Kitchen / Docker / Puppet

After several years spent trying to build its own configuration management tool, my company has decided to look at Puppet Labs. The model described here is a hierarchical tree whose Role-Based Access Control[1] is enforced through Git hooks. The masterless mode was selected (no SPOF, and lightweight control of the configuration applied to servers).

Fabric will surely be used to orchestrate the push to nodes.

Prerequisites

.
├── centos-6.6-dockerfile
├── Gemfile
├── hiera.yml
├── manifests
│   └── site.pp
├── Puppetfile
├── readme.md
└── test
    └── integration
        └── default
            ├── bats
            │   └── ntp_installed.bats
            └── serverspec
                └── ntp_daemon_spec.rb

Get cooking!

$> mkdir kitchen-docker-puppet-example
$> cd kitchen-docker-puppet-example
$> git init
$> kitchen init --driver=kitchen-docker --create-gemfile

Bring puppets!

...

$> echo 'gem "kitchen-puppet"' >> Gemfile
$> echo 'gem "puppet"' >> Gemfile
$> echo 'gem "librarian-puppet"' >> Gemfile

...

$> cat << FIN >> hiera.yml
:backends:
  - yaml
:yaml:
  :datadir: /var/lib/hiera
:hierarchy:
  - node/classes
  - origin/main
  - ntp
FIN

...

$> mkdir manifests
$> cat << FIN >> manifests/site.pp
#hiera_include('classes')
class { '::ntp':
  servers => [ '0.pool.ntp.org', '1.pool.ntp.org' ],
}
FIN

...

$> librarian-puppet init
$> cat << FIN >> Puppetfile
#!/usr/bin/env ruby
#^syntax detection

forge "https://forgeapi.puppetlabs.com"

# use dependencies defined in Modulefile
mod "puppetlabs-ntp"
mod 'puppetlabs-stdlib'
FIN

$> librarian-puppet install

Cook with container

...

$> cat << FIN >> centos-6.6-dockerfile
FROM centos:6.6
RUN yum clean all
RUN yum install -y sudo openssh-server openssh-clients which curl htop
RUN ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
RUN ssh-keygen -t dsa -N '' -f /etc/ssh/ssh_host_dsa_key
RUN mkdir -p /var/run/sshd
# the "kitchen" user is the one given a password and sudo rights below
RUN useradd -d /home/kitchen -m -s /bin/bash kitchen
RUN echo kitchen:kitchen | chpasswd
RUN echo 'kitchen ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
FIN

Setup

Now we have to update the .kitchen.yml file with the Puppet-specific options from the kitchen-puppet gem. See the kitchen-puppet documentation and its provisioner options for details.

$> cat << FIN > .kitchen.yml
driver:
  name: docker

provisioner:
  name: puppet_apply
  manifests_path: manifests
  modules_path: modules
  hiera_data_path: hieradata
  #hiera_config_path: hiera.yml
  #resolve_with_librarian_puppet: true

platforms:
  - name: centos-latest
    driver_config:
      image: centos:latest
      platform: centos
      use_cache: true
      dockerfile: centos-latest-dockerfile
      #socket: <%= ENV['DOCKER_HOST'] %>
  - name: centos-6.6
    driver_config:
      image: centos:6.6
      platform: centos
      use_cache: true
      dockerfile: centos-6.6-dockerfile

suites:
  - name: default
    manifest: site.pp
FIN

Tests

$> install -d test/integration/default/bats
$> # quote the delimiter so that "$status" below is written literally instead of being expanded
$> cat << 'FIN' >> test/integration/default/bats/ntp_installed.bats
#!/usr/bin/env bats

@test "ntp rpm found" {
  run rpm -qa ntp
  [ "$status" -eq 0 ]
}
FIN
$> install -d test/integration/default/serverspec
$> cat << FIN >> test/integration/default/serverspec/ntp_daemon_spec.rb
require 'serverspec'

# Required by serverspec
set :backend, :exec

describe package('ntp'), :if => os[:family] == 'redhat' do
  it { should be_installed }
end

describe file('/etc/ntp.conf') do
  it { should be_file }
  its(:content) { should match /server 0.pool.ntp.org prefer/ }
  its(:content) { should match /server 1.pool.ntp.org/ }
end

describe "Ntp Daemon" do
  it "has a running service of ntpd" do
    expect(service("ntpd")).to be_running
  end
end
FIN

Here We Go!

...

$> bundle install
$> kitchen list
$> kitchen converge default-centos-66
$> kitchen verify default-centos-66
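Before running converge and verify, a preflight check is worth having. The script below is an added example, not part of the original README or of Test Kitchen itself: it assumes this README's layout (.kitchen.yml, manifests/, test/integration/) and flags a platform whose dockerfile is not in the repo, a suite manifest that does not exist, and a bats test written through an unquoted heredoc (which expands "$status" to nothing). The fixtures it builds are constructed samples.

```shell
# Preflight check before "kitchen converge": an added example, not part of the original
# README. It catches mistakes that otherwise surface only after Docker has built the
# image: a platform whose "dockerfile:" points at a file missing from the repo, and a bats
# test written through an unquoted heredoc, which expands "$status" to nothing.
kitchen_preflight() {
  dir="$1"; rc=0
  yml="$dir/.kitchen.yml"
  [ -f "$yml" ] || { echo "no $yml"; return 1; }
  # every uncommented "dockerfile: <path>" must exist relative to the project root
  for f in $(sed -n 's/^[[:space:]]*dockerfile:[[:space:]]*//p' "$yml"); do
    [ -f "$dir/$f" ] || { echo "dockerfile missing: $f"; rc=1; }
  done
  # every suite "manifest:" must exist under manifests_path (default: manifests)
  mp=$(sed -n 's/^[[:space:]]*manifests_path:[[:space:]]*//p' "$yml")
  for m in $(sed -n 's/^[[:space:]]*manifest:[[:space:]]*//p' "$yml"); do
    [ -f "$dir/${mp:-manifests}/$m" ] || { echo "manifest missing: $m"; rc=1; }
  done
  # a bats test whose heredoc expanded $status now reads '[ "" -eq 0 ]'
  for b in "$dir"/test/integration/*/bats/*.bats; do
    [ -f "$b" ] || continue
    if grep -q '\[ "" -eq' "$b"; then echo "expanded shell variable in $b"; rc=1; fi
  done
  return $rc
}

# Constructed sample projects (good / bad) used to exercise the check; not the README's files.
make_fixture() {
  dir="$1"; mode="$2"
  mkdir -p "$dir/manifests" "$dir/test/integration/default/bats"
  echo "class { '::ntp': }" > "$dir/manifests/site.pp"
  : > "$dir/centos-6.6-dockerfile"
  df=centos-6.6-dockerfile
  if [ "$mode" = bad ]; then df=centos-latest-dockerfile; fi   # referenced, never written
  printf 'provisioner:\n  manifests_path: manifests\nplatforms:\n  - name: centos\n' > "$dir/.kitchen.yml"
  printf '    driver_config:\n      dockerfile: %s\nsuites:\n  - name: default\n    manifest: site.pp\n' "$df" >> "$dir/.kitchen.yml"
  bats="$dir/test/integration/default/bats/ntp_installed.bats"
  if [ "$mode" = bad ]; then
    cat > "$bats" << FIN
@test "ntp rpm found" { run rpm -qa ntp; [ "$status" -eq 0 ]; }
FIN
  else
    cat > "$bats" << 'FIN'
@test "ntp rpm found" { run rpm -qa ntp; [ "$status" -eq 0 ]; }
FIN
  fi
}
```

Run `kitchen_preflight .` from the project root; a non-zero exit lists each problem found.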

Footnotes

  1. Role-Based Access Control is an approach to restricting system access to authorized users