Puppet Camp Seattle 2014: Puppet: Cloud Infrastructure as Code
Cloud Infrastructure
as Code
Andrew Parker
Puppet Labs
@aparker42
In 1889
Tickets please
Eureka !
Herman's Invention
Herman, grows a Mustache
The Tabulating Machine
Automation makes IT better!
Puppet
A language and infrastructure
Puppet Resources
• Describes the desired configuration state of individual elements of the system being managed
user { 'henrik': # A user named 'henrik'
ensure => present, # should exist
shell => '/bin/bash' # with this shell
}
Puppet Resources
package { 'apache2': # A package named 'apache2'
ensure => present # should be installed
}
Puppet Language
• The Puppet Language has constructs to
– compose sets of resources into classes
– define order of operations on resources
– define custom resources
Common Pattern; Package, File, Service
class webserver {
package{ 'apache2':
ensure => present
}
file { '/etc/apache2/apache2.conf':
content => template('apache2/apache2.erb'),
require => Package['apache2']
}
service { 'apache2':
ensure => running,
subscribe => File['/etc/apache2/apache2.conf']
}
}
Presto – a Web Server
• Now we can build a webserver with this:
node kermit.example.com {
include webserver
}
Infra == Code == Text
Cloud Infrastructure
(as Code)
Turtles All The Way Down
Cloud
Google Compute Engine
• Express infrastructure as
– VM Instances
– Networks
– Firewalls
– Disks
Build your own?
puppet module install puppetlabs-gce_compute
A Disk
gce_disk { 'mydisk':
ensure => present,
size_gb => '2'
}
A Network
gce_network { 'mynetwork':
ensure => present,
gateway => '10.0.1.1',
range => '10.0.1.0/24'
}
An Instance
gce_instance { 'myinstance':
ensure => present,
zone => 'us-central1-a',
machine => 'n1-standard-1',
image => "${images}/ubuntu-12-04-v20120621"
}
New Pattern; Network, Firewall, (Disk), Instance
class app_stack {
gce_network { 'appnet':
ensure => present,
range => '10.0.1.0/24'
} ->
gce_firewall { 'webhttp':
ensure => present,
allow => 'tcp:80',
network => 'appnet'
} ->
gce_instance { 'server1':
ensure => present,
network => 'appnet'
}
}
Turtles All The Way Down
Application
Cloud
Modules & Classes
gce_instance { 'myinstance':
ensure => present,
. . .
modules => [ 'puppetlabs-mysql',
'martasd/mediawiki',
. . .
],
enc_classes => {
mediawiki => {server_name => "$gce_external_ip"}
}
}
Turtles All The Way Down
Puppet
Cloud
Setting up a master
gce_instance { 'pe-master':
ensure => present,
. . .
startupscript => 'puppet-enterprise.sh',
metadata => {
'pe_role' => 'master', 'pe_version' => '3.6.1' }
}
gce_instance { 'agent-1':
ensure => present,
. . .
startupscript => 'puppet-enterprise.sh',
metadata => {
'pe_role' => 'agent', 'pe_version' => '3.6.1',
'pe_master' => 'pe-master' }
}
Turtles All The Way Down
Application
Puppet
Cloud
Security 90s Style (diagram: one Master with two Agents)
Autosign
# Whether (and how) to autosign certificate requests. This setting
# is only relevant on a puppet master acting as a
# certificate authority (CA).
#
# Valid values are true (autosigns all certificate
# requests; not recommended),
# false (disables autosigning certificates), or the
# absolute path to a file.
[master]
autosign = true
Autosign
# Whether (and how) to autosign certificate requests. This setting
# is only relevant on a puppet master acting as a
# certificate authority (CA).
#
# Valid values are true (autosigns all certificate
# requests; not recommended),
# false (disables autosigning certificates), or the
# absolute path to a file.
[master]
autosign = $confdir/autosign.conf
Autosign
# Whether (and how) to autosign certificate requests. This setting
# is only relevant on a puppet master acting as a
# certificate authority (CA).
#
# Valid values are true (autosigns all certificate
# requests; not recommended),
# false (disables autosigning certificates), or the
# absolute path to a file.
[master]
autosign = $confdir/my_autosign
trusted_node_data = true
[agent]
csr_attributes = $confdir/csr_attributes.yaml
Autosign
# Produce attributes for the csr based on instance metadata
MD="http://metadata/computeMetadata/v1/instance"
INSTANCE=$(curl -fs -H "Metadata-Flavor: Google" $MD/zone)
NAME=$(curl -fs -H "Metadata-Flavor: Google" $MD/attributes/puppet_instancename)
UUID=$(curl -fs -H "Metadata-Flavor: Google" $MD/id)
cat > $PUPPET_DIR/csr_attributes.yaml <<END
custom_attributes:
Trust your data (diagram: Agent sends CSR to Master; Master returns Certificate; Agent sends Facts with Certificate; Master returns Catalog)
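The third autosign slide points `autosign` at an executable (`$confdir/my_autosign`) instead of `true`. Puppet runs such a policy executable with the agent's certname as its only argument and the PEM-encoded CSR on standard input, and signs the request only if the executable exits 0. The following Ruby script is an added example of what that executable can do with the `custom_attributes` the agent wrote into its CSR from instance metadata; it is not code from the talk or from the gce_compute module. It uses Puppet's registered OIDs for the `pp_uuid` and `pp_instance_id` custom attributes, and it checks them against a constructed, hard-coded inventory of instances (a real policy script would query the cloud provider's API instead). The `build_csr` helper exists only to construct test CSRs offline.

```ruby
require 'openssl'

# OIDs Puppet assigns to two of the custom_attributes in csr_attributes.yaml
# (Puppet's registered arc is 1.3.6.1.4.1.34380.1.1.*).
PP_UUID        = '1.3.6.1.4.1.34380.1.1.1'
PP_INSTANCE_ID = '1.3.6.1.4.1.34380.1.1.2'

# Constructed inventory: certname => attribute values the cloud layer knows
# it gave that instance. A real policy script would look these up live.
KNOWN_INSTANCES = {
  'agent-1' => { PP_INSTANCE_ID => '1234567890123456789',
                 PP_UUID        => 'us-central1-a' },
}.freeze

# Extract Puppet custom attributes from a CSR as { oid_string => value }.
# Each CSR attribute carries its value wrapped in an ASN.1 SET.
def csr_custom_attributes(csr)
  csr.attributes.each_with_object({}) do |attr, out|
    set = attr.value
    inner = set.is_a?(OpenSSL::ASN1::Set) ? set.value.first : set
    next if inner.nil?
    out[attr.oid] = inner.value.to_s
  end
end

# Policy decision with the same contract as a Puppet policy autosign
# executable: true means "sign", false means "leave the request pending".
def autosign_allowed?(certname, csr_pem, inventory = KNOWN_INSTANCES)
  csr = OpenSSL::X509::Request.new(csr_pem)
  # The CSR must be self-signed by the key it carries (rejects tampering).
  return false unless csr.verify(csr.public_key)
  # The CN in the CSR must be the certname Puppet asked about.
  cn_ok = csr.subject.to_a.any? { |name, value, _| name == 'CN' && value == certname }
  return false unless cn_ok
  expected = inventory[certname]
  return false if expected.nil?                    # nobody provisioned this name
  attrs = csr_custom_attributes(csr)
  # Every attribute the inventory knows must be present and match exactly.
  expected.all? { |oid, want| attrs[oid] == want }
end

# Test helper (constructed): build a CSR the way an agent with a given
# csr_attributes.yaml would, embedding custom attributes under their OIDs.
def build_csr(certname, attrs, key)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', certname]])
  req.public_key = key
  attrs.each do |oid, str|
    value = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTF8String.new(str)])
    req.add_attribute(OpenSSL::X509::Attribute.new(oid, value))
  end
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req.to_pem
end

# Runs a constructed scenario: a CSR whose attributes match the inventory,
# and one from a host that merely claims the same certname. Returns both
# decisions as [genuine, forged].
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  genuine = build_csr('agent-1', KNOWN_INSTANCES['agent-1'], key)
  forged  = build_csr('agent-1', { PP_INSTANCE_ID => '0', PP_UUID => 'x' }, key)
  [autosign_allowed?('agent-1', genuine), autosign_allowed?('agent-1', forged)]
end

if __FILE__ == $0
  if ARGV.empty?
    puts demo.inspect                                  # [true, false]
  else
    # Invoked by the master as: my_autosign <certname> < csr.pem
    exit(autosign_allowed?(ARGV[0], $stdin.read) ? 0 : 1)
  end
end
```

The check is deliberately an allowlist: a request is signed only when the certname was provisioned and every attribute the cloud layer recorded for it matches what the agent presented, so a host that just knows a valid certname does not get a certificate. With `trusted_node_data = true` the same attributes become available to manifests as `$trusted`, which is the "trust your data" step on the slide.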
Why do this?
• How fast can you change?
• How frequent?
• At what cost?
• What is your level of automation?
So what became of Herman Hollerith?
Questions ?
Puppetize!