puppet camp europe 2011 hackability

Wireless

• Any “BvB Hotspot...” network

• New browser page

• User: bvbhotspotPassword: berlag33

Friday, May 13, 2011

pulabs

ppet


Making Puppet More Hackable

Luke [email protected]


mailto:[email protected]

mailto:[email protected]

QuestionAuthority


Puppet Labs


Puppet Labs•40 employees


Puppet Labs•40 employees•Fantastic investors and board members


Puppet Labs•40 employees•Fantastic investors and board members

•I’m still CEO


Puppet 2.7


Apache License


FacesFriday, May 13, 2011

StaticCompiler


CertificateAPI


DeterministicOrdering

For otherwise unrelated resources


EnhancedGraph

ManagementFriday, May 13, 2011

Puppet Enterprise


Always based on full releases


Looking for Partners


PE 1.1 - 5/11

•MCollective•RHEL 4/5/6, SLES, Solaris


PE 1.2 - 6/11

•Discovery•Provisioning


Q3•Full Windows support•2.7 base•Change Lifecycle Management


Faces, Hackability, and Marketing


Puppet is different, but not in

straightforward ways


AwkwardFriday, May 13, 2011

I wanted to tell The Story of Why


A bit of history: Cfengine


I had no control•Stuck with whatever application logic it shipped with

•Core components were mandatory


Do Not Question•Why is this file here?•What requires this package?•What will happen if I change this file?

•Do these classes conflict?


Not Extensible


“Puppet is Different”


Easily extensible, everywhere

A quick count shows 10 kinds of extensibility


The Puppet world•Facts•Resources•Catalogs•Edges•Events


Questions can be asked of every artifact

• Is this file being managed?• What happens if I restart this service?• Who requires this package?• Did my service restart?• Were there any failures?


Data > Code•Caching•Validation•Implementation Independence•Integration


The Graph Matters

"Exec[createrepo-PM-RHEL5-noarch]"

"Yumrepo[PM-RHEL5-x86_64]"

"Yumrepo[PM-RHEL5-noarch]"

"Package[postgresql-server]"

"Package[thttpd]"

"File[/var/www/thttpd/html/yum-PM-RHEL5-noarch]""File[/var/www/thttpd/html/yum-PM-RHEL5-x86_64]"

"Exec[rsync-rpmdir-PM-RHEL5-x86_64]"

"Exec[createrepo-PM-RHEL5-x86_64]"

"Postgres::Role[puppet]"

"Exec[rsync-rpmdir-PM-RHEL5-noarch]"


An Aside: The Competition


AFAIK, Puppet is the only tool that provides:

• A complete list of every resource managed in your entire infrastructure

• A complete list of every dependency in your entire infrastructure

• A complete list of every single change that’s ever happened in your entire infrastructure

• With full run simulation and inspection

...all in a queryable, storable, cacheable way


Progress?Cfengine

Puppet•Declarative•Only data on clients, no code•Explicit dependencies

Chef

•Imperative•Code runs on client•Implicit dependencies

•Declarative•Code runs on client•Implicit dependencies


How do we talk about this? Market this?


“Puppet is Model-Driven”


Compile Apply

Code

Catalog

Report

Procedural


Code Catalog ReportCompile Apply

Model-driven

It’s the artifacts that matter


Code Catalog ReportCompile Apply

Policy Complian RemedyCMDB

LDAP CMDB Nagios


No one knows what ‘model driven’

means


“Puppet is hackable”

Props to Nick Fagerland


But it wasn’t really true


You could *program* it, but not hack it like

a sysadmin would


Really: Encapsulated, modular and data-

driven


Unfortunately the applications hard-code

our logic•Download plugins•Upload Facts•Download Catalog•Apply Catalog•Send Report


Other application world-views exist

• Only update catalogs during maintenance windows

• Push catalog updates• Send fact updates 10x as often as puppet runs• Combine multiple catalogs on the client side

and run them together• Compile catalogs for hundreds of hosts and

compare them• Manually view catalog diffs before deploying


It doesn’t make sense to extend the core apps

with this logic


And doing it yourself is too hard with current

tools


So we should expose everything and let you build what you want


Functions•Compiler•Transactions•Network•Indirector•Parser•RAL


Data•Facts•Catalog•Reports•Resource Types (AST and RAL)•Nodes•Certificates


Interfaces


Puppet Faces


A framework for exposing, combining,

and extending core Puppet functions and

data types


A collection of Faces that does this in Ruby

and on the CLI


Good: It directly exposes Puppet internals in a

hackable way


Bad: It directly exposes Puppet internals


Examples• puppet catalog find <host>• puppet facts upload• puppet certificate sign <host>• puppet file find <sum>


Easily extensible• puppet config info <name>• puppet catalog select <host> <type>• puppet file diff <sum> <sum>• puppet node clean <name>• puppet catalog diff <host> <host>


What we’re working on


Team and Community


Flattening the on-ramp


Ad-hocTooling


Cross-NodeApplications


Databases


ChangeLifecycle


Questions?


puppet camp europe 2011 hackability

Technology

puppet labsfriday

puppet facesfriday

puppet enterprisefriday

puppet ismodeldrivenfriday

puppet ishackable props

declarative code

catalog diffs

rhel5noarch execrsyncrpmdir