DebConf10/PuppetBOF
debconf 10 puppet BOF
apt-get install gobby-0.5 server: gobby.debian.net
- Introductions - Who are you and what computing environment are you using puppet for?
* Geoff Crompton. Using puppet at Trinity College, Melbourne for only about 6 servers. Our approach is to retire old non-puppet servers, so our numbers will grow as we go
* Keith OBrien - mail servers
* Brian Gupta - 150+ VMs, for most services
* Russ Allbery, using Puppet at Stanford University for managing all central IT Services UNIX servers. Debian and Red Hat Enterprise, and some amount of Ubuntu. 600 machines
* Faidon Liambotis (paravoid), using Puppet at the Greek Research and Technology Network for managing all servers (around 200 hundred)
* Michael Schultheiss - not yet using Puppet at Indiana University but interested in doing so
* Rohit Kumar Mehta - University of Connecticut - using SSH + shell and interested in using Puppet
* Justin Azoff - University At Albany - using Puppet for deploying various services and standard configuration files. Also, puppet manifests make better documentation than out-of-date wiki articles.
* Debian System Administrators (DSA) use puppet for Debian servers (~120 machines). puppet.git (modules/facts) is public on http://git.debian.org/?p=mirror/dsa-puppet.git;a=summary, with modules for exim, syslog, ferm, apache, ...
* Ahmad Khayyat, Queen's University. Lab-local cluster (~10 machines). Mixture of servers and desktops. Fully automatic installation using FAI and Puppet:
* Joerg Jaspert - Work installation with a dozen machines
- What classes/modules/facts have you written to do things?
* LDAP, NFS, automount, grub, gdm, apt, backup (rdiff-backup), munin, exim/null-mailer, zabbix, custom 3rd-party software installers
* We manage Debian build chroots and FAI servers with Puppet and have definitions that will build a chroot for use with cowdancer for an arbitrary distribution.
* A bacula class defining our clients, letting them create config snippets for the director, who then realizes them and knows what to back up. Also, depending on a fact, setting it up encrypted/not (PCI DSS relevance, credit card shit)
* Various (ferm, apt, mysql, postgres database setup, apache setup for vhosts, the usual stuff)
* munin, Nagios, Bacula, ferm, exim; also facts for various things, including apt updates
* Main thing puppet helps with is inter-service configuration - deploying a network service also configures iptables, munin, syslog monitoring.
- What other classes/modules/facts have you found that you recommend?
* concat http://github.com/ripienaar/puppet-concat.git
* http://git.black.co.at/
- How are you running puppet? What things are you using with puppet that are cool?
* We use Puppet to generate and gather information for CMDB via stored configs and have a proof-of-concept CMDBf implementation built on top of the stored configs database.
* We have some custom reports that tell us things like whether systems have stopped checking in (although there may be better things for this in Puppet directly now -- we're still on 0.24).
* We have an internal web application (in Python/Django) that provides an overview of machines, a hardware inventory (with service tags, MAC addresses, FC WWPN etc.) and a custom fact query builder.
Ideas
Should we start packaging puppet modules into Debian?
* yes
* do we want to work on policy about what modules are good enough to package?
* might be hard to package something like a generic ssh module, but including modules for Debian-specific things should be straightforward enough. Things like managing apt sources.list.d
* We have a module to manage Apache configuration for Debian that understands things like sites-available and modules-available and can activate and deactivate sites and modules -- need to put it somewhere useful for others.
* there is going to be a lot of competition to be the one true apache module; there are already quite a few of them
* might be better for us to just collaborate on one that already exists then and incorporate the stuff that we have into it.
* some people likely deploy apache using puppet across different operating systems, so they may not even want to use the Debian configuration approach
* One of the mismatches we have with some of the collective module work is that people are focusing on making it work across OSes, where what we care about is making it work *really* well on Debian with all the tools Debian has available (sites-available, ca-certificates, etc.)
* I would posit that one of the policy items would be that any Debian-specific parts of the manifest should be within a case $operatingsystem = 'debian' statement, so that other people are not scared away from using the modules that we have blessed to officialdom
* puppet in debian is managed by an alioth group, and more help is welcome
Questions
Does puppet have integration for git or some other type of configuration versioning? (client crashed)
* On the server side the puppet repository is a directory of text files that can be stored in a VCS. I believe some users have branches for devel and production and merge modules after testing - dsa uses production/staging environment
How to make puppet faster? Slow machines take AGES to go through one run, so every 30 minutes isn't possible, sometimes it's up to 2/4 hour schedules.
-> might be worth trying Rubinius (http://rubini.us/), some benchmarks say it's faster than classic Ruby
* but it is not packaged for Debian, so basically does not exist
* (package it)
* thanks for volunteering, please go ahead :) :)
* (do it, and I promise it passes NEW fast :) )
Also, puppetmaster does like to eat postgres connections when using the stored config foo. Has anyone seen that with mysql? Or know this? (need to dig through it for this bug, but well, it's annoying. cron restart of it helps, but is far from a nice solution)
Does anyone use Config::Model or augeas with puppet?
* I try to use augeas whenever it's applicable. Advantage: I don't have to overwrite the whole configuration file, just force a value for a given configuration option
* I use augeas for some of the configurations in our puppet setup
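The augeas advantage described above, combined with the "Debian-specific parts inside a case on the operating system" idea from the Ideas section, as an added example that is not from the BOF notes or any participant's repository. The class name, the sysctl key and the /etc/sysctl.conf path are assumptions chosen for illustration.

```puppet
# Added example; class name, sysctl key and paths are assumptions, not from the notes.
class example_sysctl_hardening {
  # Keep the Debian-specific part inside a case on the OS fact, as suggested
  # under "Ideas". $facts['os']['name'] is the current spelling of the
  # $operatingsystem fact used in the notes.
  case $facts['os']['name'] {
    'Debian': {
      # Whole-file approach, shown commented out for contrast: every other
      # line in the file is replaced too, so local edits are lost.
      # file { '/etc/sysctl.conf':
      #   source => 'puppet:///modules/example_sysctl_hardening/sysctl.conf',
      # }

      # Augeas approach: force one key, leave everything else untouched.
      augeas { 'sysctl_no_icmp_redirects':
        incl    => '/etc/sysctl.conf',
        lens    => 'Sysctl.lns',
        context => '/files/etc/sysctl.conf',
        changes => 'set net.ipv4.conf.all.accept_redirects 0',
        notify  => Exec['reload_sysctl'],
      }

      # Apply the new value to the running kernel only when the file changed.
      exec { 'reload_sysctl':
        command     => 'sysctl -p /etc/sysctl.conf',
        path        => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
        refreshonly => true,
      }
    }
    default: {
      # Other operating systems are left alone instead of failing the run.
      notice("example_sysctl_hardening: nothing to do on ${facts['os']['name']}")
    }
  }
}
```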
What advantages does puppet have over other methods of achieving the same goals? aka why puppet?
* Puppet has an object-oriented style of configuration, which means that you can write a generic class to manage a style of server and then override for subclasses of that server or for specific systems and use that approach to manage complexity and share configuration.
* Facter integration is nice in configuration templates: you can configure services differently based on how much RAM or how many CPUs the server it is being deployed on has.
How are others doing staging environments with puppet?
* Stanford are linking git branches to puppet environments somehow. Clients get a git branch, development goes to their own branches, customers can have changes as they need them, but they also do a regular release of the trunk
Common module resources
Riseup Networks' module git repos https://labs.riseup.net/code/projects/puppetmodules
apt, backupninja, common, lsb, monit, munin, mysql, nagios, passenger, rbldnsd, runlevel, shorewall, sshd, stunnel, sysctl, virtual, wordpress
Project to share puppet modules
https://labs.riseup.net/code/projects/sharedpuppetmodules
Apache, Common, Cron, Mod_security, Munin, Mysql, Nagios, Passenger, Puppet, Rails, Shorewall, Sshd, User, Webhosting