Puppet can be used effectively and at scale without running as root. In many organizations, particularly large ones, different teams are responsible for different pieces of the infrastructure. In my case, I am on a team responsible for installation, configuration, upkeep, and monitoring of an application, but we are denied root access. Despite this, we have a rich puppet infrastructure that saves us time and reduces configuration drift. I will present our model for success in this kind of limited environment, including recipes for using puppet as non-root and some encouraging words and ideas for those who want to implement puppet but whose organization isn't ready yet.
Spencer Krum
Systems Admin, UTI Worldwide
Spencer is a Linux and application administrator with UTI Worldwide, a shipping and logistics firm. He lives and works in Portland. He has been using Linux and Puppet for years. Spencer is co-authoring (with William Van Hevelingen and Ben Kero) the second edition of Pro Puppet by James Turnbull and Jeff McCune, which should be available from Apress in alpha/beta E-Book in time for Puppet Conf '13. He enjoys hacking, tennis, StarCraft, and Hawaiian food.
2. Books
Pro Puppet 2nd Ed.*
Beginning Puppet**
*With Jeff McCune, James Turnbull, William Van Hevelingen, and Ben Kero
**With William Van Hevelingen, and Ben Kero
9. Limitations
No Root Access
Each devopser has a user
Sudo to the application user
(appserv,webserv,swmgmt,tibco,fico)
Application user has limited sudo access
10. Limitations (cont)
Limited homedir space
/opt/app LVM volume, big, but not massive (20G)
Oracle Enterprise 5, not often updated
Few development libraries
11. Installing the Puppet client
Libyaml built from source, separate
Ruby built from source, separate
Puppet and facter from source, together
All installed using a --prefix
12. Installing the Puppet client
Puppet config in:
/opt/app/tibco/opt/puppet/etc/puppet/conf/puppet.conf
Ruby/yaml located in
/opt/app/tibco/opt/{ruby,yaml}
13. Installing the Puppet client
Drop the whole thing in via a tarball.
Massive sed -i on files.
14. Installing the Puppet client
Each client is in an environment
Conflate UTi environments and puppet environments
Puppet vardir, libdir, ssldir all under opt
No control over dns so set server = machinename
15. Running the Puppet Client
Source a bash file to set RUBYLIB, LD_LIBRARY_PATH
Run Puppet with --config argument to pick up the config file, forks to background
@reboot cron to fire it up if the machine bounces
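The environment file sourced before each Puppet run, as an added example; this is not the speaker's own .ruby_setup.sh. It assumes a FAKE_ROOT tree with ruby, libyaml and puppet each installed under their own --prefix (the paths, the variable name FAKE_ROOT and the function names are constructed), and it makes the prepend idempotent so that sourcing it on every login and every @reboot run does not grow PATH or LD_LIBRARY_PATH without bound.

```shell
#!/bin/bash
# Added example (not the talk's .ruby_setup.sh): environment for a Ruby,
# libyaml and Puppet stack installed with --prefix under a non-root tree.
# The FAKE_ROOT layout is an assumption, not the talk's actual paths:
#   $FAKE_ROOT/opt/ruby    ruby built with --prefix
#   $FAKE_ROOT/opt/yaml    libyaml built with --prefix
#   $FAKE_ROOT/opt/puppet  puppet and facter installed together
#   $FAKE_ROOT/etc/puppet/puppet.conf

# Prepend a directory to a colon-separated variable exactly once, so that
# sourcing this file repeatedly does not duplicate entries.
prepend_path() {
    var="$1" dir="$2"
    eval "cur=\${$var:-}"
    case ":$cur:" in
        *":$dir:"*) ;;                             # already present
        "::")       export "$var=$dir" ;;          # variable was empty
        *)          export "$var=$dir:$cur" ;;
    esac
}

# Set what the prefix-installed ruby and puppet binaries need to find the
# interpreter, the shared libraries and the puppet/facter Ruby code.
rootless_env() {
    : "${FAKE_ROOT:?set FAKE_ROOT to the install root, e.g. /opt/app/tibco}"
    prepend_path PATH            "$FAKE_ROOT/opt/ruby/bin"
    prepend_path PATH            "$FAKE_ROOT/opt/puppet/bin"
    prepend_path LD_LIBRARY_PATH "$FAKE_ROOT/opt/yaml/lib"
    prepend_path LD_LIBRARY_PATH "$FAKE_ROOT/opt/ruby/lib"
    prepend_path RUBYLIB         "$FAKE_ROOT/opt/puppet/lib"
}

# Constructed crontab entry that restarts the agent after a bounce; the
# --config argument points at the non-default puppet.conf under FAKE_ROOT:
#   @reboot . /opt/app/tibco/bin/.ruby_setup.sh; \
#     /opt/app/tibco/opt/puppet/bin/puppet agent \
#     --config /opt/app/tibco/etc/puppet/puppet.conf
```

Source the file (`. .ruby_setup.sh; rootless_env`) from the login shell and from the cron entry alike; because the prepend is idempotent, a shell that has already sourced it once is unchanged by a second sourcing.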
16. Multi User
Sometimes we want to run a service as the fico user and a separate service as the tibco user on the same machine
17. Certname Abuse
Set certname = user-hostname in puppet.conf:
fico-devbuild1.go2uti.com
Two node definitions in site.pp now
Both users have puppet installed under
/opt/app/$USER/opt
26. Service
Possibly the best handled in a rootless environment
Can't use real init system.
Can use the binary, start, status, stop parameters to great effect
I want to look at the path
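A controller script of the kind the service resource's start, stop and status parameters point at, as an added example (constructed, not the talk's own code). The service name "myapp", the APP_HOME layout and the `sleep` stand-in for the real daemon are assumptions. The point it demonstrates is the status check: without an init system, a pidfile left behind by a crash or a reboot must not make Puppet believe the service is running, so status verifies the pid is alive and cleans up a stale file.

```shell
#!/bin/bash
# Added example: start/status/stop for a daemon run as the application user,
# with no init system.  Names are constructed.  Puppet drives it without
# root through the service type's command parameters (manifest, not run here):
#   service { 'myapp':
#     ensure   => running,
#     provider => base,
#     start    => '/opt/app/tibco/local/etc/myapp.sh start',
#     stop     => '/opt/app/tibco/local/etc/myapp.sh stop',
#     status   => '/opt/app/tibco/local/etc/myapp.sh status',
#   }

APP_HOME="${APP_HOME:-${TMPDIR:-/tmp}/myapp-example}"
PIDFILE="$APP_HOME/var/myapp.pid"
LOGFILE="$APP_HOME/var/myapp.log"
DAEMON="${DAEMON:-sleep 300}"          # stand-in for the real application

# Exit 0 only when the pidfile names a live process.  A stale pidfile is
# removed and reported as stopped, so Puppet restarts rather than skips.
myapp_status() {
    [ -f "$PIDFILE" ] || return 3
    pid=$(cat "$PIDFILE")
    if kill -0 "$pid" 2>/dev/null; then
        return 0
    fi
    rm -f "$PIDFILE"
    return 1
}

# Idempotent: a second start while running is a no-op with the same pid.
myapp_start() {
    myapp_status && return 0
    mkdir -p "$APP_HOME/var"
    $DAEMON >>"$LOGFILE" 2>&1 &
    echo $! >"$PIDFILE"
    myapp_status
}

# TERM, wait up to 10s for a clean exit, then KILL; always remove the pidfile.
myapp_stop() {
    myapp_status || return 0
    pid=$(cat "$PIDFILE")
    kill "$pid"
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        kill -0 "$pid" 2>/dev/null || break
        sleep 1
    done
    kill -0 "$pid" 2>/dev/null && kill -9 "$pid"
    rm -f "$PIDFILE"
    return 0
}

case "${1:-}" in
    start)  myapp_start ;;
    stop)   myapp_stop ;;
    status) myapp_status ;;
    *) ;;   # sourced without a verb: only define the functions
esac
```

Puppet's base provider treats a non-zero status exit as "not running", so the stale-pidfile cleanup in status is what keeps `ensure => running` converging after a machine bounce.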
29. Rootless Module
Module to provide types and facts to rootless persons
tarfile type
jdk type
facts for user, group, tempdir
new file type for rootless environments
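The user, group and tempdir facts can also be supplied as an executable external fact, shown here as an added example that is not the rootless module's own code. It assumes Facter's external-fact mechanism (an executable under a facts.d directory printing key=value lines); the facts.d location under the non-root confdir and the rootless_* fact names are constructed. The tempdir fact checks that the candidate is actually writable, since a locked-down host may deny the application user /tmp.

```shell
#!/bin/sh
# Added example: external fact script for a rootless module.  Assumed
# location (not the talk's): $FAKE_ROOT/etc/puppet/facts.d/rootless.sh
# Facter runs executables in facts.d and reads one key=value per line.

# First writable directory from the candidates, so tarfile/jdk types have
# somewhere to unpack.  Returns 1 if none is usable.
rootless_tempdir() {
    for d in "${TMPDIR:-}" "$HOME/tmp" "$HOME/local/var/tmp" /tmp /var/tmp; do
        [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ] && { printf '%s\n' "$d"; return 0; }
    done
    return 1
}

# Fall back to the numeric id when the uid has no passwd entry (containers,
# NIS outages), so the fact is still populated.
rootless_user()  { id -un 2>/dev/null || id -u; }
rootless_group() { id -gn 2>/dev/null || id -g; }

rootless_facts() {
    printf 'rootless_user=%s\n'    "$(rootless_user)"
    printf 'rootless_group=%s\n'   "$(rootless_group)"
    printf 'rootless_home=%s\n'    "$HOME"
    printf 'rootless_tempdir=%s\n' "$(rootless_tempdir || echo NONE)"
}

# Emit only when run by Facter under the script's own name, not when sourced.
case "$0" in *rootless.sh) rootless_facts ;; esac
```

A manifest can then guard on `$::rootless_tempdir != 'NONE'` before declaring resources that need scratch space, instead of failing part way through a run.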
35. Two generations
Problems with first gen
No central log location
No way to upgrade
Conf files awkwardly all over the place
Rack dir lived under puppet dir
36. Two generations
New generation
Everything rooted under a $HOME/local
BSD Ports style
Hiera, puppet, facter running from source
'init' scripts for everything in local/etc
Logs all go to local/var
37. Installation points
Use a bash function to expose the puppet command
# "puppet" on the command line now runs the prefix install with its own confdir
puppet () {
    . "$FAKE_ROOT/bin/.ruby_setup.sh"     # sets RUBYLIB, LD_LIBRARY_PATH
    "$FAKE_ROOT/opt/puppet/bin/puppet" "$@" --confdir="$FAKE_ROOT/etc/puppet"
}
38. Installation points
Passenger 4 reads your .bashrc, check for tty before getting fancy
if tty -s; then                         # interactive shell only
    if env | grep -q '^TMOUT='; then    # inherited idle timeout is exported
        exec env -u TMOUT bash
    fi
fi
40. Installation points
Build passenger on an equivalent system and rsync it up; its dependencies are many, and installing libcurl and openssl from source is hard.
41. Installation points
Try to keep your env as similar to a rooted environment as you can.
Tell lies to tell the truth.