{"id":165,"date":"2018-11-27T15:36:45","date_gmt":"2018-11-27T15:36:45","guid":{"rendered":"https:\/\/patryk.rzski.com\/?p=165"},"modified":"2018-11-29T14:08:33","modified_gmt":"2018-11-29T14:08:33","slug":"puppet-git-docker-in-devops-a-simple-yet-powerful-workflow","status":"publish","type":"post","link":"https:\/\/patryk.rzski.com\/?p=165","title":{"rendered":"Puppet, Git, Docker in DevOps – a simple yet powerful workflow"},"content":{"rendered":"

In this article I’ll briefly describe how I’m managing my code (configs, scripts, etc.) between my workstation and my virtual private server playground. I will try to point out where I’m using simple solutions instead of enterprise-appropriate ones.<\/p>\n

To automate the workflow, I am using:<\/p>\n

  • Docker<\/strong> – to run services in sandboxed networks, without their dependencies<\/li>\n
  • Git<\/strong> – for proper version control of my code<\/li>\n
  • Cronie<\/strong> – for simple (cronie is a light weight cron implementation) scheduling (with enterprise alternatives)<\/li>\n
  • Puppet<\/strong> – for file orchestration and integrity monitoring<\/li>\n

    First of all, I need a code repository with the ability to control versions and to review commits. Git seems the most appropriate as it is easy to configure and is available by default in my Linux distribution (Gentoo<\/a>). It is also available in more common enterprise Linux choices, like RHEL, SLES or Debian.
    \nIt is highly recommended to generate a key pair to use key-based authentication with the Git server, or to be precise – with the ssh daemon running there. Use ssh-keygen<\/em> to generate the key pair (comes with the openssh package). From there, copy the public key (the one ending in .pub) and place it in Git user’s ~\/.ssh\/authorized_keys.
    \n
    \nSince there’s plenty of guides available about setting up a Git repository, I will not describe this in detail here. What I did briefly was a –bare init<\/em> for configs.git and scripts.git on the server, while on the client side, I’ve added two remotes over ssh with a custom port:
    \n
    \ngit remote add ssh:\/\/git@rzski.com:9999\/path\/to\/configs.git
    \ngit remote add ssh:\/\/git@rzski.com:9999\/path\/to\/scripts.git
    \n<\/code>
    \nThis allowed me to push all my files after aggregating their copies in one directory, and then pull it on my workstation. Now I can edit files locally and push them to the central repository on the server:
    \n
    \n% echo \"# End of file\" >> configs\/ntpd\/ntp.conf
    \n% git add configs\/ntpd\/ntp.conf
    \n% git commit -m \"configs: for the purpose of the article\"
    \n[master 3a26138] configs: for the purpose of the article
    \n 1 file changed, 1 insertion(+)
    \n% git push configs master
    \nEnumerating objects: 16, done.
    \nCounting objects: 100% (16\/16), done.
    \nDelta compression using up to 8 threads
    \nCompressing objects: 100% (9\/9), done.
    \nWriting objects: 100% (11\/11), 1.29 KiB | 1.29 MiB\/s, done.
    \nTotal 11 (delta 3), reused 0 (delta 0)
    \nTo ssh:\/\/rzski.com:9999\/path\/to\/configs.git
    \n c5858d0..3a26138 master -> configs<\/code>
    \n
    \nTime to set up Puppet to grab the files from the Git repository and push them to chosen environments. For simplicity, I’m using a single environment (production) here. Puppet needs a server (master) and an agent to provide the file orchestration and integrity monitoring functionality. It also needs a connector to grab files from Git and use them as source for modules. There are many ways to integrate Git and Puppet, such as:<\/p>\n

  • Puppet Enterprise (PE) + PE Code Manager (obsoleting or r10k)<\/li>\n
  • Puppet Enterprise (PE) + PE Bolt running scripts<\/li>\n
  • git pull<\/em> command scheduled to run in the Puppet external mount every minute (or so) by cronie<\/li>\n

    I went with the last approach, but it is probably least appropriate for enterprise or production environments. For me this was suitable, since I’ve decided to install the puppet-agent (no dependencies) from portage (Gentoo’s package manager), but have the master and the pdk run as Docker containers:
    \n
    \ndocker pull puppet\/puppetserver-standalone
    \ndocker pull terzom\/pdk<\/code><\/p>\n

    Running the Puppet master from a Docker container is very convenient. The images are tiny. I have created a \/30 network for just the master and the agent to operate in:
    \n
    \ndocker network create --internal --subnet=192.168.123.0\/30 --gateway 192.168.123.1 puppet-nw
    \ndocker run --name puppetmstr --hostname puppetmstr --network puppet-nw -d -v \/work\/puppetlabs:\/etc\/puppetlabs puppet\/puppetserver-standalone<\/code><\/p>\n

    Gladly, the pdk can be run in “disposable” mode (like the ansible container, if you decide to use it) and bind storage to the same config path as the master:
    \n
    \ndocker run --rm -it -v \/work\/puppetlabs:\/etc\/puppetlabs terzom\/pdk
    \n<\/code>
    \nThen run pdk to generate templates for a new module. A module is the recommended organizational unit of which files Puppet should control. In most cases people seem to start with NTP as a good, simple example. I’m skipping the interview since I’m not planning to open-source my configs \ud83d\ude09
    \n
    \npdk new module ntp --skip-interview
    \n<\/code><\/p>\n

    This generates the schema for the ntp module. Meanwhile, the server needs to be configured to accept connections from the agent (plenty of guides online, I’ll jump over this part) and become authorized to grab files from a clone of the central repo.<\/p>\n

    To set up the repo:
    \n
    \ncd \/work\/puppetlabs\/files;
    \ngit init;
    \ngit clone ssh:\/\/git@rzski.com:9999\/path\/to\/configs.git
    \nchown -R puppet:puppet configs\/
    \n<\/code>
    \nGOTCHA: all files and folders in the Puppet config as well as cloned from the Git repository need to match the UID and GID used by the Puppet master in the container<\/strong>. Matching the username and group name is not enough, since these are mapped in \/etc\/passwd and \/etc\/group respectively and can have varying octals. Matching them between the host and the container is apparently the recommended approach.
    \n
    \nThe Puppet master needs to know the location of the central repository pulled from Git. In the below example, I am configuring this directory as a Puppet mount point:
    \n
    \n# cat \/work\/puppetlabs\/puppet\/fileserver.conf
    \n[files]
    \n path \/etc\/puppetlabs\/files
    \n allow 192.168.123.0\/30<\/code>
    \n
    \n[configs]
    \n path \/etc\/puppetlabs\/files\/configs
    \n allow 192.168.123.0\/30
    \n<\/code>
    \nNote the paths refer to \/etc rather than \/work, since that’s how the master running from within the container will see them.
    \nTo configure authorizing the server to access this mount (although it should be enabled by default, I’d rather cut it down to just the participants of my puppet-nw network), the following regexp stanzas are needed (use docker attach puppetmstr<\/em> to hook into the running Puppet master and see how it handles these paths as agents try to connect to it):
    \n
    \n# cat \/work\/puppetlabs\/puppet\/auth.conf
    \n(...)
    \n# Authorization for serving files from the Git repo
    \npath ~ ^\/file_(metadata|content)s?\/configs\/
    \nmethod find
    \nallow 192.168.123.0\/30
    \npath ~ ^\/file_(metadata|content)s?\/files\/configs\/
    \nmethod find
    \nallow 192.168.123.0\/30
    \n(...)
    \n<\/code><\/p>\n

    Now each time I want to link a file in the central repo with a file in production, be it a script, config, or source code, I need to generate a module for it. Inside each such module, I’m defining a config class to manage the actual config file. The rest of the module code has been pre-populated by pdk<\/em>.
    \n
    \n# cat \/work\/puppetlabs\/code\/modules\/ntp\/manifests\/config.pp <\/p>\n

    # ntp::config
    \n#
    \n# A description of what this class does
    \n#
    \n# @summary A short summary of the purpose of this class
    \n#
    \n# @example
    \n# include ntp::config
    \nclass ntp::config {
    \n file { \"ntp.conf\" :
    \n path => \"\/etc\/ntp.conf\",
    \n owner => \"root\",
    \n group => \"root\",
    \n mode => \"0644\",
    \n source => \"puppet:\/\/\/configs\/ntpd\/ntp.conf\",
    \n }
    \n}<\/code>
    \nIn the above example, the source is defined as Puppet’s fileserver relative location, mount name equals “configs”, and the path is set to ntpd\/ntp.conf to match the config file location in the central config repository pulled from Git.
    \n
    \nThe Puppet master also needs to know on which nodes (servers) it should manage these config files. In this case, the management happens in the production environment, on the VPS hosting the Puppet master container only – rzski.com<\/strong> (hostname is picked from the host’s \/etc\/hosts):
    \n
    \n# cat \/work\/puppetlabs\/code\/environments\/production\/manifests\/site.pp
    \nnode \"rzski.com\" {
    \n include ntp::config
    \n}<\/code>
    \nThe above two steps (class definition with the correct path and the site.pp class reference per node) would have to be repeated for every module (set of config files or single files or scripts).<\/p>\n

    To verify the configs are shared, run the local Puppet binary testing the agent mode:
    \n
    \n# puppet agent -t
    \nInfo: Using configured environment 'production'
    \nInfo: Retrieving pluginfacts
    \nInfo: Retrieving plugin
    \nInfo: Retrieving locales
    \nInfo: Caching catalog for rzski.com
    \nInfo: Applying configuration version '1543335030'
    \nNotice: Applied catalog in 0.05 seconds
    \n<\/code>
    \nAnd to observe the change commited by appending a comment to the end of the ntp.conf file:
    \n
    \n# tail \/var\/log\/puppetlabs\/puppet\/puppet.log
    \npuppet-agent[18560]: Applied catalog in 0.05 seconds
    \npuppet-agent[18728]: (\/Stage[main]\/Ntp::Config\/File[ntp.conf]\/content) content changed '{md5}96db7670882085ea77ce9b5fa14dc46f' to '{md5}06f8cea8589b23e43dcea88cce5ac8ea
    \n<\/code><\/p>\n

    Finally, to “sync” between the Git repo and the Puppet repo, cron can call git pull<\/em> every minute (as described above, optionally that can land in a small shell script). Either switch user to ‘puppet’ and clone (su – puppet -c “git clone…”<\/em>, but this requires giving the puppet user a valid shell, which is not ideal), or just pull && chown.<\/p>\n

    To go further from here, I can also execute a command (using Bolt for agentless approach, or a shell script) to, for example, push my Solidity code into my Docker container running Geth Ethereum node. Let’s say I’ve pushed the file from the workstation and accepted the commit. Once the new version gets cloned into the Puppet repo, run docker cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH<\/em>. Then, to register the ABI and, if required, compile, I can chain another task calling docker exec container_name command<\/em> and collect the outputs. But that’s material for another article \ud83d\ude09<\/p>\n","protected":false},"excerpt":{"rendered":"

    In this article I’ll briefly describe how I’m managing my code (configs, scripts, etc.) between my workstation and my virtual private server playground. I will try to point out where I’m using simple solutions instead of enterprise-appropriate ones. To automate the workflow, I am using: Docker – to run services in sandboxed networks, without their […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/patryk.rzski.com\/index.php?rest_route=\/wp\/v2\/posts\/165"}],"collection":[{"href":"https:\/\/patryk.rzski.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/patryk.rzski.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/patryk.rzski.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/patryk.rzski.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=165"}],"version-history":[{"count":18,"href":"https:\/\/patryk.rzski.com\/index.php?rest_route=\/wp\/v2\/posts\/165\/revisions"}],"predecessor-version":[{"id":183,"href":"https:\/\/patryk.rzski.com\/index.php?rest_route=\/wp\/v2\/posts\/165\/revisions\/183"}],"wp:attachment":[{"href":"https:\/\/patryk.rzski.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=165"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/patryk.rzski.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=165"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/patryk.rzski.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=165"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}