Page 1: Puppet without Root - PuppetConf 2013

Puppet Without Root

Spencer Krum

UTi Worldwide Inc.

Page 2: Puppet without Root - PuppetConf 2013

Books

Pro Puppet 2nd Ed.*

Beginning Puppet**

*With Jeff Mccune, James Turnbull, William Van Hevelingen, and Ben Kero

**With William Van Hevelingen, and Ben Kero

Page 3: Puppet without Root - PuppetConf 2013

Intro

UTi History

UTi Goals

DevOps Role

Limitations

Page 4: Puppet without Root - PuppetConf 2013

Intro (cont.)

Installing the Puppet client

Running the Puppet Client

Package, File, Service

Rootless Module

Page 5: Puppet without Root - PuppetConf 2013

Intro (cont.)

Installing Puppet Master as nonroot

Installing Apache as nonroot

Installing Passenger as nonroot

Upgrading Puppet as nonroot

Page 6: Puppet without Root - PuppetConf 2013

UTi History

Page 7: Puppet without Root - PuppetConf 2013

UTi Goals

Page 8: Puppet without Root - PuppetConf 2013

DevOps Role

Page 9: Puppet without Root - PuppetConf 2013

Limitations

No Root Access

Each devopser has a user

Sudo to the application user (appserv, webserv, swmgmt, tibco, fico)

Application user has limited sudo access

Page 10: Puppet without Root - PuppetConf 2013

Limitations (cont)

Limited homedir space

/opt/app LVM volume, big, but not massive (20G)

Oracle Enterprise 5, not often updated

Few development libraries

Page 11: Puppet without Root - PuppetConf 2013

Installing the Puppet client

Libyaml built from source, separate

Ruby built from source, separate

Puppet and facter from source, together

All installed using a --prefix

Page 12: Puppet without Root - PuppetConf 2013

Installing the Puppet client

Puppet config in:

/opt/app/tibco/opt/puppet/etc/puppet/conf/puppet.conf

Ruby/yaml located in

/opt/app/tibco/opt/{ruby,yaml}

Page 13: Puppet without Root - PuppetConf 2013

Installing the Puppet client

Drop the whole thing in via a tarball.

Massive sed -i on files.

Page 14: Puppet without Root - PuppetConf 2013

Installing the Puppet client

Each client is in an environment

Conflate UTi environments and puppet environments

Puppet vardir, libdir, ssldir all under opt

No control over dns so set server = machinename

Page 15: Puppet without Root - PuppetConf 2013

Running the Puppet Client

Source a bash file to set RUBYLIB, LD_LIBRARY_PATH

Run Puppet with --config argument to pick up the config file, forks to background

@reboot cron to fire it up if the machine bounces

Page 16: Puppet without Root - PuppetConf 2013

Multi User

Sometimes we want to run a service as the fico user and a separate service as the tibco user on the same machine

Page 17: Puppet without Root - PuppetConf 2013

Certname Abuse

Set certname = user-hostname in puppet.conf:

fico-devbuild1.go2uti.com

Two node definitions in site.pp now

Both users have puppet installed under

/opt/app/$USER/opt

Page 18: Puppet without Root - PuppetConf 2013

Package, File, Service

Page 19: Puppet without Root - PuppetConf 2013

Package

Two basic methods:

Wrap an untar command in a defined type

Recursive file resource (Puppet Package Manager)

Page 20: Puppet without Root - PuppetConf 2013

Package

We use both

Page 21: Puppet without Root - PuppetConf 2013

class uti_httpd::base {
  file { "${home_path}/httpd":
    ensure  => directory,
    owner   => $owner,
    group   => $group,
    source  => 'puppet:///modules/uti_httpd',
    recurse => remote,
  }
  ...
}

Page 22: Puppet without Root - PuppetConf 2013

exec { "create-jdk-install-${install_root}":
  command => "/bin/tar xvzf ${tarball_directory}/${jdk_name}",
  cwd     => $install_root,
  creates => "${install_root}/${jdk_create_dir}",
}

Page 23: Puppet without Root - PuppetConf 2013

File

File type works strangely when not running as root

$owner, $group problem

Implementation around 'write' access.

Page 24: Puppet without Root - PuppetConf 2013

File {
  owner => $owner,
  group => $group,
}

Page 25: Puppet without Root - PuppetConf 2013

file { $install_root:
  ensure => directory,
}

file { "${install_root}/keystore/":
  ensure  => directory,
  require => File[$install_root],
}

Page 26: Puppet without Root - PuppetConf 2013

Service

Possibly the best handled in a rootless environment

Can't use real init system.

Can use the binary, start, status, stop parameters to great effect

I want to look at the path

Page 27: Puppet without Root - PuppetConf 2013

service { 'icinga':
  ensure     => running,
  provider   => base,
  enable     => true,
  hasstatus  => true,
  hasrestart => true,
  start      => "${home_path}/icinga/init/icinga-init start",
  stop       => "${home_path}/icinga/init/icinga-init stop",
  restart    => "${home_path}/icinga/init/icinga-init restart",
  name       => 'icinga',
}

Page 28: Puppet without Root - PuppetConf 2013

Rootless Module

Page 29: Puppet without Root - PuppetConf 2013

Rootless Module

Module to provide types and facts to rootless persons

tarfile type

jdk type

facts for user, group, tempdir

new file type for rootless environments

Page 30: Puppet without Root - PuppetConf 2013

$tempname = regsubst($name, '/', '-', 'G')

file { "/var/tmp/${tempname}":
  ensure  => file,
  content => $content,
}

exec { "copy-in-${name}":
  command   => "cat /var/tmp/${tempname} > ${name}",
  subscribe => File["/var/tmp/${tempname}"],
  notify    => $notify,
}
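Both rootless patterns from the Package and Rootless Module slides, written as reusable defined types. This is an added example, not the talk's or the rootless module's own code: the untar exec becomes a defined type, and the copy-in type stages under a per-user temp directory instead of the shared /var/tmp, so the two-users-per-host setup from the Multi User slide cannot collide on a staging name. The names rootless::tarfile, rootless::file, $notify_resource and the fact $::rootless_tempdir are assumptions (the slides only say the module ships user, group and tempdir facts).

```puppet
# Added example (not the talk's or the rootless module's code). The names
# rootless::tarfile, rootless::file, $notify_resource and the fact
# $::rootless_tempdir are assumptions.

define rootless::tarfile (
  $tarball,        # absolute path of a .tar.gz already on the box
  $install_root,   # directory to extract into (managed elsewhere)
  $creates_dir,    # top-level directory the tarball unpacks to
) {
  # Same shape as the JDK exec on the slides, generalised: 'creates' gives
  # idempotence without a package database, so the untar runs only once.
  exec { "untar-${name}":
    command => "/bin/tar xzf ${tarball}",
    cwd     => $install_root,
    creates => "${install_root}/${creates_dir}",
    require => File[$install_root],
  }
}

define rootless::file (
  $content,
  $path            = $name,
  $notify_resource = undef,
) {
  # Stage under the user's own tempdir (assumed fact) rather than shared
  # /var/tmp: no cross-user name collisions, and the staged copy, which
  # may hold credentials or keystore config, is readable only by its owner.
  $tempname = regsubst($path, '/', '-', 'G')
  $staged   = "${::rootless_tempdir}/${tempname}"

  file { $staged:
    ensure  => file,
    content => $content,
    mode    => '0600',
  }

  # The final write goes through 'cat >' as the current user, sidestepping
  # the owner/group handling of the stock file type. 'unless' keeps the run
  # idempotent and recreates the target if it was removed out of band.
  exec { "copy-in-${path}":
    command  => "/bin/cat ${staged} > ${path}",
    provider => shell,
    unless   => "/usr/bin/cmp -s ${staged} ${path}",
    require  => File[$staged],
    notify   => $notify_resource,
  }
}
```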

Page 31: Puppet without Root - PuppetConf 2013

Puppet Module Rootless

GitHub GoGo!

https://github.com/UTIWorldwide/puppet-module-rootless

puppet module install utiworldwide/rootless

Page 32: Puppet without Root - PuppetConf 2013

Puppet Master as nonroot

3 Plabs Software

Puppet

Hiera

Facter

Page 33: Puppet without Root - PuppetConf 2013

Puppet Master as nonroot

Other Software

Apache

Passenger

Libyaml

Libapr

Page 34: Puppet without Root - PuppetConf 2013

Two generations

First Generation

Installed everything to /opt

Apache + libapr separate

Ruby, yaml separate

Puppet, facter, hiera conjoined

Page 35: Puppet without Root - PuppetConf 2013

Two generations

Problems with first gen

No central log location

No way to upgrade

Conf files awkwardly all over the place

Rack dir lived under puppet dir

Page 36: Puppet without Root - PuppetConf 2013

Two generations

New generation

Everything rooted under a $HOME/local

BSD Ports style

Hiera, puppet, facter running from source

'init' scripts for everything in local/etc

Logs all go to local/var

Page 37: Puppet without Root - PuppetConf 2013

Installation points

Use a bash function to expose the puppet command

puppet () {
  . "$FAKE_ROOT/bin/.ruby_setup.sh"
  "$FAKE_ROOT/opt/puppet/bin/puppet" "$@" --confdir="$FAKE_ROOT/etc/puppet"
}

Page 38: Puppet without Root - PuppetConf 2013

Installation points

Passenger 4 reads your .bashrc, check for a tty before getting fancy

if tty -s; then
  if env | grep TMOUT >/dev/null; then
    exec env -u TMOUT bash
  fi
fi

Page 39: Puppet without Root - PuppetConf 2013

Installation points

Set LD_LIBRARY_PATH and RUBYLIB at the last possible second, in the puppet function or in etc/init.d/httpd

Page 40: Puppet without Root - PuppetConf 2013

Installation points

Build passenger on an equivalent system and rsync it up; its dependencies are many, and installing libcurl and openssl from source is hard.

Page 41: Puppet without Root - PuppetConf 2013

Installation points

Try to keep your env as similar to a rooted environment as you can. Tell lies to tell the truth.

Page 42: Puppet without Root - PuppetConf 2013

Outro

Questions?

Spencer Krum

github.com/nibalizer

nibalizer on irc.freenode.net

Book from Apress

http://www.apress.com/9781430260400
