exiting vacuum - goto conference gotocon.com/dl/goto-aar-2013/slides/saschabates_exitingvacuum...
TRANSCRIPT
EXITING VACUUM
INTEGRATING CONFIGURATION MANAGEMENT
Sascha Bates
Opscode
Wednesday, October 2, 13
sascha bates
blog.brattyredhead.com
@sascha_d
Twin Cities Infracoders Meetup
The Ship Show Podcast

credentials?
In love with CM since 2010
Curating developer happiness even longer

A tool is just a tool
it’s what you do
with it that matters
WHY AM I HERE?
I mess things up
so you don’t have to

Wasn’t it awesome when it took 3-6 weeks to get a dev server and you got to share it with 60 other people?
- nobody ever

This Never Happens
wrong database connection string deployed to prod
smtp server fixed by hand and forgotten
test apache server with special configs
ssh keys pushed by hand

configuration management
defines and idempotently enforces system state across infrastructure components

freedom
not bondage

confidence

Configuration Management is NOT
a magic rainbow pixie dusted unicorn
coming to save you

where do you stand?
if I’m really quiet
you find yourself...
in a maze of twisty little passages all alike

Map the Journey
Infrastructure
Greenfielding and Brownfielding
A Balanced Ecosystem
Practical CM

Infrastructure
who cares?

In a perfect universe
Provision Identically
the brains behind your servers

In a perfect universe
One deployment process to rule them all
because deployments are complicated enough

In a perfect universe
Repositories for all OS packages
yum install tomcat
trumps
curl -o tomcat.gz http://some-tomcat-url
tar -xvf tomcat.gz

In a perfect universe
Hands-off the servers!
this guy again

Getting Started
making mud pies

Infrastructure Crafting
Server Provisioning

Infrastructure Crafting
App Layer Configuration
keep configuration data separate from code
different configs in different environments
deployments controlled by different teams

Infrastructure Crafting
Dynamic Discovery Across Tiers
application instances
noticed by
web instances
noticed by
load balancer configs

Infrastructure Crafting
Workstation Automation
make onboarding a fast happy process
eliminate stale epic-length wiki pages

Infrastructure Crafting
Superior Local Testing
vagrant
virtualbox/ec2/vmware
chef/puppet/ansible

Infrastructure Crafting
Beef Up Your Pipeline
Jenkins + Configuration Management = powa
bootstrap/deploy
automated integration/functional testing ftw

Getting Started
don’t do this

Pick a Sane Use Case
don’t try to automate the world
small
achievable
measurable
impactful

Pick a Sane Use Case
stay agile and visible
demo your impactful automation
show time/frustration saved

Keep an Open Mind
“because we’ve always done it that way” is no longer acceptable

Refactoring Happens
Brownfielding
your biggest challenge is people

Brownfielding
coloring inside the lines

Brownfielding
collaborating
legacy apps have possessive owners
be inclusive, ask questions
listen when they tell you what will work
mute criticism

A Balanced Ecosystem
automation can’t live in a vacuum

Configuration Management is not
a package manager
a package repository
a substitute for version control

A Balanced Ecosystem
Package Repos
package repos
configuration management
insert package repository rant here

A Balanced Ecosystem
Version Control
configuration management code is CODE
put it where it belongs

A Balanced Ecosystem
Build Tools

A Balanced Ecosystem
Virtualization

Practical CM
testing
you can write tests for CM
unit testing w/rspec
functional/integration testing with minitest/bats

Practical CM
dependency resolution
Librarian for both Puppet and Chef
Berkshelf for Chef
There could be others

Practical CM
primitives
file, user, package, template, directory
built-in idempotence
readability
operating system cross-functionality

Practical CM
exec blocks

Practical CM
exec vs primitives
NEVER DO THIS
bash 'install_my_package' do
  code "yum -y install my_package"
end

Practical CM
exec vs primitives
ALWAYS DO THIS
package 'apache' do
  action :install
end

# runs as root with no guard (not_if/creates), so the script executes on every converge
# credentials are passed on the curl command line; the tarball is unpacked without a checksum check
bash "install_tomcat6" do
  tomcat_version_name = "apache-tomcat-#{node.tomcat.version}"
  tomcat_version_name_tgz = "#{tomcat_version_name}.tar.gz"
  user "root"
  code <<-EOH
    curl --proxy https://aproxy.com:8080/ --user user:pass https://myartifactoryurl.com/artifactory/ext-release-local/apache-tomcat/apache-tomcat/#{node.tomcat.version}/#{tomcat_version_name_tgz} -o /tmp/#{tomcat_version_name_tgz}
    tar -zxf /tmp/#{tomcat_version_name_tgz} -C /tmp
    rm /tmp/#{tomcat_version_name_tgz}
    mv /tmp/#{tomcat_version_name} #{node.tomcat.install_path}
    chown -R #{node.tomcat.run_user}:#{node.tomcat.run_group} #{node.tomcat.install_path}
    chmod -R 755 #{node.tomcat.install_path}
    rm -rf #{node.tomcat.install_path}/webapps/ROOT
  EOH
end

wtf was that?!

package 'tomcat7' do
  action :install
end

Practical CM
template primitive
templates allow you to write flat files with varied configs across different environments

<% @sudoers_users.each do |user| -%>
<%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %>ALL
<% end -%>
# Members of the sysadmin group may gain root privileges
%sysadmin ALL=(ALL) <%= "NOPASSWD:" if @passwordless %>ALL

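Added example (not code from the talk): the slide's sudoers template rendered with Ruby's standard ERB for two constructed environments, with user names checked before they reach the file. The `SudoersView` class, the `SAFE_USER` pattern and the environment data are assumptions made for illustration.

```ruby
require 'erb'

# The sudoers template from the slide, unchanged.
SUDOERS_TEMPLATE = <<~'TEMPLATE'
  <% @sudoers_users.each do |user| -%>
  <%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %>ALL
  <% end -%>
  # Members of the sysadmin group may gain root privileges
  %sysadmin ALL=(ALL) <%= "NOPASSWD:" if @passwordless %>ALL
TEMPLATE

# Hypothetical allow-list for account names: a single token with no whitespace,
# commas, '%' or newlines, so an attribute value cannot add a second sudoers rule.
SAFE_USER = /\A[a-z_][a-z0-9_-]{0,31}\z/

# Holds the instance variables the template reads (@sudoers_users, @passwordless).
class SudoersView
  def initialize(users, passwordless)
    bad = users.reject { |u| u.is_a?(String) && u.match?(SAFE_USER) }
    raise ArgumentError, "unsafe sudoers user: #{bad.inspect}" unless bad.empty?
    @sudoers_users = users
    @passwordless = passwordless
  end

  def render
    # trim_mode '-' honours the "-%>" markers so loop lines leave no blank lines
    ERB.new(SUDOERS_TEMPLATE, trim_mode: '-').result(binding)
  end
end

# Constructed per-environment attributes (sample data, not from the talk).
ENVIRONMENTS = {
  'dev'  => { users: %w[alice bob], passwordless: true },
  'prod' => { users: %w[alice],     passwordless: false }
}.freeze

def render_sudoers(env)
  attrs = ENVIRONMENTS.fetch(env)
  SudoersView.new(attrs[:users], attrs[:passwordless]).render
end

if __FILE__ == $PROGRAM_NAME
  ENVIRONMENTS.each_key { |env| puts "--- #{env} ---", render_sudoers(env) }
end
```
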
bash "update_ssh" do
  code <<-EOH
    sed -i -e 's/AuthorizedKeysFile.*authorized_keys/AuthorizedKeysFile \\/\\.keys\\/%u\\/authorized_keys/g' /etc/ssh/sshd_config
  EOH
end

bash "ssh_dns" do
  code <<-EOH
    sed -i -e 's/#UseDNS.yes/UseDNS no/g' /etc/ssh/sshd_config
  EOH
end

primitives trump execs
package "ssh" do
  action :install
end

service "sshd" do
  action [:enable, :start]
end

template "/etc/ssh/sshd_config" do
  action :create
  mode 0644
  notifies :restart, "service[sshd]"
end

Practical CM
extending and abstracting
CM tools are easy to extend
understand repeatable patterns
abstract them into libraries, resources, custom types
keep front line code readable

# Cookbook Name:: keys
# Recipe:: common
# Author:: Sascha Bates
# (keyfile is not defined on the slide)
keys = []
search('public_keys', "tags:common").each { |k| keys << k }
search('public_keys', "tags:chef AND tags:#{node.env}").each { |k| keys << k }

keys.each do |k|
  key_type, key_part, key_comment = k['pub_key'].split(' ')
  ruby_block "root_keys_#{k['id']}" do
    Chef::Log.debug("test condition: grep #{key_part} #{keyfile}")
    not_if "grep #{key_part} #{keyfile}"
    block do
      File::open(keyfile, 'a') do |f|
        Chef::Log.debug("Adding #{key_comment} to #{f.path}")
        f << k["pub_key"] << "\n"
      end
    end
  end
end

dsl trumps code
# Cookbook Name:: keys
# Recipe:: common
# Author:: Sascha Bates

authkey "common_key" do
  action :add
  user "root"
end

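Added example (not code from the talk): one way a resource such as the `authkey` shown above could converge a key file idempotently in plain Ruby, comparing key material directly instead of interpolating it into a `grep` guard. The function names and the sample key are assumptions; the `authkey` implementation itself is not shown on the slides.

```ruby
require 'tempfile'

# Parse "type base64 [comment]" and return the base64 key material.
# Raises unless the input is exactly one well-formed public key line.
def key_part_of(pub_key)
  text = pub_key.strip
  type, part, _comment = text.split(' ', 3)
  ok = !text.include?("\n") &&
       type.to_s.match?(/\A(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+)\z/) &&
       part.to_s.match?(%r{\A[A-Za-z0-9+/]+=*\z})
  raise ArgumentError, 'not a single-line OpenSSH public key' unless ok
  part
end

# Append pub_key to keyfile unless the same key material is already present.
# Returns true when the file was changed, false when it was already converged.
def add_authorized_key(keyfile, pub_key)
  wanted = key_part_of(pub_key)
  existing = File.exist?(keyfile) ? File.readlines(keyfile) : []
  # Compare whole fields, so a key that is a substring of another never matches.
  return false if existing.any? { |line| line.split(' ').include?(wanted) }
  File.open(keyfile, 'a', 0o600) { |f| f << pub_key.strip << "\n" }
  true
end

# Constructed sample key (not a real key).
SAMPLE_KEY = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample ops@example'

# Converge twice against a temporary file: [changed?, changed again?, line count].
def demo
  Tempfile.create('authorized_keys') do |f|
    f.close
    first  = add_authorized_key(f.path, SAMPLE_KEY)
    second = add_authorized_key(f.path, SAMPLE_KEY)
    [first, second, File.readlines(f.path).size]
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```
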
If you don’t remember anything else
start small, stay visible, communicate
craft a holistic ecosystem
use the tool wisely and well
bonus slide
# -*- mode: ruby -*-
# vi: set ft=ruby
Vagrant.configure("2") do |config|
  config.vm.hostname = "goto-example"
  config.vm.box = "opscode_centos-6.4_provisionerless"
  config.vm.network :private_network, ip: "33.33.33.10"
  config.vm.network "forwarded_port", guest: 8080, host: 8080, auto_correct: true
  config.omnibus.chef_version = :latest
  config.ssh.max_tries = 40
  config.ssh.timeout = 120
  config.berkshelf.enabled = true

  config.vm.provision :chef_solo do |chef|
    chef.log_level = :debug
    chef.run_list = [ "recipe[goto::default]" ]
  end
end