puppet for production in webex - puppetconf 2013
DESCRIPTION
"Puppet for Production in WebEx" by Reinhardt Quelle, Cloud Services Architect, Cisco.
Presentation Overview: Getting started with Puppet configuring an individual machine is straightforward. Managing a cluster of machines across multiple data centers, supporting upgrades while running a 7x24 service, and building for collaboration is significantly more challenging. The WebEx team will discuss the problems and some strategies they are using to manage this complexity.
Speaker Bio: Reinhardt Quelle is a Cloud Services Architect in the Cloud Collaboration Applications group at Cisco, where he’s responsible for defining infrastructure architecture and deployment automation. His group manages thousands of servers across multiple data centers around the world serving multiple applications, including WebEx conferencing, to tens of millions of users. In prior roles, he’s worked extensively in SaaS operations, delivering diverse applications from email security through social media applications.
TRANSCRIPT
Cisco Confidential© 2011 Cisco and/or its affiliates. All rights reserved. 1
Puppet at Cisco CCATG
Aug 23, 2013
Reinhardt Quelle, Cloud Services Architect
CCATG Cloud Services Hosts and Manages SaaS Applications
Millions of Meetings
for
10s of Millions of Users
totaling
Billions of Minutes
each month
7x24x365
Cisco Social
WebEx
Connect
Global Footprint
US, UK, India, Australia, China, Hong Kong, Amsterdam, Japan
~ 7K Hosts
~ 8 Data Centers
> 12 iPOPs
Private Backbone
Deployment Automation: Keeping these screens green while evolving the service
Systems (or services) may look complicated
…but they are made of simple parts
…composed into modules
…and assembled into a system
Our systems are similar: Puppet manages “Resources”
• Files
• Packages
• Users
• Services
• …etc.
Which are composed into systems
• Manifests: nodes.pp, site.pp
• Classes, Modules
So what’s missing?
TIME
Software versions, and often configuration versions, evolve as time passes:
Earlier: BaseOS_Hardening v1.1, ElasticSearch v0.20.6, JRE v1.7.0_25
Later:   BaseOS_Hardening v1.1, ElasticSearch v0.90.2-1, JRE v1.7.0_25
• Some systems can simply be knocked over the head and recreated with fresh versions
• Others – notably most database servers – cannot; updates are performed in-place
• “Big Bang” upgrades don’t often happen; we step methodically through groups of machines
In other words, SEQUENCE
We never run one of anything
(diagram: DC1 and DC2)
Multiple DC Pairs
Multiple Clusters of each Service type
• By Customer Class
• By Lifecycle Stage
• By Special Needs
We must manage versions across these clusters, through time
By DC
Or by Node
(diagram: clusters running v1 and v2 spread across DC1 and DC2)
Cluster management includes a layer of definition and control above Puppet
“Blueprints” or “Models”
• JSON/YAML
• TOSCA
• CMDB *
Orchestration
• Fabric
• SLiM
• Mcollective
One Puppet Master?
(diagram: a single Puppet Master holding the Manifests & Modules, serving both DC1 and DC2)
Guess when you’ll need to push infrastructure changes the most!
So, maybe one per DC?
(diagram: one Puppet Master with its own copy of the Manifests & Modules in each of DC1 and DC2)
Perhaps Many…
(diagram: separate masters for WebEx Meetings and WebEx Connect)
Or, how about masterless?
puppet apply \
  --modulepath=/opt/puppet_local \
  --execute 'include servertype::front-end'
Manifests & Modules: copy [/etc/puppet/*] to each node
Our OS’s have robust packaging systems…
Manifests & Modules → .rpm or .deb → private package repository
yum install app_pp_v1 && puppet apply …
Orchestration tools provide a means of applying the changes
ssh node81 'yum install app_pp_v1 && puppet apply …'
fab dfw-frontends pp_apply:latest
Fabric, Mcollective, Salt, Ansible
Cisco/WebEx uses multiple solutions
• Application Stacks/Deployment are NOT Homogenous
• The “right” solution for one stack not always right for another
• Share as much as possible, but don’t force it
• Tightly coupled systems are often rigid, brittle
• Solving big, general problems is hard; small bites are easily digested
“A foolish consistency is the hobgoblin of little minds” – Emerson
Whether one, many, or no servers, Puppet is CODE
• Every artifact (module, manifest, Hiera file) is checked into version control
• Versions are packaged and released and should go through same promotion process as application code
• All good coding practices apply: modular, well-defined interfaces, tested, shared
Design Pattern: ServerType/Profile/Module
• Modules are the atomic packages of configuration
• “Profiles” bundle modules into commonly used sets for ease of consumption:
  - BaseOS
  - JavaApp
  - Tomcat App
• A given machine has exactly one “ServerType”
• Inspired by Chef’s “roles”, and similar to Craig Dunn’s Role/Profile/Modules
• At the code level, these are actually all just modules
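The pattern above, and the earlier point about stepping versions through clusters by DC or by node, written out as an added example (this is illustrative code, not the WebEx team's manifests). All class names, package names, Hiera keys, the node regex and the version values are assumed; the versions are taken from the deck's ElasticSearch/JRE slide.

```puppet
# Added example, not code from the talk: one way to lay out
# ServerType -> Profile -> Module so that a cluster's versions are data,
# not code. Class names, package names, Hiera keys and the node pattern
# are assumed for illustration.

# --- Modules: the atomic packages of configuration ---------------------
class base_os_hardening {
  # stand-in for the deck's "BaseOS_Hardening" module (contents assumed)
  service { 'sshd':
    ensure => running,
    enable => true,
  }
}

class jre (
  # version is pinned per DC / per node in Hiera; the literal is the fallback
  $version = hiera('jre::version', '1.7.0_25')
) {
  package { 'java-1.7.0-openjdk':    # package name assumed
    ensure => $version,
  }
}

class elasticsearch (
  $version = hiera('elasticsearch::version', '0.20.6')
) {
  package { 'elasticsearch':
    ensure  => $version,
    require => Class['jre'],
  }
  service { 'elasticsearch':
    ensure    => running,
    enable    => true,
    subscribe => Package['elasticsearch'],   # restart on upgrade
  }
}

# --- Profiles: modules bundled into commonly used sets -------------------
class profile::base_os {
  include base_os_hardening
}

class profile::java_app {
  include profile::base_os
  include jre
  Class['profile::base_os'] -> Class['jre']
}

# --- ServerType: exactly one per machine; fixes structure and order ------
class servertype::search_node {
  include profile::java_app
  include elasticsearch
  Class['profile::java_app'] -> Class['elasticsearch']
}

# nodes.pp: a node is assigned one ServerType and nothing else
node /^es\d+\.dc1\.example\.internal$/ {
  include servertype::search_node
}
```

Because every version flows in through Hiera, upgrading ElasticSearch in one data center first is a data change in that DC's Hiera layer (for example setting `elasticsearch::version: '0.90.2-1'` there) while the other DC keeps `0.20.6` until its turn; a per-node Hiera layer gives the "by node" variant with the same manifests.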
Design Pattern: Cooperative Modules
• Build loosely coupled modules that can work together if installed together, but that can stand on their own, too
• Example: the standard monit config includes /etc/monit/conf.d/*; an application that wants to be monitored just drops a file in this location
• logrotate, collectd, apache, nginx, etc. all support this
class elasticsearch {
  # … (rest of the class elided on the slide)
  # Name of the dropped-in monit check file. The slide does not show where
  # this variable is set; the value here is assumed.
  $monit_config_file_name = 'elasticsearch.monitrc'

  # Only manage the check file when the monit module is in the catalog and
  # exposes its include directory; on a host without monit the class still works.
  if $monit::include_dir != undef {
    validate_absolute_path($monit::include_dir)
    file { "${monit::include_dir}/${monit_config_file_name}":
      ensure  => present,
      content => template("elasticsearch/${monit_config_file_name}.erb"),
      notify  => Service['monit'],
    }
  }
}
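The slide shows the consuming side of the pattern. As an added example (not the talk's code), here is the providing side, a `monit` module that publishes its include directory, together with a second consumer that works whether or not monit is on the box. The class names, paths and the nginx check text are assumed.

```puppet
# Added example, not code from the talk: the provider half of the
# cooperative-module pattern plus a second consumer. Paths, class names
# and the check text are assumed.

class monit (
  $include_dir = '/etc/monit/conf.d'    # published for other modules to read
) {
  validate_absolute_path($include_dir)  # puppetlabs-stdlib

  package { 'monit': ensure => installed }

  # The main control file carries only the daemon settings and an include
  # directive; every application-specific check lives in $include_dir.
  # monit refuses to start if its control file is group- or world-accessible.
  file { '/etc/monit/monitrc':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => "set daemon 60\ninclude ${include_dir}/*\n",
    require => Package['monit'],
    notify  => Service['monit'],
  }

  # purge + recurse: a check left behind by a module that was removed from
  # the ServerType disappears on the next run instead of lingering.
  file { $include_dir:
    ensure  => directory,
    owner   => 'root',
    group   => 'root',
    mode    => '0750',
    purge   => true,
    recurse => true,
    require => Package['monit'],
  }

  service { 'monit':
    ensure  => running,
    enable  => true,
    require => File['/etc/monit/monitrc'],
  }
}

# A second consumer. It stands on its own; the monit check is added only
# when Class['monit'] has already been declared in the catalog.
class nginx {
  package { 'nginx': ensure => installed }

  service { 'nginx':
    ensure  => running,
    enable  => true,
    require => Package['nginx'],
  }

  if defined(Class['monit']) {
    file { "${monit::include_dir}/nginx":
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0640',
      content => "check process nginx with pidfile /var/run/nginx.pid
  start program = \"/sbin/service nginx start\"
  stop  program = \"/sbin/service nginx stop\"
",
      require => File[$monit::include_dir],
      notify  => Service['monit'],
    }
  }
}
```

Both `defined(Class['monit'])` and the slide's `$monit::include_dir != undef` test depend on parse order: monit has to be declared before the consumer is evaluated. That is exactly the job the deck gives the singleton ServerType, which fixes the structure and order in which profiles and modules are included.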
Design Pattern: Assembling Configuration
• The singleton ServerType defines which profiles and modules are included; structure and order
• Puppet Librarian and its Puppetfile describe which version of a module is used, and where it comes from
• After Puppet Librarian has run and downloaded all required assets, FPM is called upon to build the package
• Dev cycle includes doing local builds/tests against Vagrant on both developers’ personal machines and the Jenkins build farm
• Upon successful build, packages are uploaded to repositories
Miscellaneous Tidbits
• Dependencies in Puppet, not RPM/DEB
• Packaging works for deploying to Puppetmasters, too.
• Modules are designed for transparency, simplicity: “4AM-proofing”
• Composition usually trumps inheritance
• Tim Bell and the CERN folks talk of “Pets” and “Cattle”: you can only shoot a system in the head if you can create another at will
• “Fried” or “Baked”? YES.
Thank you
Please tell your friends we’re hiring DevOps Engineers!