Organizing Puppet nodes with External Node Classifiers and LDAP Anirban Saha PuppetCamp Dusseldorf October, 2014

Objectives : • Organizing data and avoiding clutter • Learn the workflow of External Node Classifiers (ENCs) • How to write ENCs and demonstration • Learn the workflow of organizing node data with LDAP backend • How to configure LDAP for puppet nodes

Why bother to organize data ?

because without it ….

• Prepare to scale for now and for the future • Adopt standardized naming conventions to be used in

configuring ENCs and maintaining inventory • Practice the art of better module writing • Avoid unnecessary troubleshooting of nodes.pp • Educate teams to practice ENCs (and avoid malpractice such as

defining resources in nodes.pp…believe me, they do this)

ENC Workflow • Basically a script in any language (Ruby, Python, Perl, etc) • Takes the hostname (FQDN) or certname as the sole argument • Manipulates the argument and collects the data as written in the script • Produces the output in YAML format • Output has three main keys – classes, parameters and environment • A basic example of the output : environment: production classes: - sudo - ssh - ntp parameters: location: datacenter3

ENC output explained Environment : The environment of the node (e.g. production, staging, development, etc.) being sync’d as configured in puppet Classes : List of modules configured in puppet and supposed to be sync’d with the node, e.g. classes: - groups - users - ntp Parameters : A list of top scope variables which can be used in any of the modules listed in the ‘classes ‘ section. The value of the ‘parameters’ key is a hash of variable names and their values, can be used in the modules and templates, e.g. parameters: puppetserver: puppet-dusseldorf adminserver: admin-dusseldorf location: dusseldorf

Puppet Configuration changes for ENC

Following changes need to be made : In puppet configuration file of puppet master (lets say /opt/puppet/puppet.conf, if puppet conf directory is /opt/puppet) : [master] node_terminus = exec external_nodes = /opt/puppet/enc/node_classifier.rb All node classifier scripts need to be placed in the same directory (here /opt/puppet/enc)

ENC Demonstration

ENC scripts present in this repository : https://github.com/rosesnthornz/puppetcamp-dusseldorf-2014.git Path to scripts : puppetcamp-dusseldorf-2014/enc_scripts/

Organizing Puppet Data with LDAP Prerequisites : • Active LDAP server or a new LDAP implementation • ruby-ldap package needs to be present on the Puppet worker node WorkFlow : • A new LDAP ‘objectclass’ called ‘puppetClient’ is added by extending the LDAP schema using the

node terminus shipped with Puppet (/usr/share/puppet/ext/ldap/puppet.schema) • This schema adds some new attributes for the puppetClient objectclass as follows :

• environment – equivalent to the ‘environment’ hash key in ENC scripts • puppetClass – equivalent to the ‘classes’ hash key in ENC scripts • puppetvar – equivalent to the ‘parameters’ hash key in ENC scripts

• Each new node to be added to the Puppet database need to be added with the above attributes and objectclass in the LDAP directory

Puppet LDAP configuration steps Containers need to be added under the top-level organizations in LDAP as follows : dn: ou=hosts,dc=puppetcamp,dc=com objectclass: organizationalUnit ou: hosts dn: ou=production,ou=hosts,dc=puppetcamp,dc=com objectclass: organizationalUnit ou: production dn: ou=staging,ou=hosts,dc=puppetcamp,dc=com objectclass: organizationalUnit ou: staging The containers above represent each of the environments configured in the Puppet infrastructure

Puppet LDAP configuration steps

The nodes need to be configured and added to LDAP as follows : dn: cn=pcdppms01.puppetcamp.com,ou=production,ou=hosts,dc=puppetcamp,dc=com objectclass: puppetClient objectclass: device environment: production puppetClass: groups puppetClass: sudo puppetClass: users::ops puppetClass: users::keys puppetvar: location='puppetcamp_dusseldorf' puppetvar: puppetserver='172.31.84.91' puppetvar: adminserver='172.31.0.2‘ The above configuration needs to be populated in ldif files and added to the LDAP directory

Puppet configuration changes for LDAP

The following changes need to be done in puppet.conf on the puppet master node to use LDAP as the node backend: node_terminus = ldap ldapserver = ldap.puppetcamp.com ldapbase = ou=hosts,dc=puppetcamp,dc=com The puppet master then needs to be restarted for the changes to take effect

LDAP Demonstration

LDAP files present in this repository : https://github.com/rosesnthornz/puppetcamp-dusseldorf-2014.git Path to files : puppetcamp-dusseldorf-2014/ldap/

Contact: Anirban Saha Email : sahaanirban1988@gmail.com Twitter : @rosesnthornz Skype : anirban.saha.88