Puppet: What _not_ to do
•
4 j'aime•6,627 vues
Walter Heck's presentation on "Puppet: what _not_ to do: An interactive journey through the ugly side of Puppet" at Puppet Camp Ghent 2013.
Recommandé
Contenu connexe
Tendances
Tendances (19)
En vedette
En vedette (10)
Similaire à Puppet: What _not_ to do
Similaire à Puppet: What _not_ to do (20)
Plus de Puppet
Plus de Puppet (20)
Dernier
Dernier (20)
Puppet: What _not_ to do
- 1. Puppet: What _not_ to do? An interactive journey through the ugly side of Puppet
- 2. •Walter Heck, Founder of OlinData •2,5 years experience with Puppet in 5+ different environments •Experienced Puppet Fundamentals trainer •Had my eyes bleed many times with ugly Puppet code
- 3. • Design mistakes might not be glaringly obvious or even wrong at first, but will cause trouble later • Language mistakes Puppet provides functionality that shouldn't be used, but is there for edge- cases or historical purposes
- 4. Quiz time! Wake up...
- 5. == File: modules/ssh/manifests/ssh.pp class ssh_install { package { 'ssh': ensure => present } } class ssh_configure { file { '/etc/ssh/sshd_config': ensure => present } }
- 6. == File: modules/ssh/manifests/ssh.pp class ssh($state = ‘present’ { package { 'ssh': ensure => $state } file { '/etc/ssh/sshd_config': ensure => $state } } # problem: classnames won't be autoloaded, classnames shouldn't have verbs in them, classes should be combined, don't put multiple classes in a file
- 7. == schedule { 'maint': range => '2 - 4', period => daily, repeat => 1, } exec { '/usr/bin/apt-get update': schedule => 'maint', }
- 8. == schedule { 'maint': range => '2 - 4', period => daily, repeat => 1, } exec { '/usr/bin/apt-get update': schedule => 'maint', } # problem: schedule doesn't mean something will execute, a common pitfall. If there is no puppet run between these hours, the apt-get exec will not be run
- 9. == $myvar = ‘false’ if ($myvar) { notice(‘this is true’) } else { notice(‘This is false’) }
- 10. == $myvar = ‘false’ if ($myvar) { notice(‘this is true’) } else { notice(‘This is false’) } #problem: 'false' evaluates to true
- 11. == exec { '/etc/init.d/apache start': onlyif => ‘ps aux | grep apache | grep -v grep | wc -l’ }
- 12. == exec { '/etc/init.d/apache start': onlyif => ‘ps aux | grep apache | grep -v grep | wc -l’ } # problem: this shouldn't be an exec, but a service
- 13. == package { 'ssh': ensure => present, name => $::operatingsystem ? { 'Ubuntu' => 'openssh-server', default => 'ssh', }, }
- 14. == $sshpkgname = $::operatingsystem ? { 'Ubuntu' => 'openssh-server', default => undef, } if ($sshpkgname == undef) { fail(‘unsupported OS’) } else { package { 'ssh': ensure => present, name => $sshpkgname, } } #problem: they encourage behaviour that is not scalable, using default options to assume things, etc.
- 15. == case $::operatingsystem { 'RedHat', 'CentOS': { file { ‘/etc/httpd/http.conf’: ensure => ‘present’, } } default: { file { ‘/etc/apache2/apache2.conf’: ensure => ‘present’, } } }
- 16. == case $::operatingsystem { 'RedHat', 'CentOS': { file { ‘/etc/httpd/http.conf’: ensure => ‘present’, } } default: { file { ‘/etc/apache2/apache2.conf’: ensure => ‘present’, } } } #problem: case without default that fails, instead it assumes
- 17. == class wordpress { $wordpress_archive = 'wordpress-3.4.1.zip' $apache = $::operatingsystem ? { Ubuntu => apache2, CentOS => httpd, Debian => apache2, default => httpd } $phpmysql = $::operatingsystem ? { Ubuntu => php5-mysql, CentOS => php-mysql, Debian => php5-mysql, default => php-mysql } $php = $::operatingsystem ? { Ubuntu => libapache2-mod-php5, CentOS => php, Debian => libapache2-mod-php5, default => php } package { ['unzip',$apache,$php,$phpmysql]: ensure => latest } }
- 18. == class wordpress { $wordpress_archive = 'wordpress-3.4.1.zip' $apache = $::operatingsystem ? { Ubuntu => apache2, CentOS => httpd, Debian => apache2, default => httpd } $phpmysql = $::operatingsystem ? { Ubuntu => php5-mysql, CentOS => php-mysql, Debian => php5-mysql, default => php-mysql } $php = $::operatingsystem ? { Ubuntu => libapache2-mod-php5, CentOS => php, Debian => libapache2-mod-php5, default => php } package { ['unzip',$apache,$php,$phpmysql]: ensure => latest } } #wordpress class shouldn't touch apache, should be a different module
- 19. == $files = [ '/etc/mysql', '/var/log/mysql', '/var/run/mysql' ] file { $files: ensure => present, user => mysql, group => mysql, mode => 0755, }
- 20. == #arrays of resources are not wrong, but dangerous. file { '/etc/mysql': ensure => present, user => mysql, group => mysql, mode => 0700, <=== careful with this! } file { '/var/log/mysql': ensure => present, user => mysql, group => mysql, mode => 0755, } file { '/var/run/mysql': ensure => present, user => mysql, group => mysql, mode => 0755, }
- 21. == if defined(File['/tmp/foo']) { notify('This configuration includes the /tmp/foo file.') } else { file {'/tmp/foo': ensure => present, } }
- 22. == class test { if defined(File['/tmp/foo']) { notice('This configuration includes the /tmp/foo file.') } else { file {'/tmp/foo': ensure => present, group => root } } if defined(File['/tmp/foo']) { notice('This configuration includes the /tmp/foo file.') } else { file {'/tmp/foo': ensure => present, group => puppet } } } include test defined() is (usually) the wrong solution to a resource defined in two locations. It is dangerous, because it only checks if the resource has been defined elsewhere, not with what attributes.
- 23. == class apache2 { file { '/etc/apache2': ensure => directory, require => Service['apache2'] } file { '/etc/apache2/apache2.conf': ensure => present, require => File['/etc/apache2'], notify => Service['apache2'], } package { 'apache2': ensure => present, allowcdrom => true, before => File['/etc/apache2/apache2.conf'] } service { 'apache2': ensure => running, subscribe => File['/etc/apache2/apache2.conf'] } } include apache2
- 24. == # dependency loop class apache2 { file { '/etc/apache2': ensure => directory, require => Service['apache2'] } file { '/etc/apache2/apache2.conf': ensure => present, require => File['/etc/apache2'], notify => Service['apache2'], # <=== The notify metaparameter implies before. } package { 'apache2': ensure => present, allowcdrom => true, before => File['/etc/apache2/apache2.conf'] } service { 'apache2': ensure => running, subscribe => File['/etc/apache2/apache2.conf'] # <=== The subscribe metaparameter implies require.
- 25. class test { file { '/tmp/somefile.txt': ensure => 'file', mode => 0600, owner => 'root', group => 'root', source => '/etc/puppet/modules/test/somefile.txt' } } include test
- 26. == # use puppet:///modules/ instead of the full path on the puppet master class test { file { '/tmp/somefile.txt': ensure => 'file', mode => 0600, owner => 'root', group => 'root', source => 'puppet:///modules/test/somefile.txt' } } include test
- 27. == class test { file {‘/tmp/large/dir/with/many/subdirs/and/many/files’: ensure => present, owner => root, group => root, recurse => true } } include test
- 28. == # do not use recurse => true on a dir with over 100+ files class test { file {‘/tmp/large/dir/with/many/files’: ensure => present, owner => root, group => root, recurse => true } } include test # alternative :’( class test { exec {'/bin/chown -R root:root /tmp/large/dir/with/many/files': } }
- 29. Walter Heck - OlinData Email: walterheck@olindata.com Twitter: @walterheck / @olindata Web: http://olindata.com Questions? Feel free to get in touch!