After several years spent trying to build its own configuration management tool, my company has decided to look at Puppet Labs. The model described is a hierarchical tree whose Role-Based Access Control[^1] will be managed by Git hooks. The masterless mode was selected (no SPOF, thin control, configuration applied directly on the servers).
Fabric will most likely be used to orchestrate the push to the nodes.
Prerequisites:
- KitchenCI
- Ruby > 2.0
- Bundler
.
├── centos-6.6-dockerfile
├── Gemfile
├── hiera.yml
├── manifests
│   └── site.pp
├── Puppetfile
├── readme.md
└── test
    └── integration
        └── default
            ├── bats
            │   └── ntp_installed.bats
            └── serverspec
                └── ntp_daemon_spec.rb
$> mkdir kitchen-docker-puppet-example
$> cd kitchen-docker-puppet-example
$> git init
$> kitchen init --driver=kitchen-docker --create-gemfile
...
$> echo 'gem "kitchen-puppet"' >> Gemfile
$> echo 'gem "puppet"' >> Gemfile
$> echo 'gem "librarian-puppet"' >> Gemfile
...
$> cat << FIN >> hiera.yml
:backends:
  - yaml
:yaml:
  :datadir: /var/lib/hiera
:hierarchy:
  - node/classes
  - origin/main
  - ntp
FIN
...
$> mkdir manifests
$> cat << FIN >> manifests/site.pp
#hiera_include('classes')
class { '::ntp':
  servers => [ '0.pool.ntp.org', '1.pool.ntp.org' ],
}
FIN
...
$> librarian-puppet init
$> # librarian-puppet init already created a Puppetfile, so overwrite it (>) rather than append to it
$> cat << FIN > Puppetfile
#!/usr/bin/env ruby
#^syntax detection
forge "https://forgeapi.puppetlabs.com"
# use dependencies defined in Modulefile
mod "puppetlabs-ntp"
mod 'puppetlabs-stdlib'
FIN
$> librarian-puppet install
...
$> cat << FIN >> centos-6.6-dockerfile
FROM centos:6.6
RUN yum clean all
# htop is not in the CentOS 6 base repositories and would make "yum install -y" fail
RUN yum install -y sudo openssh-server openssh-clients which curl
# -N '' gives the host keys an empty passphrase; without it ssh-keygen prompts and the non-interactive build fails
RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
RUN ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
RUN mkdir -p /var/run/sshd
# the user must be named "kitchen": that is the account kitchen-docker logs in with and the one chpasswd/sudoers refer to below
RUN useradd -d /home/kitchen -m -s /bin/bash kitchen
RUN echo kitchen:kitchen | chpasswd
RUN echo 'kitchen ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
FIN
Now we have to update the .kitchen.yml file with the Puppet-specific options provided by the kitchen-puppet gem. See the kitchen-puppet provisioner options for details.
$> cat << FIN > .kitchen.yml
driver:
  name: docker
provisioner:
  name: puppet_apply
  manifests_path: manifests
  modules_path: modules
  hiera_data_path: hieradata
  #hiera_config_path: hiera.yml
  #resolve_with_librarian_puppet: true
platforms:
  - name: centos-latest
    driver_config:
      image: centos:latest
      platform: centos
      use_cache: true
      dockerfile: centos-latest-dockerfile
      #socket: <%= ENV['DOCKER_HOST'] %>
  - name: centos-6.6
    driver_config:
      image: centos:6.6
      platform: centos
      use_cache: true
      dockerfile: centos-6.6-dockerfile
suites:
  - name: default
    manifest: site.pp
FIN
$> install -d test/integration/default/bats
$> # quote the delimiter ('FIN') so the shell does not expand $status while writing the file
$> cat << 'FIN' >> test/integration/default/bats/ntp_installed.bats
#!/usr/bin/env bats
@test "ntp rpm found" {
  # rpm -q exits non-zero when the package is absent; rpm -qa would exit 0 even with no match
  run rpm -q ntp
  [ "$status" -eq 0 ]
}
FIN
$> install -d test/integration/default/serverspec
$> cat << FIN >> test/integration/default/serverspec/ntp_daemon_spec.rb
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe package('ntp'), :if => os[:family] == 'redhat' do
  it { should be_installed }
end
describe file('/etc/ntp.conf') do
  it { should be_file }
  # dots are escaped so the regexes match the literal hostnames
  its(:content) { should match /server 0\.pool\.ntp\.org prefer/ }
  its(:content) { should match /server 1\.pool\.ntp\.org/ }
end
describe "Ntp Daemon" do
  it "has a running service of ntpd" do
    expect(service("ntpd")).to be_running
  end
end
FIN
...
$> bundle install
$> kitchen list
$> kitchen converge default-centos-66
$> kitchen verify default-centos-66
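As an added check that is not part of the original post, the POSIX shell script below audits the ntp.conf that puppetlabs-ntp renders inside the container, complementing the serverspec content assertions above: both default restrict lines must keep noquery and nomodify (so the test box answers no mode 6/7 control queries and accepts no remote changes) and at least two upstream servers must be configured. The function names and sample configurations are mine; the restrict flags are assumed to be puppetlabs-ntp's RedHat defaults.

```shell
#!/bin/sh
# Added example (not from the original post): audit a rendered ntp.conf so the
# puppetlabs-ntp RedHat default restrictions (noquery/nomodify on both
# "restrict default" lines) and at least two upstream servers survived the
# parameters given to the class. Exit: 0 pass, 1 findings, 2 unreadable file.
# Every flag given after the restrict line $1 must be present in it.
check_restrict() {
    line=" $(printf '%s' "$1" | tr -s '[:space:]' ' ') "   # normalise whitespace
    shift
    for flag in "$@"; do
        case "$line" in
            *" $flag "*) ;;
            *) echo "FAIL: restrict line lacks '$flag':$line"; return 1 ;;
        esac
    done
}

check_ntp_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    rc=0
    body=$(sed -e 's/#.*//' "$conf")   # strip comments before matching
    n=$(printf '%s\n' "$body" | grep -c -E '^[[:space:]]*(server|pool)[[:space:]]') || true
    [ "$n" -ge 2 ] || { echo "FAIL: $n upstream server/pool line(s), expected >= 2"; rc=1; }
    # puppetlabs-ntp renders an IPv4 and an IPv6 default restriction; require both.
    v4=$(printf '%s\n' "$body" | grep -E '^[[:space:]]*restrict[[:space:]]+default([[:space:]]|$)' | head -n 1)
    v6=$(printf '%s\n' "$body" | grep -E '^[[:space:]]*restrict[[:space:]]+-6[[:space:]]+default([[:space:]]|$)' | head -n 1)
    for line in "$v4" "$v6"; do
        [ -n "$line" ] || { echo "FAIL: a 'restrict default' line is missing"; rc=1; continue; }
        check_restrict "$line" kod nomodify notrap nopeer noquery || rc=1
    done
    return "$rc"
}

# Constructed samples: the first is assumed to match what puppetlabs-ntp renders
# for the site.pp above on RedHat; the second is a hand-loosened copy.
GOOD_CONF='restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server 0.pool.ntp.org
server 1.pool.ntp.org'
BAD_CONF='restrict default kod nomodify notrap nopeer
server 0.pool.ntp.org'
# Stand-alone demo: write both samples to temp files and check them.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); printf '%s\n' "$GOOD_CONF" > "$tmp/good"; printf '%s\n' "$BAD_CONF" > "$tmp/bad"
    check_ntp_conf "$tmp/good" && echo "good: OK"; check_ntp_conf "$tmp/bad" || echo "bad: see findings"
    rm -rf "$tmp"
fi
```

Inside a converged instance it can be run as `sh check_ntp.sh /etc/ntp.conf` after loading the functions, or wrapped in a bats `@test` next to ntp_installed.bats.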
Footnotes

[^1]: Role-Based Access Control is an approach to restricting system access to authorized users.