SlideShare une entreprise Scribd logo

Workflow story: Theory versus practice in Large Enterprises

Puppet
Puppet

"Workflow story: Theory versus practice in Large Enterprises" by Marcin Piebiak of Linux Polska at Puppet Camp London 2013.

Technologie
1  sur  44
Télécharger pour lire hors ligne
Workflow story – theory versus practice in Large Enterprises Marcin Piebiak Solutions Architect Linux Polska Sp. z o.o. 1
What is it? ● Resources A lot of ready to use resources: • user • group • host • cron • exec • file • package • service • ... package { 'ssh': ensure => 'installed', name => 'openssh-server', } service { 'ssh': ensure => 'running', name => 'sshd', require => Package['ssh'], } • Resources are building blocks. • They can be combined to make larger components. • Together they can model the expected state of your system. 2
What is it? Resources ● Declarative language ● package { 'ssh': ensure => 'installed', name => 'openssh-server', } service { 'ssh': ensure => 'running', name => 'sshd', } Rather than listing a series of steps to carry out we can describe the desired final state only. 3
What is it? Resources ● Declarative language ● Abstraction ● package { 'ssh': ensure => 'installed', name => 'openssh-server', } root@debian ~]# apt-get install openssh-server root@redhat ~]# yum install openssh-server Resources in Puppet are abstracted from underlying providers. 4
What is it? Resources ● Declarative language ● Abstraction ● Facts ● Puppet uses facter to gather information about the host system. root@redhat ~]# facter architecture => x86_64 domain => linuxpolska.pl facterversion => 1.5.2 fqdn => redhat.linuxpolska.pl hardwaremodel => x86_64 hostname => redhat interfaces => eth0 ipaddress => 172.16.10.1 kernel => Linux ... 5 Custom Facts Facter.add('role') do setcode do 'cat /etc/role' end end
What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Puppet uses Hiera as its single source of truth data abstraction layer. $pkg_name = hiera('pkg_name') package { 'apache': ensure => 'installed', name => $pkg_name, } Hiera uses Facter facts to determine a hierarchy. 6 --:backends: - yaml :yaml: :datadir:/etc/hiera :hierarchy: - %{fqdn} - %{osfamily} - %{environment} - common
What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● class ssh ( $pkg_name = 'openssh-server', $srv_name = 'sshd', ) { package { 'ssh': ensure => 'installed', name => $pkg_name, } } 7 service { ensure enable name require } 'ssh': => 'running', => 'true', => $srv_name, => Package['ssh'], Classes define a collection of resources that are managed together as a single unit.
What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● Classes are abstracted by modules: ssh ├── │ │ ├── │ └── manifests ├── init.pp └── server.pp files └── ssh_config templates └── sshd_config.erb Modules are directories that contain your configuration. They are designed to encapsulate all of the components related to a given configuration in a single folder hierarchy. 8
What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● If a more complex deployment is needed, reusing existing classes saves effort and reduces error. 9
What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● You own abstraction layers... Profiles: class profiles::application { include tomcat include mysql include myapp } class profiles::base { include ssh include ntp include users } Roles: class role::webapp { include profiles::base include profiles::customapp include profiles::test_tools } 10
What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● Supports many OS ● Supported OS 11
What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● Supports many OS ● Big environment – no problem Changes? base/ntp.yaml --ntp::local_servers: - 192.168.0.45 + - 192.168.0.1 12
What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● Supports many OS ● Provisioning ● Orchestration ● Puppet Forge ● Live Management ● Environments ● Reporting ● Dry-run mode ● And more... VM/Cloud Provisioning Live Management Orchestration MCollective Environments Dry-run mode 13 Reporting Custom: - types & providers - facts - functions
What is it? Resources ● Declarative language Thanks to these all superior features, ● Abstraction Puppet is: ● Facts - fast in deployment ● Data separation - easy to use - universal for a lot of operating systems ● Reusable code ● Supports many OS - with unlimited possibilities ● Provisioning - easy to expand - flexible ● Orchestration ● Puppet Forge ● Live Management ● Environments ● Reporting ● Dry-run mode ● 14
In large enterprises like banks, telco, insurance, etc. those features are not the most relevant. Implementing Puppet in enterprises we must consider another priority map, another mindset. VS. We must answer not trivial questions dealing with the core IT Departments way of work. 15
So... everyone has access to everything?! VS. 16
So... can I destroy the whole infrastructure from one place? VS. 17
Solution Puppet master installation on hardened system with limited direct access. tcp:8140 RBAC tcp:443 tcp:22 ssh keys For maintenance. 18
Solution Release manager Pull request developer developer Fetch Git as a communication layer between developers and puppet master. 19 developer
So... everyone now must use puppet?! VS. 20
Developers Solution Systems administrators Databases administrators Security department On beginning each department can have own environments. 21
Each department can have many environments and its own idea how to organize work with puppet. Solution Security department Integrator Tests integrator dev test prod Release manager 22
Each department can have many environments and its own idea how to organize work with puppet. Solution Security department Integrator Tests integrator Release v0.1 v0.2 dev test prod commits 23 Release manager
Developers Solution Systems administrators Databases administrators integrator Security department After time some departments will start working together in one environment. 24
Developers Solution Systems administrators Databases administrators integrator Security department integrator 25
Developers Solution Systems administrators Databases administrators integrator Security department integrator At the end all departments will use one environment. 26
How can I find out who made what change and who approved this modification? VS. 27
Using git we have: ● date ● author ● description Solution commit 220938c5a2e51ecd4166eb7d75d14974cbcff897 Author: Marcin Piebiak <mpp@linuxpolska.pl> Date: Fri Jul 5 11:27:43 2013 +0200 Description.... Person who approved modifications. Release v0.1 dev test prod 28 v0.2 We can use git as a place for history of the infrastructure. ● git status ● git log ● git diff commits ● git blame Git history is cryptographically secured.
If I have a lot of environments how can I use them? VS. 29
Solution We can specify a set of environments for each host to use. Database testing system, uses three testing environments from different departments. tcp:8140 dev test prod 30
Great! But... using command line I can connect to different environments! VS. 31
Solution We use imp module, to control puppet agents behavior and their access to environments. puppet agent -t --environment tcp:8140 32
Solution puppet.conf [main] modulepath = /etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules manifest = /etc/puppetlabs/manifests/site.pp [env_sec_prod] modulepath = /var/lib/git/env_sec_prod/modules:/etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules [env_sec_test] modulepath = /var/lib/git/env_sec_test/modules:/etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules /etc/puppetlabs/puppet/modules – place for modules from forge and well tested modules and module imp /var/lib/git/$environment/modules – git repository for environment /etc/puppetlabs/manifests/site.pp - common manifest for all environments imp.yaml site.pp include imp hiera_include('include') 33 --imp::environments: env_sec_prod: order: 'deny,allow' deny: 'all' allow: - 'host1.linuxpolska.lab' - 'www.*.linuxpolska.lab' commiters: - 'john.smith' priority: 1
How can I audit changes made in the infrastructure? VS. 34
Puppet reports Solution When nodes fetch their configurations from the puppet master, they send back inventory data and a report of their run. puppet reports Log collector and analyzer. 35
How can puppet help me with audit? How can I recreate life cycle of each host? VS. 36
Solution puppet reports ● puppet agents catalog ● hosts facts ● git diffs after commit ● hiera configuration for each host ● filebuckets ● ... ● Log collector and analyzer. 37
Solution file {'/etc/important': ensure => 'file', group => 'apache', mode => '0660', } app db file {'/etc/important': ensure => 'file', user => 'root', group => 'root', mode => '0600', } system security If we have many environment there is always risk of overwriting someone's changes. Log collector and analyzer. 38
How will the modification in puppet manifests affect the whole infrastructure? VS. 39
Solution Using log collector we can analyze the infrastructure modifications before they get to production environment. Report from puppet normal run. Report from puppet dry-run. v0.1 v0.2 dev test prod commits Log collector and analyzer. 40
All changes are made automatically? First I would like to see what is going to be changed. VS. 41
How can we rollback changes? VS. 42
After we install puppet will we know everything about the infrastructure? VS. 43
THE END Marcin Piebiak Solutions Architect Linux Polska Sp. z o.o. 44

Recommandé

Effective service and resource management with systemd
Effective service and resource management with systemdEffective service and resource management with systemd
Effective service and resource management with systemd
David Timothy Strauss
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Jian-Hong Pan
 
Make container without_docker_7
Make container without_docker_7Make container without_docker_7
Make container without_docker_7
Sam Kim
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
Gábor Nyers
 
Software Packaging for Cross OS Distribution
Software Packaging for Cross OS DistributionSoftware Packaging for Cross OS Distribution
Software Packaging for Cross OS Distribution
Jian-Hong Pan
 
How to make a large C++-code base manageable
How to make a large C++-code base manageableHow to make a large C++-code base manageable
How to make a large C++-code base manageable
corehard_by
 
Making Your Capistrano Recipe Book
Making Your Capistrano Recipe BookMaking Your Capistrano Recipe Book
Making Your Capistrano Recipe Book
Tim Riley
 
A Journey to Boot Linux on Raspberry Pi
A Journey to Boot Linux on Raspberry PiA Journey to Boot Linux on Raspberry Pi
A Journey to Boot Linux on Raspberry Pi
Jian-Hong Pan
 

Recommandé

Effective service and resource management with systemd
Effective service and resource management with systemdEffective service and resource management with systemd
Effective service and resource management with systemd
David Timothy Strauss
 
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021Let's trace Linux Lernel with KGDB @ COSCUP 2021
Let's trace Linux Lernel with KGDB @ COSCUP 2021
Jian-Hong Pan
 
Make container without_docker_7
Make container without_docker_7Make container without_docker_7
Make container without_docker_7
Sam Kim
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
Gábor Nyers
 
Software Packaging for Cross OS Distribution
Software Packaging for Cross OS DistributionSoftware Packaging for Cross OS Distribution
Software Packaging for Cross OS Distribution
Jian-Hong Pan
 
How to make a large C++-code base manageable
How to make a large C++-code base manageableHow to make a large C++-code base manageable
How to make a large C++-code base manageable
corehard_by
 
Making Your Capistrano Recipe Book
Making Your Capistrano Recipe BookMaking Your Capistrano Recipe Book
Making Your Capistrano Recipe Book
Tim Riley
 
A Journey to Boot Linux on Raspberry Pi
A Journey to Boot Linux on Raspberry PiA Journey to Boot Linux on Raspberry Pi
A Journey to Boot Linux on Raspberry Pi
Jian-Hong Pan
 
Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administration
Mohammed Farrag
 
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports Development
Mohammed Farrag
 
FreeBSD Jail Complete Example
FreeBSD Jail Complete ExampleFreeBSD Jail Complete Example
FreeBSD Jail Complete Example
Mohammed Farrag
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1
Sam Kim
 
Efficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ serverEfficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ server
Shuo Chen
 
Muduo network library
Muduo network libraryMuduo network library
Muduo network library
Shuo Chen
 
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
Kevin Lo
 
LISA15: systemd, the Next-Generation Linux System Manager
LISA15: systemd, the Next-Generation Linux System Manager LISA15: systemd, the Next-Generation Linux System Manager
LISA15: systemd, the Next-Generation Linux System Manager
Alison Chaiken
 
CoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdCoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love Systemd
Richard Lister
 
PuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into OperationsPuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into Operations
grim_radical
 
Zurg part 1
Zurg part 1Zurg part 1
Zurg part 1
Shuo Chen
 
Summit demystifying systemd1
Summit demystifying systemd1Summit demystifying systemd1
Summit demystifying systemd1
Susant Sahani
 
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
Sam Kim
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Jérôme Petazzoni
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Jérôme Petazzoni
 
Odoo command line interface
Odoo command line interfaceOdoo command line interface
Odoo command line interface
Jalal Zahid
 
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
Sam Kim
 
Docker - container and lightweight virtualization
Docker - container and lightweight virtualization Docker - container and lightweight virtualization
Docker - container and lightweight virtualization
Sim Janghoon
 
Lecture1 Introduction
Lecture1 IntroductionLecture1 Introduction
Lecture1 Introduction
Mohammed Farrag
 
Using Puppet on Linux, Windows, and Mac OSX
Using Puppet on Linux, Windows, and Mac OSXUsing Puppet on Linux, Windows, and Mac OSX
Using Puppet on Linux, Windows, and Mac OSX
Puppet
 
Developing IT infrastructures with Puppet
Developing IT infrastructures with PuppetDeveloping IT infrastructures with Puppet
Developing IT infrastructures with Puppet
Alessandro Franceschi
 
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
OpenShift Origin
 

Contenu connexe

Tendances

Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administration
Mohammed Farrag
 
FreeBSD Jail Complete Example
FreeBSD Jail Complete ExampleFreeBSD Jail Complete Example
FreeBSD Jail Complete Example
Mohammed Farrag
 
Efficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ serverEfficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ server
Shuo Chen
 
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
Kevin Lo
 
PuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into OperationsPuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into Operations
grim_radical
 
Summit demystifying systemd1
Summit demystifying systemd1Summit demystifying systemd1
Summit demystifying systemd1
Susant Sahani
 
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
Sam Kim
 
Docker - container and lightweight virtualization
Docker - container and lightweight virtualization Docker - container and lightweight virtualization
Docker - container and lightweight virtualization
Sim Janghoon
 

Tendances (20)

Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administration
 
Lecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports DevelopmentLecture 6 Kernel Debugging + Ports Development
Lecture 6 Kernel Debugging + Ports Development
 
FreeBSD Jail Complete Example
FreeBSD Jail Complete ExampleFreeBSD Jail Complete Example
FreeBSD Jail Complete Example
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1
 
Efficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ serverEfficient logging in multithreaded C++ server
Efficient logging in multithreaded C++ server
 
Muduo network library
Muduo network libraryMuduo network library
Muduo network library
 
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
 
LISA15: systemd, the Next-Generation Linux System Manager
LISA15: systemd, the Next-Generation Linux System Manager LISA15: systemd, the Next-Generation Linux System Manager
LISA15: systemd, the Next-Generation Linux System Manager
 
CoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdCoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love Systemd
 
PuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into OperationsPuppetDB: Sneaking Clojure into Operations
PuppetDB: Sneaking Clojure into Operations
 
Zurg part 1
Zurg part 1Zurg part 1
Zurg part 1
 
Summit demystifying systemd1
Summit demystifying systemd1Summit demystifying systemd1
Summit demystifying systemd1
 
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
도커 없이 컨테이너 만들기 5편 마운트 네임스페이스와 오버레이 파일시스템
 
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
Cgroups, namespaces, and beyond: what are containers made from? (DockerCon Eu...
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxConAnatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
 
Odoo command line interface
Odoo command line interfaceOdoo command line interface
Odoo command line interface
 
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
 
Docker - container and lightweight virtualization
Docker - container and lightweight virtualization Docker - container and lightweight virtualization
Docker - container and lightweight virtualization
 
Lecture1 Introduction
Lecture1 IntroductionLecture1 Introduction
Lecture1 Introduction
 
Using Puppet on Linux, Windows, and Mac OSX
Using Puppet on Linux, Windows, and Mac OSXUsing Puppet on Linux, Windows, and Mac OSX
Using Puppet on Linux, Windows, and Mac OSX
 

Similaire à Workflow story: Theory versus practice in Large Enterprises

Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
OpenShift Origin
 
Our Puppet Story (Linuxtag 2014)
Our Puppet Story (Linuxtag 2014)Our Puppet Story (Linuxtag 2014)
Our Puppet Story (Linuxtag 2014)
DECK36
 
Adhocr T-dose 2012
Adhocr T-dose 2012Adhocr T-dose 2012
Adhocr T-dose 2012
Gratien D'haese
 
New Jersey Red Hat Users Group Presentation: Provisioning anywhere
New Jersey Red Hat Users Group Presentation: Provisioning anywhereNew Jersey Red Hat Users Group Presentation: Provisioning anywhere
New Jersey Red Hat Users Group Presentation: Provisioning anywhere
Rodrique Heron
 

Similaire à Workflow story: Theory versus practice in Large Enterprises (20)

Developing IT infrastructures with Puppet
Developing IT infrastructures with PuppetDeveloping IT infrastructures with Puppet
Developing IT infrastructures with Puppet
 
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...
 
One-Man Ops
One-Man OpsOne-Man Ops
One-Man Ops
 
Inspection and maintenance tools (Linux / OpenStack)
Inspection and maintenance tools (Linux / OpenStack)Inspection and maintenance tools (Linux / OpenStack)
Inspection and maintenance tools (Linux / OpenStack)
 
Our Puppet Story (Linuxtag 2014)
Our Puppet Story (Linuxtag 2014)Our Puppet Story (Linuxtag 2014)
Our Puppet Story (Linuxtag 2014)
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
Docker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12XDocker and Containers for Development and Deployment — SCALE12X
Docker and Containers for Development and Deployment — SCALE12X
 
Puppet quick start guide
Puppet quick start guidePuppet quick start guide
Puppet quick start guide
 
Adhocr T-dose 2012
Adhocr T-dose 2012Adhocr T-dose 2012
Adhocr T-dose 2012
 
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @GuidewireIntroduction to Docker at SF Peninsula Software Development Meetup @Guidewire
Introduction to Docker at SF Peninsula Software Development Meetup @Guidewire
 
Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势
 
New Jersey Red Hat Users Group Presentation: Provisioning anywhere
New Jersey Red Hat Users Group Presentation: Provisioning anywhereNew Jersey Red Hat Users Group Presentation: Provisioning anywhere
New Jersey Red Hat Users Group Presentation: Provisioning anywhere
 
SCM Puppet: from an intro to the scaling
SCM Puppet: from an intro to the scalingSCM Puppet: from an intro to the scaling
SCM Puppet: from an intro to the scaling
 
#OktoCampus - Workshop : An introduction to Ansible
#OktoCampus - Workshop : An introduction to Ansible#OktoCampus - Workshop : An introduction to Ansible
#OktoCampus - Workshop : An introduction to Ansible
 
Using R on High Performance Computers
Using R on High Performance ComputersUsing R on High Performance Computers
Using R on High Performance Computers
 
Puppet for Developers
Puppet for DevelopersPuppet for Developers
Puppet for Developers
 
Introduction to Docker (as presented at December 2013 Global Hackathon)
Introduction to Docker (as presented at December 2013 Global Hackathon)Introduction to Docker (as presented at December 2013 Global Hackathon)
Introduction to Docker (as presented at December 2013 Global Hackathon)
 
A Fabric/Puppet Build/Deploy System
A Fabric/Puppet Build/Deploy SystemA Fabric/Puppet Build/Deploy System
A Fabric/Puppet Build/Deploy System
 
MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)
 
Portland Puppet User Group June 2014: Writing and publishing puppet modules
Portland Puppet User Group June 2014: Writing and publishing puppet modulesPortland Puppet User Group June 2014: Writing and publishing puppet modules
Portland Puppet User Group June 2014: Writing and publishing puppet modules
 

Plus de Puppet

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepo
Puppet
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)
Puppet
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
Puppet
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNow
Puppet
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020
Puppet
 

Plus de Puppet (20)

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepo
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyaml
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscode
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twenties
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance code
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approach
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliance
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNow
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden Windows
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael Pinson
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin Reeuwijk
 
Take control of your dev ops dumping ground
Take control of your dev ops dumping groundTake control of your dev ops dumping ground
Take control of your dev ops dumping ground
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User Group
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOps
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
 

Dernier

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Dernier (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

Workflow story: Theory versus practice in Large Enterprises

  • 1. Workflow story – theory versus practice in Large Enterprises Marcin Piebiak Solutions Architect Linux Polska Sp. z o.o. 1
  • 2. What is it? ● Resources A lot of ready to use resources: • user • group • host • cron • exec • file • package • service • ... package { 'ssh': ensure => 'installed', name => 'openssh-server', } service { 'ssh': ensure => 'running', name => 'sshd', require => Package['ssh'], } • Resources are building blocks. • They can be combined to make larger components. • Together they can model the expected state of your system. 2
  • 3. What is it? Resources ● Declarative language ● package { 'ssh': ensure => 'installed', name => 'openssh-server', } service { 'ssh': ensure => 'running', name => 'sshd', } Rather than listing a series of steps to carry out we can describe the desired final state only. 3
  • 4. What is it? Resources ● Declarative language ● Abstraction ● package { 'ssh': ensure => 'installed', name => 'openssh-server', } root@debian ~]# apt-get install openssh-server root@redhat ~]# yum install openssh-server Resources in Puppet are abstracted from underlying providers. 4
  • 5. What is it? Resources ● Declarative language ● Abstraction ● Facts ● Puppet uses facter to gather information about the host system. root@redhat ~]# facter architecture => x86_64 domain => linuxpolska.pl facterversion => 1.5.2 fqdn => redhat.linuxpolska.pl hardwaremodel => x86_64 hostname => redhat interfaces => eth0 ipaddress => 172.16.10.1 kernel => Linux ... 5 Custom Facts Facter.add('role') do setcode do 'cat /etc/role' end end
  • 6. What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Puppet uses Hiera as its single source of truth data abstraction layer. $pkg_name = hiera('pkg_name') package { 'apache': ensure => 'installed', name => $pkg_name, } Hiera uses Facter facts to determine a hierarchy. 6 --:backends: - yaml :yaml: :datadir:/etc/hiera :hierarchy: - %{fqdn} - %{osfamily} - %{environment} - common
  • 7. What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● class ssh ( $pkg_name = 'openssh-server', $srv_name = 'sshd', ) { package { 'ssh': ensure => 'installed', name => $pkg_name, } } 7 service { ensure enable name require } 'ssh': => 'running', => 'true', => $srv_name, => Package['ssh'], Classes define a collection of resources that are managed together as a single unit.
  • 8. What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● Classes are abstracted by modules: ssh ├── │ │ ├── │ └── manifests ├── init.pp └── server.pp files └── ssh_config templates └── sshd_config.erb Modules are directories that contain your configuration. They are designed to encapsulate all of the components related to a given configuration in a single folder hierarchy. 8
  • 9. What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● If a more complex deployment is needed, reusing existing classes saves effort and reduces error. 9
  • 10. What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● You own abstraction layers... Profiles: class profiles::application { include tomcat include mysql include myapp } class profiles::base { include ssh include ntp include users } Roles: class role::webapp { include profiles::base include profiles::customapp include profiles::test_tools } 10
  • 11. What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● Supports many OS ● Supported OS 11
  • 12. What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● Supports many OS ● Big environment – no problem Changes? base/ntp.yaml --ntp::local_servers: - 192.168.0.45 + - 192.168.0.1 12
  • 13. What is it? Resources ● Declarative language ● Abstraction ● Facts ● Data separation ● Reusable code ● Supports many OS ● Provisioning ● Orchestration ● Puppet Forge ● Live Management ● Environments ● Reporting ● Dry-run mode ● And more... VM/Cloud Provisioning Live Management Orchestration MCollective Environments Dry-run mode 13 Reporting Custom: - types & providers - facts - functions
  • 14. What is it? Resources ● Declarative language Thanks to these all superior features, ● Abstraction Puppet is: ● Facts - fast in deployment ● Data separation - easy to use - universal for a lot of operating systems ● Reusable code ● Supports many OS - with unlimited possibilities ● Provisioning - easy to expand - flexible ● Orchestration ● Puppet Forge ● Live Management ● Environments ● Reporting ● Dry-run mode ● 14
  • 15. In large enterprises like banks, telco, insurance, etc. those features are not the most relevant. Implementing Puppet in enterprises we must consider another priority map, another mindset. VS. We must answer not trivial questions dealing with the core IT Departments way of work. 15
  • 16. So... everyone has access to everything?! VS. 16
  • 17. So... can I destroy the whole infrastructure from one place? VS. 17
  • 18. Solution Puppet master installation on hardened system with limited direct access. tcp:8140 RBAC tcp:443 tcp:22 ssh keys For maintenance. 18
  • 19. Solution Release manager Pull request developer developer Fetch Git as a communication layer between developers and puppet master. 19 developer
  • 20. So... everyone now must use puppet?! VS. 20
  • 22. Each department can have many environments and its own idea how to organize work with puppet. Solution Security department Integrator Tests integrator dev test prod Release manager 22
  • 23. Each department can have many environments and its own idea how to organize work with puppet. Solution Security department Integrator Tests integrator Release v0.1 v0.2 dev test prod commits 23 Release manager
  • 27. How can I find out who made what change and who approved this modification? VS. 27
  • 28. Using git we have: ● date ● author ● description Solution commit 220938c5a2e51ecd4166eb7d75d14974cbcff897 Author: Marcin Piebiak <mpp@linuxpolska.pl> Date: Fri Jul 5 11:27:43 2013 +0200 Description.... Person who approved modifications. Release v0.1 dev test prod 28 v0.2 We can use git as a place for history of the infrastructure. ● git status ● git log ● git diff commits ● git blame Git history is cryptographically secured.
  • 29. If I have a lot of environments how can I use them? VS. 29
  • 30. Solution We can specify a set of environments for each host to use. Database testing system, uses three testing environments from different departments. tcp:8140 dev test prod 30
  • 31. Great! But... using command line I can connect to different environments! VS. 31
  • 32. Solution We use imp module, to control puppet agents behavior and their access to environments. puppet agent -t --environment tcp:8140 32
  • 33. Solution puppet.conf [main] modulepath = /etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules manifest = /etc/puppetlabs/manifests/site.pp [env_sec_prod] modulepath = /var/lib/git/env_sec_prod/modules:/etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules [env_sec_test] modulepath = /var/lib/git/env_sec_test/modules:/etc/puppetlabs/puppet/modules:/opt/puppet/share/puppet/modules /etc/puppetlabs/puppet/modules – place for modules from forge and well tested modules and module imp /var/lib/git/$environment/modules – git repository for environment /etc/puppetlabs/manifests/site.pp - common manifest for all environments imp.yaml site.pp include imp hiera_include('include') 33 --imp::environments: env_sec_prod: order: 'deny,allow' deny: 'all' allow: - 'host1.linuxpolska.lab' - 'www.*.linuxpolska.lab' commiters: - 'john.smith' priority: 1
  • 34. How can I audit changes made in the infrastructure? VS. 34
  • 35. Puppet reports Solution When nodes fetch their configurations from the puppet master, they send back inventory data and a report of their run. puppet reports Log collector and analyzer. 35
  • 36. How can puppet help me with audit? How can I recreate life cycle of each host? VS. 36
  • 37. Solution puppet reports ● puppet agents catalog ● hosts facts ● git diffs after commit ● hiera configuration for each host ● filebuckets ● ... ● Log collector and analyzer. 37
  • 38. Solution file {'/etc/important': ensure => 'file', group => 'apache', mode => '0660', } app db file {'/etc/important': ensure => 'file', user => 'root', group => 'root', mode => '0600', } system security If we have many environment there is always risk of overwriting someone's changes. Log collector and analyzer. 38
  • 39. How will the modification in puppet manifests affect the whole infrastructure? VS. 39
  • 40. Solution Using log collector we can analyze the infrastructure modifications before they get to production environment. Report from puppet normal run. Report from puppet dry-run. v0.1 v0.2 dev test prod commits Log collector and analyzer. 40
  • 41. All changes are made automatically? First I would like to see what is going to be changed. VS. 41
  • 42. How can we rollback changes? VS. 42
  • 43. After we install puppet will we know everything about the infrastructure? VS. 43
  • 44. THE END Marcin Piebiak Solutions Architect Linux Polska Sp. z o.o. 44