DebConf10/PuppetBOF


debconf 10 puppet BOF

apt-get install gobby-0.5 server: gobby.debian.net

  • Introductions - Who are you and what computing environment are you using puppet for?
* Geoff Crompton. Using puppet at Trinity College, Melbourne for only about 6 servers. Our approach is to retire old non puppet servers, so our numbers will grow as we go
* Keith OBrien - mail servers
* Brian Gupta - 150+ VMs, for most services
* Russ Allbery, using Puppet at Stanford University for managing all central
  IT Services UNIX servers.  Debian and Red Hat Enterprise, and some amount
  of Ubuntu. 600 machines
* Faidon Liambotis (paravoid), using Puppet at the Greek Research and Technology Network
  for managing all servers (around 200 hundred)
* Michael Schultheiss - not yet using Puppet at Indiana University but interested in doing so
* Rohit Kumar Mehta - University of Connecticut - using SSH + shell and interested in using Puppet
* Justin Azoff - University At Albany - using Puppet for deploying various services and standard configuration files.  also, puppet manifests make better documentation than out of date wiki articles.
* Debian System Administrators (DSA) use puppet for Debian servers
  (~120 machines)
  puppet.git (modules/facts) is public on http://git.debian.org/?p=mirror/dsa-puppet.git;a=summary
  modules for exim, syslog, ferm, apache, ...
* Ahmad Khayyat, Queen's University. Lab-local cluster (~10 machines). Mixture of servers and desktops. Fully automatic installation using FAI and Puppet:
* Joerg Jaspert - Work installation with a dozen machines
  • What classes/modules/facts have you written to do things?
* LDAP, NFS, automount, grub, gdm, apt, backup (rdiff-backup), munin, exim/null-mailer,
  zabbix, custom 3rd-party software installers
* We manage Debian build chroots and FAI servers with Puppet and have
  definitions that will build a chroot for use with cowdancer for an
  arbitrary distribution.
* A bacula class defining our clients, letting them create config snippets for the
  director who then realizes them and knows what to back up. Also depending on a
  fact setting it up encrypted/not (PCI DSS relevance, creditcard shit)
* Various (ferm, apt, mysql, postgres database setup, apache setup for vhosts, the usual stuff)
* munin, Nagios, Bacula, ferm, exim; also facts for various things,
  including apt updates
* Main thing puppet helps with is inter-service configuration - deploying a 
  network service also configures iptables, munin, syslog monitoring.
  • What other classes/modules/facts have you found that you recommend?
* concat http://github.com/ripienaar/puppet-concat.git
* http://git.black.co.at/
  • How are you running puppet? What things are you using with puppet that are cool?
* We use Puppet to generate and gather information for CMDB via stored configs
  and have a proof-of-concept CMDBf implementation built on top of the stored
  configs database.
* We have some custom reports that tell us things like whether systems have
  stopped checking in (although there may be better things for this in Puppet
  directly now -- we're still on 0.24).
* We have an internal web application (in Python/Django) that provides an overview of
  machines, a hardware inventory (with service tags, MAC addresses, FC WWPN etc.) and 
  a custom fact query builder.

Ideas

Should we start packaging into debian puppet modules?

* yes
* do we want to work on policy about what modules are good enough to package?
* might be hard to package something like a generic ssh module, but including
  modules for debian specific things should be straightforward enough.  Things
  like managing apt sources.list.d
* We have a module to manage Apache configuration for Debian that understands
  things like sites-available and modules-available and can activate and
  deactivate sites and modules -- need to put it somewhere useful for others.
  * there is going to be a lot of competition to be the one true apache module
    there are already quite a few of them
    * might be better for us to just collaborate on one that already exists
      then and incorporate the stuff that we have into it.
    * some people likely deploy apache using puppet across different operating 
      systems, so they may not even want to use the debian configuration approach
      * One of the mismatches we have with some of the collective module work is that people are focusing on making it work across OSes, where what we care about is making it work *really* well on Debian with all the tools Debian has available (sites-available, ca-certificates, etc.)
      * I would posit that one of the policy items would be that any debian specific parts of the manifest should be within a case $operatingsystem = 'debian' statement, so that other people are not scared away from using the modules that we have blessed to officialdom
* puppet in debian is managed by an alioth group, and more help is welcome

Questions

does puppet have integration for git or some other type of configuration versioning? (client crashed)

* On the server side the puppet repository is a directory of text files that can be stored in a VCS
  I believe some users have branches for devel and production and merge modules after testing
- dsa uses production/staging environment

How to make puppet faster? Slow machines take AGES to go through one run, so every 30 minutes isn't possible, sometimes it's up to 2/4 hour schedules.

-> might be worth trying Rubinius (http://rubini.us/),
   some benchmark says it's faster than classic Ruby
   but it is not packaged for debian, so basically does not exist (package it) thanks for volunteering, please go ahead :) :) (do it, and I promise it passes NEW fast :) )

Also, puppetmaster does like to eat postgres connections when using the stored config foo. Has anyone seen that with mysql? or know this? (need to dig through it for this bug, but well, it's annoying. cron restart of it helps, but is far from a nice solution)

Does anyone use Config::Model or augeas with puppet?

* I try to use augeas whenever it's applicable. Advantage: I don't have to overwrite the 
  whole configuration file, just force a value for a given configuration option
* I use augeas for some of the configurations in our puppet setup
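
The two points above (augeas forcing single options instead of replacing the file, and the Ideas suggestion to keep Debian-specific parts inside a case on $operatingsystem) can be combined as in the following added example, which is not code from the BOF or from any participant's repository. The class name `sshd_options` and the two option values are assumptions chosen for illustration; it uses the `$operatingsystem` fact as named in these notes.

```puppet
# Added example: hypothetical class, not taken from the BOF notes.
class sshd_options {

  # Debian-specific details live inside the case statement so the
  # class remains usable on other operating systems.
  case $::operatingsystem {
    'Debian': {
      # On Debian the OpenSSH server service is called "ssh".
      $service_name = 'ssh'
    }
    default: {
      $service_name = 'sshd'
    }
  }

  # Augeas sets only the named options. Comments, local edits and
  # every other setting in sshd_config are left as they are, which
  # is the advantage over shipping the whole file from the master.
  augeas { 'sshd_config_options':
    context => '/files/etc/ssh/sshd_config',
    changes => [
      'set PermitRootLogin no',         # assumed value for illustration
      'set PasswordAuthentication no',  # assumed value for illustration
    ],
    notify  => Service[$service_name],
  }

  # The service is restarted only when augeas actually changed a value.
  service { $service_name:
    ensure => running,
    enable => true,
  }
}
```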

what advantages does puppet have over other methods of achieving the same goals? aka why puppet?

* Puppet has an object-oriented style of configuration, which means that you
  can write a generic class to manage a style of server and then override for
  subclasses of that server or for specific systems and use that approach to
  manage complexity and share configuration.
* Facter integration is nice in configuration templates.. you can configure 
  services differently based on how much ram or cpus the server it is being
  deployed on has.

How are others doing staging environments with puppet?

* Stanford are linking git branches to puppet environments somehow. Clients 
  get a git branch, development goes to their own branches,
  customers can have changes as they need them, but they also do a regular
  release of the trunk


Common module resources


Riseup Networks' module git repos https://labs.riseup.net/code/projects/puppetmodules

apt, backupninja, common, lsb, monit, munin, mysql, nagios, passenger, rbldnsd, runlevel, shorewall, sshd, stunnel, sysctl, virtual, wordpress


Project to share puppet modules https://labs.riseup.net/code/projects/sharedpuppetmodules

Apache, Common, Cron, Mod_security, Munin, Mysql, Nagios, Passenger, Puppet, Rails, Shorewall, Sshd, User, Webhosting
