Puppet Blog - Page 12Product

Secure Puppet Code Collaboration

Did you know that you can use workflow and testing to ensure you get the configurations you asked for in a secure manner? In this post, we discuss how.

Puppet compiles a catalog using Puppet DSL code and data that’s usually at rest on the local filesystem of the puppet master. An agent requests a catalog from a master, and subsequently enforces the catalog locally. It’s common for multiple teams to collaborate on the configuration code and data, with the different teams being responsible for different modules. Often times, this means that the Puppet module path is actually made up of two or more module paths, where each modulepath entry is a different version control system repository managed by a different team.

  modulepath = /data/puppet/core/modules:/data/puppet/webapps/modules

I will have a manifest (maybe an ENC too, but let’s just talk about manifests here):

  manifest = /data/puppet/manifests/site.pp

I am more likely to have my core security modules in the first part of my module path. Potentially I *could* have a class security {..} in both halves of my module path; however, the module found first by the autoloader will take precedence, and the module in the web apps part of the path won’t be evaluated. It’s important to get the configurations that you want in first, especially because there’s no hard and fast rule that will restrict resource definitions for security configurations to that security module. Any resource declaration might be in any module, subject to uniqueness constraints, and so forth.

Thus, my security class manages a resource:

   user { 'root': 
    password => 'myspecialpasswordhash',
  } 

If another class attempts to manage the same resource, Puppet will return a catalog compilation error, and no configurations will be managed. This is good. My root user won’t get hosed by a rogue configuration. However, there’s a twist to this story. What if my manifest (site.pp) declares another class ‘configurethewebserver‘? That class is defined in the the second half of my module path (which is where the modules that deploy my applications live, as opposed to the core standard operating environment), and gets declared, quite legitimately, in a node definition in the site manifest.

Module of the Week: java_ks – Build Java Keystores From Existing Keys and Certificates

Purpose Build Java keystores form existing keys and certificates.
Module puppet/java_ks
Puppet Version 2.7+
Platforms OpenJDK 6, OpenJDK 7

This module attempts to ease and shorten the workflow associated with Java applications.

  • When building a Java keystore outside of the Java tool chain, you have to go through a process that spans a couple different tools and intermediary formats before you have a valid keystore. The java_ks module attempts to relieve this by giving you one interface: Puppet. Puppet handles the conversion and intermediary formats for you.
  • This module contains no manifests, only a composite namevar type and its supporting provider.
  • This module allows for keystores to be provisioned along with your Puppet deployed Java application servers.

The reason this module came to life was my frustration over the workflow needed to get a SSL protected ActiveMQ broker set up. When I wanted to integrate the Java keystore build workflow into the rest of ActiveMQ’s setup using a Puppet manifest… well, it got ugly. Converting a string of shell commands into Puppet exec resources eventually led me to a dark dark place. Personally I find that if you are running into a need for a lot of exec resources, especially when they are using the same command or operating on the same file, it is time to grab a copy of Puppet Types and Providers and get your hands dirty with some Ruby. You’ll usually notice a speed increase of your agent runs after a conversion to a type/provider to replace all the exec resources and always end up with easier to maintain manifests.

The Fact Is…

One of the major interfaces to extend functionality with Puppet is the use of Facter and custom facts. A fact is a key/value data pair that represents some aspect of node state, such as its IP address, uptime, operating system, or whether it’s a virtual machine. Custom facts are able to provide catalog compile time data to the puppet master to customise the configurations for a specific node (using PuppetDB, this data becomes available even when you’re doing things elsewhere). Facts are provided by Facter, an independent, cross-platform Ruby library designed to gather information on all the nodes you will be managing with Puppet.

For an example of using a custom fact within Puppet, you can use this data in the context of a catalog compile to make a decision about the catalog that you sent back to the node. A fact that tells us the node’s operating system could cause some conditional logic in a class that tells the node the right set of packages to use to configure ntp on that particular system. Because the package names differ between Linuxes (let alone between Linux and Windows), this fact simplifies ntp configuration. Alternatively, you could use the $::ipaddress fact to customise the appropriate listen directive in Apache or SSH.

Mapping the Puppet Forge

A long time ago (well, June of this year) the Puppet Forge was running without a leader. In my role as community manager, I saw the Forge as having this awesome potential to be the resource for user-generated content surrounding the Puppet community. I knew it was getting more attention, but that was mostly anecdotal. My next step was to find some data that could tell a good story.

Puppet Modules are often the first way people learn and start using Puppet. We’ve had our Puppet Forge for a while, but I didn’t feel like I knew a lot about it. When we were getting ready to interview Product Owners for the Puppet Forge and Modules, I decided I wanted to know more to help me prepare for the interview, and maybe give me some insight into usage patterns that I hadn’t thought about.

Like any geek, I love data. I knew we had all sorts of data in our module download logs, but we had not ever really taken the time to transform that data into awesome information. I started with simple awk/sed/grep to find basic information, like what modules were popular. This worked for a time, but then I wanted to know modules by name, find popular authors, and do things like ignore version number changes.

Module of the Week: maestrodev/maven – Maven repository artifact downloads

This week’s Module of the Week is a guest post from Carlos Sanchez from MaestroDev.

Purpose Manage Apache Maven installation and download artifacts from Maven repositories
Module maestrodev/maven
Puppet Version 2.7+
Platforms RHEL5, RHEL6

The maven module allows Puppet users to install and configure Apache Maven, the build and project management tool, as well as easily use dependencies from Maven repositories.

If you use Maven repositories to store the artifacts resulting from your development process, whether you use Maven, Ivy, Gradle or any other tool capable of pushing builds to Maven repositories, this module defines a new maven type that will let you deploy those artifacts into any Puppet managed server. For instance, you can deploy WAR files directly from your Maven repository by just using their groupId, artifactId and version, bridging development and provisioning without any extra steps or packaging like RPMs or debs.

The maven type allows you to easily provision servers during development by using SNAPSHOT versions—using the latest build for provisioning. Together with a CI tool, this enables you to always keep your development servers up to date.

Module of the Week: inkling/postgresql – PostgreSQL Management

EDIT 10/24/12: The inkling/postresql module is now owned by Puppet Labs, and has been moved to puppetlabs/postgresql. You can contribute to the module on GitHub here.

Purpose Manage PostgreSQL servers, databases, and users
Module Previously inkling/postgresql, now puppetlabs/postgresql
Puppet Version 2.7+ & PE 2.0+
Platforms Tested on RHEL5, RHEL6, Debian6, Ubuntu 10.04

PostgreSQL is a powerful, high-performance, free, open-source relational database server. It hasn’t always enjoyed quite as much popularity as its cousin, MySQL; MySQL is enormously popular, as evidenced by its inclusion in the ubiquitous LAMP (Linux-Apache-MySQL-PHP) web development stack. However, these days there seems to be some increasing momentum behind PostgreSQL in many circles. At Puppet Labs, we are starting to use it more heavily—in fact, it’s a prerequisite for our new PuppetDB product.

With that in mind, it seemed important for us to make sure that there was a Puppet module out that made PostgreSQL as easy to manage with Puppet as MySQL is. We searched around on the Puppet Forge to see if anyone had undertaken this yet, and found several useful Postgres modules—but it was important to us that the module API would be familiar to users of the puppetlabs/mysql module.

We were particularly impressed with the functionality offered by the inkling/puppet-postgresql module, developed by Kenn Knowles of Inkling Systems, so we reached out to Kenn to see if he’d be amenable to us helping to refactor the module to leverage his existing functionality with an API similar to the puppetlabs/msyql module. He was, so, we did!

So here’s why you should check out the new 0.2.0 release of the inkling/postgresql module:

Why Puppet has its own configuration language

I was O’Reilly’s Velocity conference back in June, giving a talk on hacking Puppet, and Puppet’s configuration language came up a lot. Most people love the language and find it the simplest way of expressing their configurations, but some are frustrated by how simple it is and wish they had a full Turing-complete language like Ruby for specification. I thought it would be worthwhile to discuss why Puppet has a custom language, and dive into some of the benefits and costs.

Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.