Puppet Camp Berlin 2015: Rapid testing Setups for Puppet


Creating rapid Puppet test environments and running from source

Felix Frank, MPeX.net GmbH, @felis_rex, ffrank.github.io

This session

Learn one simple technique to make Puppet do what you want for a while.

Puppet: A quick rehash

Software - behaving erratically since 1947

We usually need to find the cause

Strategy

research safely in a lab environment

...allows arbitrary repetition

...liberally strip down your code

...eliminate problem through iteration

...generate minimal reproduction

Lab environment approaches

create a VM and set up Puppet

clone the original machine

have a Vagrant or Docker file ready

etc.

All these are valid but possibly too expensive

Agent setups are simple enough but masters are no fun

What with the whole SSL dance

Proposal

Just run Puppet as a non-root user

Just kidding! Here's how it works

All Puppet data and configs can live in ~/.puppet/

...allowing shenanigans galore

Let's see it in action

Do these in .SHrc (your shell's rc file, e.g. ~/.bashrc)

export GEM_HOME=~/gems
export PATH=$PATH:$GEM_HOME/bin

Then just

> gem install puppet --version 3.7.5

How does it work? A quick overview of Puppet's configuration.

$HOME is used courtesy of sensible default configs.

Take a look

> puppet master --configprint manifest
/home/puppy/.puppet/manifests/site.pp

Find settings

> puppet master --configprint all \
    | grep 'puppet\.conf'
config = /home/puppy/.puppet/puppet.conf
config_file_name = puppet.conf

Get an overview

> puppet master --configprint all | less

...and go a little crazy

> puppet master --confdir /tmp \
    --configprint manifest
/tmp/manifests/site.pp

Cascading settings

There are two trees of path settings with roots

→ confdir
→ vardir

All other paths are derived, e.g.

statefile = $statedir/state.yaml = $vardir/state/state.yaml

Both confdir and vardir are in ~/.puppet by default.
...unless you are root or puppet

Speaking of defaults

The examples represent version 3.x behavior. Puppet 4 has similar but different defaults.

Don't try this with 2.x

What this all means

With these tools any user can run a complete (WEBrick) master with CA.

The agent is limited.
→ file as per permissions
→ cron only for your jobs
→ package works only with gems and similar
etc.

All this holds true for puppet apply as well.

A word on security

Will this enable spoofing?

Not really.

→ Master port is unprivileged.
→ But user cannot get a signed master cert.

Only new agents are vulnerable

Make sure your master always keeps its port.

...or pre-share the CA cert.

...or: Always pre-share the CA cert.
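Why pre-sharing the CA cert closes the gap for new agents, as an added Ruby example (not from the talk and not Puppet's own code). It builds a constructed sample PKI with the standard `openssl` library; `issue_cert`, `agent_accepts?`, the constants and the host name `puppet.example.test` are hypothetical, and the "new agent" branch is a simplified model that assumes an agent without a CA cert takes the one offered by whoever answers on the master port.

```ruby
require 'openssl'

# Issue a constructed test certificate. Without an issuer it is a self-signed
# CA; otherwise it is signed by the given [ca_cert, ca_key] pair.
def issue_cert(cn, issuer = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = issuer ? 2 : 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  unless issuer
    ext = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ext.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Agent-side decision (simplified model, not Puppet's code). An agent with a
# pre-shared CA cert verifies the master cert against it; a new agent without
# one uses the CA cert offered by whoever answers on the master port.
def agent_accepts?(master_cert, pinned_ca, offered_ca = nil)
  trust_anchor = pinned_ca || offered_ca
  return false unless trust_anchor
  store = OpenSSL::X509::Store.new
  store.add_cert(trust_anchor)
  store.verify(master_cert)
end

# Constructed sample PKI: the real master's CA and one created by a local user.
REAL_CA      = issue_cert('Puppet CA')
ROGUE_CA     = issue_cert('Puppet CA')
REAL_MASTER  = issue_cert('puppet.example.test', REAL_CA)
ROGUE_MASTER = issue_cert('puppet.example.test', ROGUE_CA)

puts "pinned CA, real master:  #{agent_accepts?(REAL_MASTER[0], REAL_CA[0])}"
puts "pinned CA, rogue master: #{agent_accepts?(ROGUE_MASTER[0], REAL_CA[0])}"
puts "new agent, rogue master: #{agent_accepts?(ROGUE_MASTER[0], nil, ROGUE_CA[0])}"
```

Identical subject names on both CAs do not help the second CA: the agent with the pre-shared cert rejects the master cert because the signature does not verify against the pinned key.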

Use the source

With Ruby applications this is not quite intuitive.

Just calling

> ~/puppet-3.4.2/bin/puppet \
    agent --test

will likely not do what you want.

Ever looked at bin/puppet?

#!/usr/bin/env ruby
begin
  require 'puppet/util/command_line'
  Puppet::Util::CommandLine.new.execute
rescue LoadError => e
  $stderr.puts e.message
  exit(1)
end

Puppet relies on require logic.

Straightforward approach: Manipulate Ruby's library path (RUBYLIB)

> ruby -e 'puts $:'
/usr/lib/ruby/vendor_ruby
/usr/lib/ruby/1.9.1
...

> export RUBYLIB=~/puppet-3.4.2/lib
> ruby -e 'puts $:'
/home/puppy/puppet-3.4.2/lib
/usr/lib/ruby/vendor_ruby
/usr/lib/ruby/1.9.1
...

This is rather fragile and cumbersome.

In fact, Gems can mess up the library look-up and cause unpredictable results.

Bundler

Arguably the best way to manage installed gems and versions.

Synopsis:
> cd path/to/git-clone
> bundle install
> bundle exec ...
e.g.
> bundle exec puppet master

But Why

Running from source: not only for hackers

Aside from idle tinkering it allows contributing by triaging bugs and finding reproductions

In summary

We can run arbitrary manifests and module sets from ~/.puppet

This works with
> puppet master
> puppet agent
> puppet apply

Try arbitrary versions of Puppet using git and bundler

A word on my behalf

Read.

A word on your behalf

Diversity.

Let's not be a bunch of white dudes forever.

Thanks for listening!
