/etcd.service; static; disabled)
       Active: active (running) since Fri 2016-12-02 16:36:13 UTC; 5

Slide 35

LIVE DEMOS

Slide 36

Nice hack, now what? New things you can do

Slide 37

Obviously you can manage your users, groups, services, SSH keys, DNS, etc. using Puppet.

Slide 38

You can have a consistent user interface across your CoreOS and non-CoreOS hosts.
(In larger organisations this can make it easier to introduce a new OS like CoreOS too.)

Slide 39

No SSH

Slide 40

Inventory with PuppetDB

Slide 41

Puppet Query Language

    inventory { facts.os.name = "CoreOS" }

Slide 42

Nodes not running the latest release

    # os.release is a hash (see the facter output above), so compare its
    # "full" field rather than the hash itself.
    nodes[certname] {
      facts.osfamily = "CoreOS" and
      !(facts.os.release.full = "1185.3.0")
    }

Slide 43

More complex queries

    inventory {
      facts.osfamily = "CoreOS" and
      facts.datacentre = "Lon1" and
      resources {
        type = "Service" and
        title = "etcd" and
        parameters.ensure = "stopped"
      }
    }
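The three queries above are inventory checks against facts and catalogue resources held in PuppetDB. As an added example (not from the talk, and not PuppetDB's own API), the same checks in Python over a constructed record set that follows the fact layout facter shows on CoreOS; the hostnames, datacentre values and the Debian host are made up.

```python
# Added example (not from the talk): the checks behind the three PQL queries,
# run over a constructed PuppetDB-style inventory that follows the fact
# layout facter reports on CoreOS (os.name, os.family, os.release.full).

def node(certname, dc, family, release, etcd):
    """Build one constructed inventory record in the shape PuppetDB returns."""
    return {"certname": certname,
            "facts": {"datacentre": dc,
                      "os": {"name": family, "family": family, "release": {"full": release}}},
            "resources": [{"type": "Service", "title": "etcd", "parameters": {"ensure": etcd}}]}

# Constructed sample data: hostnames, datacentres and the Debian host are made up.
INVENTORY = [
    node("core-01.lon1", "Lon1", "CoreOS", "1185.3.0", "running"),
    node("core-02.lon1", "Lon1", "CoreOS", "1122.2.0", "stopped"),
    node("core-03.ams1", "Ams1", "CoreOS", "1185.5.0", "running"),
    node("web-01.lon1", "Lon1", "Debian", "8.6", "stopped"),
]

def release_tuple(release):
    """Split "1185.3.0" into (1185, 3, 0) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in release.split("."))

def coreos_nodes(inventory):
    """Slide 41: inventory { facts.os.name = "CoreOS" }."""
    return [n for n in inventory if n["facts"]["os"]["name"] == "CoreOS"]

def not_on_release(inventory, latest):
    """Slide 42: CoreOS nodes whose os.release.full is not `latest`.

    PQL only says "not equal"; comparing numerically also tells you whether
    a node lags the expected release or has already moved past it.
    """
    want = release_tuple(latest)
    drift = {}
    for n in coreos_nodes(inventory):
        have = release_tuple(n["facts"]["os"]["release"]["full"])
        if have != want:
            drift[n["certname"]] = "older" if have < want else "newer"
    return drift

def stopped_service(inventory, datacentre, title):
    """Slide 43: CoreOS nodes in one datacentre whose Service[title] has ensure => stopped."""
    return sorted(n["certname"] for n in coreos_nodes(inventory)
                  if n["facts"]["datacentre"] == datacentre
                  and any(r["type"] == "Service" and r["title"] == title
                          and r["parameters"]["ensure"] == "stopped" for r in n["resources"]))
```

Note that the Debian host with a stopped etcd is excluded by the CoreOS filter, and that the release comparison is numeric so "1185.10.0" sorts after "1185.3.0".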

Slide 44

Visibility and dashboards

Slide 45

Questions? And thanks for listening