Puppet Camp DC: Puppet for Everybody

Post on 10-May-2015

Puppet Camp DC: "Puppet for Everybody" by Christopher Bowles, University of Texas at Austin

Transcript of Puppet Camp DC: Puppet for Everybody

Puppet for Everybody!

Federated and Hierarchical Puppet Enterprise

Chris Bowles, Senior Systems Administrator

University of Texas at Austin

Everybody? Absolutely!
• Development
• Operations
• Management

source: http://goo.gl/Mjr0dy

Continuum of Expertise

Novice
• Puppet Console
• Variables

Medium
• Hiera

Expert
• Code

Puppet as a Service

UT Puppet API

(standards, culture)

Code/Data Federation

Puppet Enterprise

Hierarchical Configs

Centrally Managed / Maintained

Puppet as a Service

DB group

Web group

Foo group

Standard Puppet API

Puppet Console Configured Server!

Class

Console Variable (string)

Hiera Variable (complex)

Shared culture

Hierarchical Configurations

Node-level

Business Group(s)

Defaults Enterprise

Database

Node

Web

• Shared area = business logic

• All configs in groups

• Plug and play

Federation (of control)
• United States of Puppet

mysql

oracle

Enforce broad configs at “Federal Level”

Set specific configs at “State Level”

source: http://goo.gl/22neR7

Puppet as a Service (at UT)

Apps
• Code or content

Services
• i.e. Apache

BASE
• secure
• standardized
• configurable

Roles / Profiles

Building Blocks

source: http://goo.gl/CHwab0

Puppet Console components
• Classes

• Variables

• Group(s)

• Nodes

ssh

$::ssh_listenport

Database

dbserver-01

Puppet Console Group Nesting!

source: http://goo.gl/tUdl5U

Class Inheritance (immutable)

BASE group assigns: ssh

FOO group inherits: ssh; assigns: syslog

node inherits: ssh, syslog

Variable Inheritance (child wins)

Base group: ssh_listenport = 22

Foo group: ssh_listenport = 72

node1: ssh_listenport = 72

Foo2 group: ssh_listenport = 99

node2: ssh_listenport = 99

All together now!

source: http://goo.gl/K91CJA

BASE group

Classes: ssh

Variable:

ssh_listenport => 22

DB group

Classes: mysql

Variables: ssh_listenport => 99

db-server (node)

Classes: ssh , mysql

Variables:

ssh_port => 99 (from DB group)

Classes: additive

Variables: closest to the node wins

ENC node: RSOP

Mysql class (from DB group)

Ssh class from ALL group

Ssh_port override from DB group (2222)

List of all the groups that the node belongs to.

Hierarchy is implied via the Source attr. See ALL group.

Puppet Console: Building a federated hierarchy

Subgroup

Group

Top BASE

group_foo

sub_bar

group_db

sub_mysql sub_oracle

What’s in a name?

Puppet Console will display: (alphabetical)
• BASE
• group_db
• group_foo
• subgroup_bar
• subgroup_mysql
• subgroup_oracle

A Little more about Console Variables…

class

Console variable

Config

Console Variables = top level Variables ($::foo)
• init.pp

• params.pp

One more level: Hiera

source: http://goo.gl/3tfaVi

Hiera: used for complex variables

key: value

key2: value2

• Arrays
• Hashes

source: http://goo.gl/ge45I1

Hiera: Building a federated hierarchy

Subgroup

Group

Top BASE

group_foo

sub_bar

group_db

sub_mysql sub_oracle

Creating hiera directory-based hierarchies with console variables

Top
• ./
(no variable)

Group(s)
• ./$group/
$group

Subgroup(s)
• ./$group/$sub
$sub

Broad to Specific

Hiera.yaml – rubber, meet road

Top
• ./common.yaml

Group(s)
• ./$group/common.yaml

Subgroup(s)
• ./$group/$sub/common.yaml

'%{group}/%{sub}/common'

'%{group}/common'

'common'

Specific to Broad

Console Groups map to Hiera

Nested Console Groups / Variables (above the waterline) / Hiera (below the waterline)

BASE (no variable required): ./
Foo (group = foo): ./foo/
Bar (sub = bar): ./foo/bar/

Putting it together!

Nested Console Group / Variable / Hiera (files based on hiera.yaml)

BASE (no variables): ./
DB (group = db): ./db/
MySQL (sub = mysql): ./db/mysql/

mysql node: dept=db, svc=mysql

Hiera search path for mysql node:
1. ./common.yaml
2. ./db/common.yaml
3. ./db/mysql/common.yaml

Advanced Hiera Usage
• “This data is exactly what I need… almost”
• firewall, sudoers
• +1
• Check out:
– hiera_hash
– hiera_array
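
Added example (not from the original slides or from Puppet's own code): a small Ruby model of the three-level lookup above, showing how an ordinary priority lookup differs from a hiera_hash-style merge and which file each value came from. The data values and the function names search_path, lookup and lookup_hash are assumptions made for illustration.

```ruby
# Added example: a small model of the lookups described in the slides.
# All data values are constructed; this is not Hiera's own code.

# Hierarchy from the slides' hiera.yaml, most specific level first.
HIERARCHY = ['%{group}/%{sub}/common', '%{group}/common', 'common'].freeze

# Constructed stand-in for the YAML files under ./hieradata/.
DATA = {
  'common'          => { 'ssh_listenport' => 22,
                         'sudoers' => { 'admins' => 'ALL' } },
  'db/common'       => { 'ssh_listenport' => 99,
                         'sudoers' => { 'dba' => '/usr/bin/systemctl' } },
  'db/mysql/common' => { 'sudoers' => { 'dba' => '/usr/bin/mysqladmin' } }
}.freeze

# Expand %{var} from the node's console variables. Levels that reference an
# unset variable are skipped (a simplification made for this example).
def search_path(scope)
  HIERARCHY.map do |level|
    missing = false
    path = level.gsub(/%\{(\w+)\}/) { scope.fetch($1) { missing = true; '' } }
    missing ? nil : path
  end.compact
end

# Priority lookup: the first (most specific) level defining the key wins.
# Returns [value, source] so the origin of a setting can be audited.
def lookup(key, scope)
  search_path(scope).each do |path|
    level = DATA.fetch(path, {})
    return [level[key], path] if level.key?(key)
  end
  [nil, nil]
end

# Hash-merge lookup, as hiera_hash does by default: every level contributes
# its top-level keys, and on a clash the more specific level wins.
def lookup_hash(key, scope)
  search_path(scope).reverse.reduce({}) do |merged, path|
    merged.merge(DATA.fetch(path, {}).fetch(key, {}))
  end
end

if __FILE__ == $PROGRAM_NAME
  node = { 'group' => 'db', 'sub' => 'mysql' }
  p lookup('ssh_listenport', node)
  p lookup_hash('sudoers', node)
end
```

Returning the source file alongside the value makes it easy to review which level of the federation set a security-relevant setting such as an SSH port or a sudoers entry.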

Code/Data Federation

Puppet Classes/Data

Subgroup source

Group source

BASE source

Code Federation

puppet.conf

modulepath=/opt/puppet/modules/base:/opt/puppet/modules/group:/opt/puppet/modules/sub

BASE Repo

Group Repo

Subgroup Repo

VCSREPO

Data Federation (via VCSREPO)

• ./hieradata/ =

./common.yaml

./$group/common.yaml

./$group/$sub/common.yaml

BASE Repo

group Repo

subgroup Repo

VCSREPO

Puppet Class Namespaces
• Namespaces prevent class collisions
• ${group}_name
• Examples:
– base_ssh
– db_ssh
– mysql_ssh

A peek into the future…

source: http://goo.gl/9GwKyQ

Git Workflow
• Instead of this…
• 1 git repo / module

Core SVN repo (modules)

Group SVN repo (modules)

Head (production) branch

Non-production branches (created as needed)

CI/CD
• r10k push deployments (faster!)
• Puppet Environments defined by code (Puppetfile)
• Automated Testing

Git repos

r10k

Puppet

Takeaways!
• “Puppet as a Service” – Can provide hierarchical/federated configuration management as a service by building on top of Puppet Enterprise

• Hierarchical Configs: building blocks that match organizational structure, plug and play

• Federation: Empowering users at all levels of the enterprise

Thanks! Any Questions?
• Note: slide deck available from PuppetLabs
• Contact information:
– Chris Bowles
• Email: cbowles@austin.utexas.edu