Exiting Vacuum: Integrating Configuration Management into your Ecosystem

Transcript

1. EXITING VACUUM INTEGRATING CONFIGURATION MANAGEMENT Sascha Bates Opscode Wednesday, October

   2, 13

2. blog.brattyredhead.com Twin Cities Infracoders Meetup @sascha_d The Ship Show Podcast

   sascha bates Wednesday, October 2, 13

3. credentials? In love with CM since 2010 Curating developer happiness

   even longer Wednesday, October 2, 13

4. Wednesday, October 2, 13

5. A tool is just a tool Wednesday, October 2, 13

6. it’s what you do with it that matters Wednesday, October

   2, 13

7. WHY AM I HERE? Wednesday, October 2, 13

8. I mess things up so you don’t have to Wednesday,

   October 2, 13

9. Wasn’t it awesome when it took 3-6 weeks to get

   a dev server and you got to share it with 60 other people? - nobody ever Wednesday, October 2, 13

10. This Never Happens wrong database connection string deployed to prod

    smtp server fixed by hand and forgotten test apache server with special configs ssh keys pushed by hand Wednesday, October 2, 13

11. configuration management defines and idempotently enforces system state across infrastructure

    components Wednesday, October 2, 13

12. freedom not bondage Wednesday, October 2, 13

13. confidence Wednesday, October 2, 13

14. Configuration Management is NOT a magic rainbow pixie dusted unicorn

    coming to save you Wednesday, October 2, 13

15. Wednesday, October 2, 13

16. where do you stand? Wednesday, October 2, 13

17. Wednesday, October 2, 13

18. if I’m really quiet Wednesday, October 2, 13

19. Wednesday, October 2, 13

20. you find yourself... in a maze of twisty little passages

    all alike Wednesday, October 2, 13

21. Map the Journey Infrastructure Greenfielding and Brownfielding A Balanced Ecosystem

    Practical CM Wednesday, October 2, 13

22. Infrastructure who cares? Wednesday, October 2, 13

23. In a perfect universe Provision Identically the brains behind your

    servers Wednesday, October 2, 13

24. In a perfect universe One deployment process to rule them

    all because deployments are complicated enough Wednesday, October 2, 13

25. In a perfect universe Repositories for all OS packages yum

    install tomcat trumps curl -o http://some-tomcat-url tar -xvf tomcat.gz Wednesday, October 2, 13

26. In a perfect universe Hands-off the servers! this guy again

    Wednesday, October 2, 13

27. Getting Started making mud pies Wednesday, October 2, 13

28. Infrastructure Crafting Server Provisioning Wednesday, October 2, 13

29. Infrastructure Crafting App Layer Configuration keep configuration data separate from

    code different configs in different environments deployments controlled by different teams Wednesday, October 2, 13

30. Infrastructure Crafting Dynamic Discovery Across Tiers application instances noticed by

    web instances noticed by load balancer configs Wednesday, October 2, 13

31. Infrastructure Crafting Workstation Automation make onboarding a fast happy process

    eliminate stale epic-length wiki pages Wednesday, October 2, 13

32. Infrastructure Crafting Superior Local Testing vagrant virtualbox/ec2/vmware chef/puppet/ansible Wednesday, October

    2, 13

33. Infrastructure Crafting Beef Up Your Pipeline Jenkins + Configuration Management

    = powa bootstrap/deploy automated integration/functional testing ftw Wednesday, October 2, 13

34. Getting Started don’t do this Wednesday, October 2, 13

35. Pick a Sane Use Case don’t try to automate the

    world small achievable measurable impactful Wednesday, October 2, 13

36. Pick a Sane Use Case stay agile and visible demo

    your impactful automation show time/frustration saved Wednesday, October 2, 13

37. Keep an Open Mind “because we’ve always done it that

    way” is no longer acceptable Wednesday, October 2, 13

38. Refactoring Happens Wednesday, October 2, 13

39. Brownfielding your biggest challenge is people Wednesday, October 2, 13

40. Brownfielding coloring inside the lines Wednesday, October 2, 13

41. Brownfielding collaborating legacy apps have possessive owners be inclusive, ask

    questions listen when they tell you what will work mute criticism Wednesday, October 2, 13

42. A Balanced Ecosystem automation can’t live in a vacuum Wednesday,

    October 2, 13

43. a package manager a package repository a substitute for version

    control Configuration Management is not Wednesday, October 2, 13

44. package repos configuration management A Balanced Ecosystem Package Repos insert

    package repository rant here Wednesday, October 2, 13

45. configuration management code is CODE put it where it belongs

    A Balanced Ecosystem Version Control Wednesday, October 2, 13

46. A Balanced Ecosystem Build Tools Wednesday, October 2, 13

47. A Balanced Ecosystem Virtualization Wednesday, October 2, 13

48. Practical CM testing you can write tests for CM unit

    testing w/rspec functional/integration testing with minitest/bats Wednesday, October 2, 13

49. Practical CM dependency resolution Librarian for both Puppet and Chef

    Berkshelf for Chef There could be others Wednesday, October 2, 13

50. Practical CM primitives Wednesday, October 2, 13

51. Practical CM primitives file, user, package, template, directory built-in idempotence

    readability operating system cross-functionality Wednesday, October 2, 13

52. Practical CM exec blocks Wednesday, October 2, 13

53. Practical CM exec vs primitives bash ‘install_my_package’ do command “yum

    -y install my_package” end NEVER DO THIS Wednesday, October 2, 13

54. Practical CM exec vs primitives ALWAYS DO THIS package 'apache'

    do action :install end Wednesday, October 2, 13

55. bash "install_tomcat6" do tomcat_version_name = "apache-tomcat-#{node.tomcat.version}" tomcat_version_name_tgz = "#{tomcat_version_name}.tar.gz" user

    "root" code <<-EOH curl --proxy https://aproxy.com:8080/ --user user:pass https://myartifactoryurl.com/artifactory/ext-release-local/ apache-tomcat/apache-tomcat/#{node.tomcat.version}/ #{tomcat_version_name_tgz} -o /tmp/#{tomcat_version_name_tgz} tar -zxf /tmp/#{tomcat_version_name_tgz} -C /tmp rm /tmp/#{tomcat_version_name_tgz} mv /tmp/#{tomcat_version_name} #{node.tomcat.install_path} chown -R #{node.tomcat.run_user}:#{node.tomcat.run_group} #{node.tomcat.install_path} chmod -R 755 #{node.tomcat.install_path} rm -rf #{node.tomcat.install_path}/webapps/ROOT EOH end Wednesday, October 2, 13

56. wtf was that?! Wednesday, October 2, 13

57. package 'tomcat7' do action :install end Wednesday, October 2, 13

58. Practical CM template primitive templates allow you to write flat

    files with varied configs across different environments Wednesday, October 2, 13

59. <% @sudoers_users.each do |user| -%> <%= user %> ALL=(ALL) <%=

    "NOPASSWD:" if @passwordless %>ALL <% end -%> # Members of the sysadmin group may gain root privileges %sysadmin ALL=(ALL) <%= "NOPASSWD:" if @passwordless %>ALL Wednesday, October 2, 13

60. bash "update_ssh" do code <<-EOH sed -i -e 's/ AuthorizedKeysFile.*authorized_keys/

    AuthorizedKeysFile \\/\\.keys\\/%u\\/ authorized_keys/g' /etc/ssh/sshd_config EOH end bash “ssh_dns” do code <<-EOH sed -i -e 's/#UseDNS.yes/UseDNS no/g' /etc/ssh/sshd_config EOH end Wednesday, October 2, 13

61. primitives trump execs package "ssh" do action :install end service

    "sshd" do action [:enable, :start] end template "/etc/ssh/sshd_config" do action :create mode 0644 notifies :restart,"service[sshd]" end Wednesday, October 2, 13

62. Practical CM extending and abstracting CM tools are easy to

    extend understand repeatable patterns abstract them into libraries, resources, custom types keep front line code readable Wednesday, October 2, 13

63. # Cookbook Name:: keys # Recipe:: common # Author:: Sascha

    Bates keys = [] search('public_keys',"tags:common").each { |k| keys << k } search('public_keys',"tags:chef AND tags:#{node.env}").each { | k| keys << k } keys.each do |k| key_type, key_part, key_comment = k['pub_key'].split(' ') ruby_block "root_keys_#{k['id']}" do Chef::Log.debug("test condition: grep #{key_part} #{keyfile}") not_if "grep #{key_part} #{keyfile}" block do File::open(keyfile, 'a') do |f| Chef::Log.debug("Adding #{key_comment} to #{f.path}") f << k["pub_key"] << "\n" end end Wednesday, October 2, 13

64. dsl trumps code # Cookbook Name:: keys # Recipe:: common

    # Author:: Sascha Bates authkey “common_key” do action :add user “root” end Wednesday, October 2, 13

65. If you don’t remember anything else start small, stay visible,

    communicate craft a holistic ecosystem use the tool wisely and well Wednesday, October 2, 13

66. bonus slide # -*- mode: ruby -*- # vi: set

    ft=ruby Vagrant.configure("2") do |config| config.vm.hostname = "goto-example" config.vm.box = "opscode_centos-6.4_provisionerless" config.vm.network :private_network, ip: "33.33.33.10" config.vm.network "forwarded_port", guest: 8080, host: 8080, auto_correct: true config.omnibus.chef_version = :latest config.ssh.max_tries = 40 config.ssh.timeout = 120 config.berkshelf.enabled = true config.vm.provision :chef_solo do |chef| chef.log_level = :debug chef.run_list = [ "recipe[goto::default]" ] end end Wednesday, October 2, 13