Creating rapid Puppet test environments and running from source
Felix Frank, MPeX.net GmbH
@felis_rex
ffrank.github.io
Learn one simple technique to make Puppet do what you want for a while.
Puppet: A quick rehash
Software - behaving erratically since 1947
We usually need to find the cause
research safely in a lab environment
...allows arbitrary repetition
...liberally strip down your code
...eliminate problem through iteration
...generate minimal reproduction
Lab environment approaches
create a VM and set up Puppet
clone the original machine
have a Vagrant or Docker file ready
etc.
All these are valid but possibly too expensive
Agent setups are simple enough but masters are no fun
What with the whole SSL dance
Just run Puppet as a non-root user
Just kidding! Here's how it works
All Puppet data and configs can live in ~/.puppet/
...allowing shenanigans galore
Let's see it in action
Do these in .SHrc
export GEM_HOME=~/gems
export PATH=$PATH:$GEM_HOME/bin
Then just
> gem install puppet --version 3.7.5
How does it work? A quick overview of Puppet's configuration.
$HOME is used courtesy of sensible default configs.
Take a look
> puppet master --configprint manifest
/home/puppy/.puppet/manifests/site.pp
Find settings
> puppet master --configprint all \
    | grep 'puppet\.conf'
config = /home/puppy/.puppet/puppet.conf
config_file_name = puppet.conf
Get an overview
> puppet master --configprint all | less
...and go a little crazy
> puppet master --confdir /tmp \
    --configprint manifest
/tmp/manifests/site.pp
Cascading settings
There are two trees of path settings with roots
→ confdir
→ vardir
All other paths are derived, e.g.
statefile = $statedir/state.yaml = $vardir/state/state.yaml
Both confdir and vardir are in ~/.puppet per default.
...except when you are root or puppet
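The cascade above, worked through in an added shell example (not part of the talk): one function reproduces the Puppet 3.x open-source defaults for confdir and vardir (root or the puppet user get /etc/puppet and /var/lib/puppet, everyone else gets $HOME/.puppet), one derives statefile from them, and one builds a throwaway confdir whose puppet.conf pins every root so a test run cannot touch ~/.puppet or the system paths. The function names, the sandbox layout and the sample manifest are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the talk. Assumes Puppet 3.x open-source defaults.

# puppet3_default_dirs USER HOME -> prints "<confdir> <vardir>"
puppet3_default_dirs() {
  user=$1; home=$2
  case "$user" in
    root|puppet) echo "/etc/puppet /var/lib/puppet" ;;
    *)           echo "$home/.puppet $home/.puppet" ;;
  esac
}

# puppet3_statefile USER HOME -> statefile = $statedir/state.yaml = $vardir/state/state.yaml
puppet3_statefile() {
  set -- $(puppet3_default_dirs "$1" "$2")   # $1 = confdir, $2 = vardir
  echo "$2/state/state.yaml"
}

# make_puppet_sandbox DIR: a self-contained confdir/vardir/ssldir tree.
# Prints the path of the generated puppet.conf.
make_puppet_sandbox() {
  dir=$1
  mkdir -p "$dir/manifests" "$dir/var" "$dir/ssl"
  chmod 771 "$dir/ssl"                      # same mode Puppet itself uses for ssldir
  cat > "$dir/puppet.conf" <<EOF
[main]
confdir = $dir
vardir  = $dir/var
ssldir  = $dir/ssl
EOF
  cat > "$dir/manifests/site.pp" <<'EOF'
# constructed sample manifest for the sandbox
notify { 'sandbox': message => 'hello from the sandbox' }
EOF
  echo "$dir/puppet.conf"
}

# Usage (needs a Puppet 3.x gem on the PATH):
#   conf=$(make_puppet_sandbox "$(mktemp -d)")
#   puppet master --confdir "$(dirname "$conf")" --configprint statefile
#   puppet apply  --confdir "$(dirname "$conf")" "$(dirname "$conf")/manifests/site.pp"
```

Because vardir and ssldir are set explicitly in the generated puppet.conf, --configprint statefile answers with a path under the sandbox, and removing the directory afterwards removes every trace of the run.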
Speakingof defaults
The examples represent version 3.x behavior. Puppet 4 has similar but different defaults.
Don't try this with 2.x
What this all means
With these tools any user can run a complete (WEBrick) master with CA.
The agent is limited.
→ file as per permissions
→ cron only for your jobs
→ package works only with gems and similar
etc.
All this holds true for puppet apply as well.
A word on security
Will this enable spoofing?
→ Master port is unprivileged.
→ But user cannot get a signed master cert.
Only new agents are vulnerable
Make sure your master always keeps its port.
...or pre-share the CA cert.
...or Always pre-share the CA cert.
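Pre-sharing the CA cert, as an added shell example that is not part of the talk: a new agent that finds no CA cert in its ssldir fetches one from whatever answers on the master port, so the fix is to put the real CA cert in place (with its digest checked against a value obtained out of band) before the first run. It assumes the Puppet 3.x layout ssldir = $confdir/ssl and localcacert = $ssldir/certs/ca.pem; the function names and the digest-check procedure are this example's own.

```shell
#!/bin/sh
# Added example, not from the talk. Assumes Puppet 3.x: $confdir/ssl/certs/ca.pem.

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum on BSD/macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# preshare_ca_cert CONFDIR CA_PEM EXPECTED_SHA256
# Installs CA_PEM as the agent's trusted CA only if its digest matches the value
# received out of band; on mismatch nothing is written and the return code is 1.
# Prints the installed path on success.
preshare_ca_cert() {
  confdir=$1; ca_pem=$2; expected=$3
  certdir="$confdir/ssl/certs"
  actual=$(sha256_of "$ca_pem")
  if [ "$actual" != "$expected" ]; then
    echo "CA cert digest mismatch: got $actual, expected $expected" >&2
    return 1
  fi
  mkdir -p "$certdir"
  chmod 771 "$confdir/ssl"        # mode Puppet itself uses for ssldir
  cp "$ca_pem" "$certdir/ca.pem"
  chmod 644 "$certdir/ca.pem"     # the CA cert is public; only keys need 0600
  echo "$certdir/ca.pem"
}

# Usage: the digest comes from the CA operator by some channel other than the
# Puppet port (ticket, config management of the image, printed on paper ...).
#   preshare_ca_cert ~/.puppet /path/to/ca.pem "$EXPECTED_DIGEST" \
#     && puppet agent --test --server puppetmaster.example
```

With ca.pem already present the agent verifies the master's certificate against it, so a process that merely grabbed the master port with a certificate from some other CA fails the TLS handshake instead of being trusted.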
With Ruby applications this is not quite intuitive.
Just calling
> ~/puppet-3.4.2/bin/puppet \
    agent --test
will likely not do what you want.
Ever looked at bin/puppet?
#!/usr/bin/env ruby
begin
  require 'puppet/util/command_line'
  Puppet::Util::CommandLine.new.execute
rescue LoadError => e
  $stderr.puts e.message
  exit(1)
end
Puppet relies on require logic.
Straightforward approach: manipulate Ruby's library path ($LOAD_PATH, alias $:)
> ruby -e 'puts $:'
/usr/lib/ruby/vendor_ruby
/usr/lib/ruby/1.9.1
...
> export RUBYLIB=~/puppet-3.4.2/lib
> ruby -e 'puts $:'
/home/puppy/puppet-3.4.2/lib
/usr/lib/ruby/vendor_ruby
/usr/lib/ruby/1.9.1
...
This is rather fragile and cumbersome.
In fact, Gems can mess up the library look-up and cause unpredictable results.
Bundler: arguably the best way to manage installed gems and versions.
Synopsis:
> cd path/to/git-clone
> bundle install
> bundle exec ...
e.g.
> bundle exec puppet master
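The bundler synopsis wrapped into two shell functions, as an added example that is not part of the talk: the first validates a checkout and exports an isolated Ruby environment (RUBYLIB and RUBYOPT dropped so nothing from the shell reorders $LOAD_PATH, BUNDLE_GEMFILE and BUNDLE_PATH pointed into the checkout so the gems installed for it stay there), the second runs puppet through bundle exec in that environment. It assumes a checkout that ships its own Gemfile and bin/puppet, as Puppet's repository does; the vendor/bundle location and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the talk. Assumes a Puppet git checkout with Gemfile and bin/puppet.

# puppet_src_env CHECKOUT: validate the checkout and export an isolated environment.
# Prints the bundle path on success, returns 1 for a directory that is no checkout.
puppet_src_env() {
  checkout=$1
  [ -f "$checkout/Gemfile" ] && [ -x "$checkout/bin/puppet" ] || {
    echo "not a Puppet checkout: $checkout" >&2; return 1; }
  unset RUBYLIB RUBYOPT                     # nothing from the shell may alter $LOAD_PATH
  BUNDLE_GEMFILE="$checkout/Gemfile"        # bundle exec resolves this Gemfile from any cwd
  BUNDLE_PATH="$checkout/vendor/bundle"     # gems for this checkout live inside it
  export BUNDLE_GEMFILE BUNDLE_PATH
  echo "$BUNDLE_PATH"
}

# puppet_src CHECKOUT [puppet args...]
#   e.g. puppet_src ~/puppet master --configprint confdir
puppet_src() {
  checkout=$1; shift
  puppet_src_env "$checkout" >/dev/null || return 1
  command -v bundle >/dev/null 2>&1 || { echo "bundler not installed" >&2; return 1; }
  [ -d "$BUNDLE_PATH" ] || bundle install    # first run: fetch this checkout's dependencies
  bundle exec puppet "$@"
}

# Switching versions is then a matter of which checkout you name:
#   (cd ~/puppet && git checkout 3.4.2) && puppet_src ~/puppet --version
```

Because bundle exec builds the load path from the Gemfile.lock alone, a newer puppet gem installed under ~/gems cannot shadow the checkout's lib/, which is exactly what the RUBYLIB approach could not guarantee.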
Running from source: not only for hackers
Aside from idle tinkering it allows contributing by triaging bugs and finding reproductions
We can run arbitrary manifests and module sets from ~/.puppet
This works with
> puppet master
> puppet agent
> puppet apply
Try arbitrary versions of Puppet using git and bundler
A word on my behalf
A word on your behalf
Let's not be a bunch of white dudes forever.
Thanks for listening!
Images
http://wallpaperscraft.com/download/line_background_brush_colorful_bright_60114/1366x768
http://www.funnyjunk.com/funny_pictures/4162539/Mayonnaise+low/
http://imgfave.com/view/3573521
http://web.mit.edu/mtg/www/2005/FAL/Photos.html
https://flic.kr/p/auyoK1
http://novemberart.deviantart.com/art/Scientist-Cat-293594656
http://www.angelfire.com/wv/otieandtanya/puppetry.html
http://www.shopage.fr/?q=Fin
http://www.hlg.co.nz/building.php
http://bashish.sourceforge.net/old/screenshots.html
http://www.melablog.it/post/14719/apple-e-i-531-certiicati-ssl-diginotar-rubati
http://www.hisbuildingblocks.com/2010_04_01_archive.html
http://www.hollywoodisburning.com/2012/08/the-new-basis-of-power/
http://odesk.ro/hackers-hack-online-anti-hacking-session/
http://www.neebu.net/~khuon/gallery/misc/linux_nylug_booth