Presentation is loading. Please wait.

Presentation is loading. Please wait.

CERN IT Department CH-1211 Genève 23 Switzerland t Experiences running a production Puppet Ben Jones HEPiX Bologna Spring.

Published byRandolph Alexander Modified over 9 years ago

Similar presentations

Presentation on theme: "CERN IT Department CH-1211 Genève 23 Switzerland t Experiences running a production Puppet Ben Jones HEPiX Bologna Spring."— Presentation transcript:

1 CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Experiences running a production Puppet infrastructure @CERN Ben Jones HEPiX Bologna Spring 2013

2 Infrastructure Foreman – kickstart, ENC, report visualisation Multiple puppet masters – load balanced (simple for now) PuppetDB – stored configs, complex manifests, data mining hiera data separation CERN CA git managed manifests – split into “modules”, “hostgroups”, “hieradata” Puppet in production - 2

3 Production service Customers running production services using the infra – openstack, cvmfs, lxplus – modules appearing for bddi, MyProxy, glexec WN, argus, voms, castor Plant still modest but increasing – ~1350 clients, 2/3 physical – numbers will change soon as batch comes online Lots of changes in this year due to production experience Puppet in production - 3

4 Don’t turn your computer centre into a giant DDOS machine Puppet in production - 4

5 Facter Facter a great tool to abstract common information for a machine – virtual fact good example of hidden complexity (180 loc) Unlike what we were used to in Quattor, machine facts can inform configuration Custom facts are simple to write… too simple! – LANDB integration for location, network info, owner etc – 1000s of clients * short runinterval == unhappy LANDB Solutions: cache or use masters – cache directly in facter code or wait for facter 2.0 – use custom functions Puppet in production - 5

6 Decide on one entry point to apply configuration Puppet in production - 6

7 the foreman Foreman useful tool for many tasks – provisioning (physical and virtual) – configuration (ENC) – monitoring (reports) Important to consider extent to use the ENC Environment best defined by ENC – no choice anyway in puppet 3 Hostgroups essential in ENC – hostgroups similar to quattor clusters castor/server/diskserver/atlas/t0atlas – hiera data assigned to hostgroup, so machine cannot assert membership Puppet in production - 7

8 foreman classes Puppet in production - 8

9 module imports We switched off foreman classes. History of changes not in git Either no parameters, or class{} declarations – most non-trivial modules require some parameters Class / environment import takes time Nested hostgroup module definition was useful – we implemented a puppet include_if_exists (on github) – hostgroup module tree included if in hierarchy – castor/headnode/c2repack hostgroup would load: hostgroups/hg_castor/manifests/init.pp hostgroups/hg_castor/manifests/headnode/c2repack.pp Puppet in production - 9

10 Don’t let your machines become time travellers. Puppet in production - 10

11 Compile process Facts Facts received from node ENC Node info from the ENC, cache result. Catalog Combine facts, enc data & config, compile catalog. Puppet in production - 11

12 Stale definitions With multiple puppet masters, if foreman is unavailable the cache can be stale depending on which master contacted. A change of hostgroup or environment can be painful Obvious answer to not cache, or to share / update cache Lesson is components are horizontally scalable, but not always case that this is robust Puppet in production - 12

13 Try not to make all your secrets public Puppet in production - 13

14 PuppetDB Collects facts & catalogs generated by puppet Supports exported resources & inventory service Can be directly queried in manifests – github.com/dalen/puppetdbquery Wider ad-hoc usage useful – git hooks – “who’s using X” Dangerous! – /commands – “secret” data Puppet in production - 14

15 PuppetDB proxy Whitelist traffic from puppet masters & lb Refuse all /commands/ from load balancers Use resource tags to filter “secrets” { "parameters" : { "entry" : "egroup", "k5file" : "/root/.k5login”,}, "sourceline" : 54, "sourcefile" : "/etc/puppet/environments/bejones/modules/kerberos/manifests/config.pp", "exported" : false, "tags" : [ "config", "k5entry", "ai-admins", "kerberos::k5entry", "base", "class", "kerberos", "kerberos::config" ], "title" : "ai-admins", "type" : "Kerberos::K5entry”, "certname" : "benvm01.cern.ch" } Puppet in production - 15

16 git workflow is easy to get wrong Puppet in production - 16

17 git workflow puppet “dynamic environments” – puppet masters pull git repositories, create environment per branch – foreman imports environment list Managed branches for majority – production (master) – devel Topic branches should be easy to create Don’t allow non fast-forward updates to managed branches – obviously, who would forget to do that? Puppet in production - 17

18 git workflow Goal is to get safe changes applied as quickly as possible Only cherry-picked signed off changes to master Fast track for low impact one-module changes, hostgroup & hiera More involvement from core team for complex changes Future plans to use CI to streamline – bamboo (or similar) for system tests – canary machines Puppet in production - 18

19 Community “We’re not special” https://github.com/cernops Fork where necessary but always try to return to mainstream Would welcome more involvement from HEPiX sites on common problems Puppet in production - 19

Download ppt "CERN IT Department CH-1211 Genève 23 Switzerland t Experiences running a production Puppet Ben Jones HEPiX Bologna Spring."

Similar presentations

Focus on Your Content, Not on Ingesting Your Content Terry Brady Applications Programmer Analyst Georgetown University Library https://github.com/organizations/Georgetown-University-Libraries.

Focus on Your Content, Not on Ingesting Your Content Terry Brady Applications Programmer Analyst Georgetown University Library
Tier-1 Evolution and Futures GridPP 29, Oxford Ian Collier September 27 th 2012.

Tier-1 Evolution and Futures GridPP 29, Oxford Ian Collier September 27 th 2012.
About Me CTO, Individual Digital, Inc. (Startup) Author of ext/tidy, PHP 5 Unleashed, Zend Ent. PHP Patterns

About Me CTO, Individual Digital, Inc. (Startup) Author of ext/tidy, PHP 5 Unleashed, Zend Ent. PHP Patterns
Paperless Online Payroll, Integrated HR & Report Generating System.

Paperless Online Payroll, Integrated HR & Report Generating System.
Hit or Miss ? !!!.  Cache RAM is high-speed memory (usually SRAM).  The Cache stores frequently requested data.  If the CPU needs data, it will check.

Hit or Miss ? !!!.  Cache RAM is high-speed memory (usually SRAM).  The Cache stores frequently requested data.  If the CPU needs data, it will check.
Internet Networking Spring 2002 Tutorial 13 Web Caching Protocols ICP, CARP.

Internet Networking Spring 2002 Tutorial 13 Web Caching Protocols ICP, CARP.
Grid Technology CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t DBCF GT Simplifying Configuration Ricardo Rocha ( on behalf of the LCGDM.

Grid Technology CERN IT Department CH-1211 Geneva 23 Switzerland t DBCF GT Simplifying Configuration Ricardo Rocha ( on behalf of the LCGDM.
CERN - IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Service-Now UDS training [Jan 2011] - 1 Service-now training for UDS Service-now training.

CERN - IT Department CH-1211 Genève 23 Switzerland t Service-Now UDS training [Jan 2011] - 1 Service-now training for UDS Service-now training.
CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Integrating Lemon Monitoring and Alarming System with the new CERN Agile Infrastructure.

CERN IT Department CH-1211 Genève 23 Switzerland t Integrating Lemon Monitoring and Alarming System with the new CERN Agile Infrastructure.
CONTINUOUS INTEGRATION, DELIVERY & DEPLOYMENT ONE CLICK DELIVERY.

CONTINUOUS INTEGRATION, DELIVERY & DEPLOYMENT ONE CLICK DELIVERY.
Module 1: Installing Active Directory Domain Services

Module 1: Installing Active Directory Domain Services
Getting to Push Button Deploys Moovweb January 19, 2012.

Getting to Push Button Deploys Moovweb January 19, 2012.
Christopher Jeffers August 2012

Christopher Jeffers August 2012
Tools and software process for the FLP prototype B. von Haller 9. June 2015 CERN.

Tools and software process for the FLP prototype B. von Haller 9. June 2015 CERN.
CERN - IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Monitoring the ATLAS Distributed Data Management System Ricardo Rocha (CERN) on behalf.

CERN - IT Department CH-1211 Genève 23 Switzerland t Monitoring the ATLAS Distributed Data Management System Ricardo Rocha (CERN) on behalf.
AI project components: Facter and Hiera

AI project components: Facter and Hiera
Puppet with vSphere Workshop Install, configure and use Puppet on your laptop for vSphere DevOps Billy Lieberman August 1, 2015.

Puppet with vSphere Workshop Install, configure and use Puppet on your laptop for vSphere DevOps Billy Lieberman August 1, 2015.
The Art and Zen of Managing Nagios with Puppet Michael Merideth - VictorOps

The Art and Zen of Managing Nagios with Puppet Michael Merideth - VictorOps
CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Internet Services Job Monitoring for the LHC experiments Irina Sidorova (CERN, JINR) on.

CERN IT Department CH-1211 Genève 23 Switzerland t Internet Services Job Monitoring for the LHC experiments Irina Sidorova (CERN, JINR) on.
Towards Low Overhead Provenance Tracking in Near Real-Time Stream Filtering Nithya N. Vijayakumar, Beth Plale DDE Lab, Indiana University {nvijayak,

Towards Low Overhead Provenance Tracking in Near Real-Time Stream Filtering Nithya N. Vijayakumar, Beth Plale DDE Lab, Indiana University {nvijayak,

Similar presentations

Ads by Google