Unless you are having issues with certificate signing consuming too many resources, it's simpler to keep the signing machine as a single instance, possibly with a hot spare. Having multiple certificate signing machines means that you have to keep certificate revocation lists synchronized.

Reporting should be done on a single instance if possible. Reporting options will be covered in Chapter 7, Reporting and Orchestration.

Storeconfigs should be run on a single server; storeconfigs allows for exported resources and is optional. The recommended configuration for storeconfigs is PuppetDB, which can handle several thousand nodes in a single installation.

Catalog compilation is one task that can really bog down your Puppet installation. Splitting compilation among a pool of workers is the biggest win to scale your deployment. The idea here is to have a primary point of contact for all your nodes—the load balancer. Then, using proxying techniques, the load balancer will direct requests to specific worker machines within your Puppet infrastructure. From the perspective of the nodes checking into Puppet master, all the interaction appears to come from the main load balancing machine.

When nodes contact the Puppet master, they do so using an HTTP REST API, which is TLS encrypted. The resource being requested by a node may be any of the accepted REST API calls, such as catalog, certificate, resource, report, file_metadata, or file_content. A complete list of the HTTP APIs is available at http://docs.puppetlabs.com/guides/rest_api.html.

When nodes connect to the Puppet master, they connect to the master service. In prior versions of Puppet (versions 3.6 and older), the accepted method to run the Puppet master service was through the Passenger framework. In Puppet 3.7 and above, this was replaced with a new server, puppetserver. Puppet version 4 and above have deprecated Passenger; support for Passenger may be completely removed in a future release. puppetserver runs Puppet as a JRuby process within a JVM that is wrapped by a Jetty web server. There are many moving parts in the new puppetserver service, but the important thing is that Puppet Labs built this service to achieve better performance than the older Passenger implementation. A Puppet master running the puppetserver service can typically handle around 5,000 individual nodes; this is a vast improvement.

The puppetserver uses the same design principles as PuppetDB. PuppetDB uses a new framework named Trapperkeeper. Trapperkeeper is written in Clojure and is responsible for managing the HTTP/TLS endpoints that are required to serve as a Puppet master server. More information about Trapperkeeper is available at the project website at https://github.com/puppetlabs/trapperkeeper.

To build a split Puppet master configuration, we will first start with an empty machine running an enterprise Linux distribution, such as CentOS, RedHat Enterprise Linux, or Springdale Linux. I will be using Springdale Linux 7 for my example machines. More information on Springdale is available at https://springdale.math.ias.edu/. I will start by building a machine named lb (load balancer), as my first Puppet master. The puppetserver process uses a lot of memory; the lb machine needs to have at least 2.5GB of memory to allow the puppetserver process to run.

To enable the puppetserver service on a node, install the Puppet Labs yum repository rpm onto the machine. At the time of writing, the latest release rpm is puppetlabs-release-pc1-0.9.2-1.el7.noarch.rpm, which is available from Puppet Labs at http://yum.puppetlabs.com/el/7/PC1/x86_64/puppetlabs-release-pc1-0.9.2-1.el7.noarch.rpm.

This is to be installed using the following yum command:

[thomas@lb ~]$ sudo yum install http://yum.puppetlabs.com/el/7/PC1/x86_64/puppetlabs-release-pc1-0.9.2-1.el7.noarch.rpm
puppetlabs-release-pc1-0.9.2-1.el7.noarch.rpm               | 4.1 kB  00:00:00     
...

Installed:
puppetlabs-release-pc1.noarch 0:0.9.2-1.el7                             

Complete!

After installing the puppetlabs-release-pc1 rpm, install the puppetserver rpm. This can be done with the following command:

[thomas@lb ~]$ sudo yum install puppetserver

Installing puppetserver will automatically install a few Java dependencies. Installing puppetserver will also install the puppet-agent rpm onto your system. This places the Puppet and Facter applications into /opt/puppetlabs/bin. This path may not be in your PATH environment variable, so you need to add this to your PATH variable either by adding a script to the /etc/profile.d directory or appending the path to your shell initialization files.

Now that the server is installed, we'll need to generate new X.509 certificates for our Puppet infrastructure.

[thomas@lb ~]$ sudo /opt/puppetlabs/bin/puppet cert list -a
Notice: Signed certificate request for ca

certname = puppet.example.com

[thomas@lb ~]$ sudo /opt/puppetlabs/bin/puppet certificate generate --dns-alt-names puppet,puppet.example.com,puppet.dev.example.com puppet.example.com --ca-location local
Notice: puppet.example.com has a waiting certificate request
true

[thomas@lb ~]$ sudo /opt/puppetlabs/bin/puppet cert sign puppet.example.com --allow-dns-alt-names
Notice: Signed certificate request for puppet.example.com
Notice: Removing file Puppet::SSL::CertificateRequestpuppet.example.com at '/etc/puppetlabs/puppet/ssl/ca/requests/puppet.example.com.pem'

[thomas@lb ~]$ sudo puppet certificate find puppet.example.com --ca-location local
-----BEGIN CERTIFICATE-----
MIIFvDCCA6SgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDDB1QdXBw
...
9ZLNFwdQ4iMxenffcEQErMfkT6fjcvdSIjShoIe3Myk=
-----END CERTIFICATE-----

[thomas@lb ~]$ sudo systemctl start puppetserver

[thomas@lb ~]$ sudo lsof -i :8140
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    4299 puppet   28u  IPv6  37899      0t0  TCP *:8140 (LISTEN)

[root@puppet ~]# sudo systemctl enable puppetserver.service
ln -s '/usr/lib/systemd/system/puppetserver.service' '/etc/systemd/system/multi-user.target.wants/puppetserver.service'

[thomas@client ~]$ sudosystemctl disable firewalld.service
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
[thomas@client ~]$ sudosystemctl stop firewalld.service

[thomas@lb ~]$ sudo firewall-cmd --add-port=8140/tcp
success
[thomas@lb ~]$ sudo firewall-cmd --add-port=8140/tcp --permanent
success

webserver: {
  access-log-config = /etc/puppetlabs/puppetserver/request-logging.xml
  client-auth = want
  ssl-host = 0.0.0.0
  ssl-port = 8141
  host = 0.0.0.0
  port = 18140
}

[thomas@lb ~]$ sudo systemctl restart puppetserver.service

[thomas@lb~]$ sudo yum install httpd mod_ssl

Listen 8140
<VirtualHost *:8140>
  ServerNamepuppet.example.com
  SSLEngine on
  SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
  SSLCertificateFile /etc/puppetlabs/puppet/ssl/certs/puppet.example.com.pem
  SSLCertificateKeyFile /etc/puppetlabs/puppet/ssl/private_keys/puppet.example.com.pem
  SSLCertificateChainFile /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
  SSLCACertificateFile    /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
  # If Apache complains about invalid signatures on the CRL, you can try disabling
  # CRL checking by commenting the next line, but this is not recommended.
  SSLCARevocationFile     /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
  SSLVerifyClient optional
  SSLVerifyDepth  1
  # The `ExportCertData` option is needed for agent certificate expiration warnings
  SSLOptions +StdEnvVars +ExportCertData
  # This header needs to be set if using a loadbalancer or proxy
  RequestHeader unset X-Forwarded-For
  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

  ProxyPassMatch ^/(puppet-ca/v[123]/.*)$ balancer://puppetca/$1
  ProxyPass / balancer://puppetworker/
  ProxyPassReverse / balancer://puppetworker

  <Proxy balancer://puppetca>
    BalancerMember http://127.0.0.1:18140
  </Proxy>
  <Proxy balancer://puppetworker>
    BalancerMember http://192.168.0.100:18140
    BalancerMember http://192.168.0.101:18140
  </Proxy>

</VirtualHost>

<Proxy balancer://puppetca>
  BalancerMember http://127.0.0.1:18140
</Proxy>
<Proxy balancer://puppetworker>
  BalancerMember http://192.168.0.100:18140
  BalancerMember http://192.168.0.101:18140
</Proxy>

ProxyPassMatch ^/(puppet-ca/v[123]/.*)$ balancer://puppetca/$1
ProxyPass / balancer://puppetworker/
ProxyPassReverse / balancer://puppetworker

environment/endpoint/value

ProxyPassMatch ^/([^/]+/certificate.*)$ balancer://puppetca/$1

/puppet-ca/version/endpoint/value?environment=environment

puppet/version/endpoint/value?environment=environment

ProxyPassMatch ^/(puppet-ca/v[123]/.*)$ balancer://puppetca/$1

# This header needs to be set if using a loadbalancer or proxy
RequestHeader unset X-Forwarded-For
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

[thomas@lb ~]$ sudo setsebool -P httpd_can_network_connect=1

[thomas@lb ~]$ sudo setenforce 0

master: {
  allow-header-cert-info: true
}

[root@lb puppet]# cd /etc/puppetlabs/puppet
[root@lb puppet]# tar cf ssl.tar ssl

node default {
  notify { "compiled on puppetmaster1": }
}

node default {
  notify { "compiled on puppetmaster2": }
}

192.168.0.110 puppet.example.com puppet

[thomas@client ~]$ sudo puppet agent -t
Info: Creating a new SSL key for client
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for client
Info: Certificate Request fingerprint (SHA256): FE:D1:6D:70:90:10:9E:C9:0E:D7:3B:BA:3D:2C:71:93:59:40:02:64:0C:FC:D4:DD:8E:92:EF:02:7F:EE:28:52
Exiting; no certificate found and waitforcert is disabled

[thomas@lb ~]$ sudo puppet cert list
  "client" (SHA256) FE:D1:6D:70:90:10:9E:C9:0E:D7:3B:BA:3D:2C:71:93:59:40:02:64:0C:FC:D4:DD:8E:92:EF:02:7F:EE:28:52

[thomas@lb ~]$ sudo puppet cert sign client
Notice: Signed certificate request for client
Notice: Removing file Puppet::SSL::CertificateRequest client at '/etc/puppetlabs/puppet/ssl/ca/requests/client.pem'

[thomas@client ~]$ sudo puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client
Info: Applying configuration version '1441254717'
Notice: compiled on puppetserver1
Notice: /Stage[main]/Main/Node[default]/Notify[compiled on puppetmaster1]/message: defined 'message' as 'compiled on puppetmaster1'
Notice: Applied catalog in 0.04 seconds

[thomas@client ~]$ sudo puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client
Info: Applying configuration version '1441256532'
Notice: compiled on puppetmaster2
Notice: /Stage[main]/Main/Node[default]/Notify[compiled on puppetmaster2]/message: defined 'message' as 'compiled on puppetmaster2'
Notice: Applied catalog in 0.02 seconds

[thomas@puppet ~]$ sudo puppet cert list -a
+ "puppet.example.com" (SHA256) 9B:C8:43:46:71:1E:0A:E0:63:E8:A7:B5:C2:BF:4D:6E:68:4C:67:57:87:4C:7A:77:08:FC:5A:A6:62:E9:13:2E (alt names: "DNS:puppet", "DNS:puppet.dev.example.com", "DNS:puppet.example.com")

[thomas@lb ~]$ sudo puppet cert list -a
+ "client"             (SHA256) E6:38:60:C9:78:F8:B1:88:EF:3C:58:17:88:81:72:86:1B:05:C4:00:B2:A2:99:CD:E1:FE:37:F2:36:6E:8E:8B
+ "puppet.example.com" (SHA256) 9B:C8:43:46:71:1E:0A:E0:63:E8:A7:B5:C2:BF:4D:6E:68:4C:67:57:87:4C:7A:77:08:FC:5A:A6:62:E9:13:2E (alt names: "DNS:puppet", "DNS:puppet.dev.example.com", "DNS:puppet.example.com")

lb# ssh-keygen -f puppet_rsync
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in puppet_rsync.
Your public key has been saved in puppet_rsync.pub.

[thomas@puppet ~]$ sudo mkdir ~puppet/.ssh
[thomas@puppet ~]$ sudo cp puppet_rsync.pub ~puppet/.ssh/authorized_keys
[thomas@puppet ~]$ sudo chown -R puppet:puppet ~puppet/.ssh
[thomas@puppet ~]$ sudo chmod 750 ~puppet
[thomas@puppet ~]$ sudo chmod 700 ~puppet/.ssh
[thomas@puppet ~]$ sudo chmod 600 ~puppet/.ssh/authorized_keys
[thomas@puppet ~]$ sudo chsh -s /bin/bash puppet
Changing shell for puppet.
Shell changed.
[thomas@puppet ~]$ sudo chown -R puppet:puppet /etc/puppetlabs/code

[thomas@lb ~]$ rsync -e 'ssh -i puppet_rsync' -az /etc/puppetlabs/code/ puppet@puppetmaster1:/etc/puppetlabs/code

Now that we have our Puppet infrastructure running on two Puppet masters and the load balancer, you might notice that the load balancer and the certificate signing machine need not be the same machine.

To split off the Puppet certificate authority (puppetca) from the load balancing machine, make another Puppet master machine, similar to the previous Puppet master machines (complete with the master.conf configuration file in the /etc/puppetlabs/puppetserver/conf.d directory). Give this new machine the following IP address 192.168.0.111.

Now, modify the puppet_lb.conf file in the /etc/httpd/conf.d directory such that the proxy balancer for puppetca points to this new machine, as shown here:

<Proxy balancer://puppetca>
  BalancerMember http://192.168.0.111:18140
</Proxy>

Now restart Apache on the load balancer and verify that the certificate signing is now taking place on the new puppetca machine. This can be done by running Puppet on our client machine with the --certname option to specify an alternate name for our node, as shown here:

[thomas@client ~]$ puppet agent -t --certname split
Info: Creating a new SSL key for split
Info: csr_attributes file loading from /home/thomas/.puppetlabs/etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for split
Info: Certificate Request fingerprint (SHA256): 98:41:F6:7C:44:FE:35:E5:B9:B5:86:87:A1:BE:3A:FD:4A:D4:50:B8:3A:3A:69:00:87:12:0D:9A:2B:B0:94:CF
Exiting; no certificate found and waitforcert is disabled

Now on the puppetca machine, run the puppet cert list command to see the certificate waiting to be signed:

[thomas@puppet ~]$ sudo puppet cert list
  "split" (SHA256) 98:41:F6:7C:44:FE:35:E5:B9:B5:86:87:A1:BE:3A:FD:4A:D4:50:B8:3A:3A:69:00:87:12:0D:9A:2B:B0:94:CF

When we run the puppet cert list command on the load balancer, we see that the split certificate is not shown:

thomas@lb ~]$sudo puppet cert list -a
+ "client"             (SHA256) E6:38:60:C9:78:F8:B1:88:EF:3C:58:17:88:81:72:86:1B:05:C4:00:B2:A2:99:CD:E1:FE:37:F2:36:6E:8E:8B
+ "puppet.example.com" (SHA256) 9B:C8:43:46:71:1E:0A:E0:63:E8:A7:B5:C2:BF:4D:6E:68:4C:67:57:87:4C:7A:77:08:FC:5A:A6:62:E9:13:2E (alt names: "DNS:puppet", "DNS:puppet.dev.example.com", "DNS:puppet.example.com")

With this split we have streamlined the load balancer to the point where it is only running Apache. In the next section, we'll look at how else we can split up our workload.

We have already split our workload into a certificate-signing machine (puppetca) and a pool of catalog compiling machines (Puppet masters). We can also create a report processing machine and split-off report processing to that machine with the report_server setting. What is interesting as an exercise at this point is that we can also serve up files using our load balancing machine.

Based on what we know about the Puppet HTTP API, we know that requests for file_buckets and files have specific URIs, which we can serve directly from the load balancer without using puppetserver, or Apache or even Puppet. To test the configuration, alter the definition of the default node to include a file, as follows:

node default {
  include file_example
}

Create the file_example module and the following class manifest:

class file_example {
  file {'/tmp/example':
    mode=>'644', 
    owner =>'100',
    group =>'100',
    source => 'puppet:///modules/file_example/example',
  }
}

Create the example file in the files subdirectory of the module. In this file, place the following content:

This file is in the code directory.

Now, we need to edit the Apache configuration on the load balancer to redirect file requests to another VirtualHost on the load balancer. Modify the puppet_lb.conf file so that the rewrite balancer lines are, as follows:

ProxyPassMatch ^/(puppet-ca/v[123]/.*)$ balancer://puppetca/$1
ProxyPassMatch ^/puppet/v[123]/file_content/(.*)$ balancer://puppetfile/$1

ProxyPass / balancer://puppetworker/
ProxyPassReverse / balancer://puppetworker

<Proxy balancer://puppetca>
  BalancerMember http://192.168.0.111:18140
</Proxy>
<Proxy balancer://puppetfile>
  BalancerMember http://127.0.0.1:8080
</Proxy>
<Proxy balancer://puppetworker>
  BalancerMember http://192.168.0.100:18140
  BalancerMember http://192.168.0.101:18140
</Proxy>

This configuration will redirect any requests to /puppet/v3/file_content to port 8080 on the same machine. We now need to configure Apache to listen on port 8080, create the files.conf file in the /etc/httpd/conf.d directory:

Listen 8080
<VirtualHost *:8080>
  DocumentRoot /var/www/html/puppet
  LogLevel debug
  RewriteEngine on
  RewriteCond %{QUERY_STRING}     ^environment=(.*)&.*$    [NC]
  RewriteRule^(.*)$       /%1/$1      [NC,L]
</VirtualHost>

In version 4 of Puppet, the environment is encoded as a parameter to the request URL. The URL requested by the node for the example file is /puppet/v3/file_content/modules/file_example/example?environment=production&. The files.conf configuration's RewriteCond line will capture the environment production into %1. The RewriteRule line will take the requested URL and rewrite it into /production/modules/file_example/example. To ensure that the file is available, create the following directory on the load balancer machine:

/var/www/html/puppet/production/modules/file_example

Create the example file in this directory with the following content:

This came from the load balancer

Now, restart the Apache process on the load balancer. At this point we can run the Puppet agent on the client node to have the /tmp/example file created on the client node, as shown here:

[thomas@client ~]$ sudo puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client
Info: Applying configuration version '1441338020'
Notice: compiled on puppetmaster1 -- does that work?
Notice: /Stage[main]/Main/Node[default]/Notify[compiled on puppetmaster1 -- does that work?]/message: defined 'message' as 'compiled on puppetmaster1 -- does that work?'
Notice: /Stage[main]/File_example/File[/tmp/example]/content: 

Info: Computing checksum on file /tmp/example
Info: /Stage[main]/File_example/File[/tmp/example]: Filebucketed /tmp/example to puppet with sum accaac1654696edf141baeeab9d15198
Notice: /Stage[main]/File_example/File[/tmp/example]/content: content changed '{md5}accaac1654696edf141baeeab9d15198' to '{md5}1a7b177fb5017e17daf9522e741b2f9b'
Notice: Applied catalog in 0.23 seconds
[thomas@client ~]$ cat /tmp/example
This came from the load balancer

The contents of the file have now been placed on the client machine and, as we can see, the contents of the file are coming from the file that is in the subdirectory of /var/www/html.

As we have seen, once the basic proxying is configured, further splitting up of the workload becomes a routine task. We can split the workload to scale to handle as many nodes as we require.

To start our rpm, we will make an rpm spec file. We can make this anywhere since we don't have a master in this example. Start by installing rpm-build, which will allow us to build the rpm.

# yum install rpm-build
Installing
  rpm-build-4.8.0-37.el6.x86_64

Later, it is important to have a user to manage the repository, so create a user called builder at this point. We'll do this on the Puppet master machine we built earlier. Create an rpmbuild directory with the appropriate subdirectories and then create our example code in this location:

# sudo -iu builder
$ mkdir -p rpmbuild/{SPECS,SOURCES}
$ cd SOURCES
$ mkdir -p modules/example/manifests
$ cat <<EOF> modules/example/manifests/init.pp
class example {
  notify {"This is an example.": }
  file {'/tmp/example':
    mode => '0644',
    owner => '0',
    group => '0',
    content => 'This is also an example.'
  }
}
EOF
$ tar cjf example.com-puppet-1.0.tar.bz2 modules

Next, create a spec file for our rpm in rpmbuild/SPECS as shown here:

Name:           example.com-puppet
Version: 1.0
Release: 1%{?dist}
Summary: Puppet Apply for example.com

Group: System/Utilities
License: GNU
Source0: example.com-puppet-%{version}.tar.bz2
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

Requires: puppet
BuildArch: noarch

%description
This package installs example.com's puppet configuration
and applies that configuration on the machine.


%prep

%setup -q -c
%install
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/local/puppet
cp -a . $RPM_BUILD_ROOT/%{_localstatedir}/local/puppet

%clean
rm -rf %{buildroot}

%files
%defattr(-,root,root,-)
%{_localstatedir}/local/puppet

%post
# run puppet apply
/bin/env puppet apply --logdest syslog --modulepath=%{_localstatedir}/local/puppet/modules %{_localstatedir}/local/puppet/manifests/site.pp

%changelog
* Fri Dec 6 2013 Thomas Uphill <thomas@narrabilis.com> - 1.0-1
- initial build

Then use the rpmbuild command to build the rpm based on this spec, as shown here:

$ rpmbuild -baexample.com-puppet.spec
…
Wrote: /home/builder/rpmbuild/SRPMS/example.com-puppet-1.0-1.el6.src.rpm
Wrote: /home/builder/rpmbuild/RPMS/noarch/example.com-puppet-1.0-1.el6.noarch.rpm

Now, deploy a node and copy the rpm onto that node. Verify that the node installs Puppet and then does a Puppet apply run.

# yum install example.com-puppet-1.0-1.el6.noarch.rpm 
Loaded plugins: downloadonly
…
Installed:
example.com-puppet.noarch 0:1.0-1.el6
Dependency Installed:
augeas-libs.x86_64 0:1.0.0-5.el6
...
puppet-3.3.2-1.el6.noarch
…
Complete!

Verify that the file we specified in our package has been created using the following command:

# cat /tmp/example
This is also an example.

Now, if we are going to rely on this system of pushing Puppet to nodes, we have to make sure that we can update the rpm on the clients and we have to ensure that the nodes still run Puppet regularly, so as to avoid configuration drift (the whole point of Puppet).

%post
# install cron job
/bin/env puppet resource cron 'example.com-puppet' command='/bin/env puppet apply --logdest syslog --modulepath=%{_localstatedir}/local/puppet/modules %{_localstatedir}/local/puppet/manifests/site.pp' minute='*/30' ensure='present'

cron { 'example.com-puppet':
  ensure   => 'present',
  command  => '/bin/env puppet apply --logdest syslog --modulepath=/var/local/puppet/modules /var/local/puppet/manifests/site.pp',
  minute   => ['*/30'],
  target   => 'root',
  user     => 'root',
}

package {'example.com-puppet':  ensure => 'latest' }

Creating a yum repository is a very straightforward task. Install the createrepo rpm and then run createrepo on each directory you wish to make into a repository:

# mkdir /var/www/html/puppet
# yum install createrepo
…
Installed:
createrepo.noarch 0:0.9.9-18.el6
# chown builder /var/www/html/puppet
# sudo -iu builder
$ mkdir /var/www/html/puppet/{noarch,SRPMS}
$ cp /home/builder/rpmbuild/RPMS/noarch/example.com-puppet-1.0-1.el6.noarch.rpm /var/www/html/puppet/noarch
$ cp rpmbuild/SRPMS/example.com-puppet-1.0-1.el6.src.rpm /var/www/html/puppet/SRPMS
$ cd /var/www/html/puppet
$ createrepo noarch
$ createrepo SRPMS

Our repository is ready, but we need to export it with the web server to make it available to our nodes. This rpm contains all our Puppet code, so we need to ensure that only the clients we wish get an access to the files. We'll create a simple listener on port 80 for our Puppet repository:

Listen 80
<VirtualHost *:80>
  DocumentRoot /var/www/html/puppet
</VirtualHost>

Now, the nodes need to have the repository defined on them so that they can download the updates when they are made available via the repository. The idea here is that we push the rpm to the nodes and have them install the rpm. Once the rpm is installed, the yum repository pointing to updates is defined and the nodes continue updating themselves:

yumrepo { 'example.com-puppet':
  baseurl  => 'http://puppet.example.com/noarch',
  descr    => 'example.com Puppet Code Repository',
  enabled  => '1',
  gpgcheck => '0',
}

So, to ensure that our nodes operate properly, we have to make sure of the following things:

A default node in our masterless configuration requires that the cron task and the repository be defined. If you wish to segregate your nodes into different production zones (such as development, production, and sandbox), I would use a repository management system, such as Pulp. Pulp allows you to define repositories based on other repositories and keeps all your repositories consistent.

To use an ENC, we need to make one small change in our Puppet master machine. We'll have to add the node_terminus and external_nodes lines to the [master] section of puppet.conf, as shown in the following code (we only need make this change on the master machines, as this is concerned with catalog compilation only):

[master]
    node_terminus = exec
    external_nodes = /usr/local/bin/simple_node_classifier

Our first example, as shown in the following code snippet, will be written in Ruby and live in the file /usr/local/bin/simple_node_classifier, as shown:

#!/bin/env ruby
require 'yaml'

# create an empty hash to contain everything
@enc = Hash.new
@enc["classes"] = Hash.new
@enc["classes"]["base"] = Hash.new
@enc["parameters"] = Hash.new
@enc["environment"] = 'production'
#convert the hash to yaml and print
puts @enc.to_yaml
exit(0)

Make this script executable and test it on the command line, as shown in the following example:

# chmod 755 /usr/local/bin/simple_node_classifier
# /usr/local/bin/simple_node_classifier
--- 
classes: 
  base: {}
environment: production
parameters: {}

Puppet version 4 no longer requires the Ruby system package; Ruby is installed in /opt/puppetlabs/puppet/bin. The preceding script relies on Ruby being found in the current $PATH. If Ruby is not in the current $PATH, either modify your $PATH to include /opt/puppetlabs/puppet/bin or install the Ruby system package.

The previous script returns a properly formatted YAML file.

YAML files start with three dashes (---); they use colons (:) to separate parameters from values and hyphens (-) to separate multiple values (arrays). For more information on YAML, visit http://www.yaml.org/.

If you use a language such as Ruby or Python, you do not need to know the syntax of YAML, as the built-in libraries take care of the formatting for you. The following is the same example in Python. To use the Python example, you will need to install PyYAML, which is the Python YAML interpreter, using the following command:

# yum install PyYAML
Installed:
  PyYAML.x86_64 0:3.10-3.el6

The Python version starts with an empty dictionary. We then use sub-dictionaries to hold the classes, parameters, and environment. We will call our Python example /usr/local/bin/simple_node_classifier_2. The following is our example:

#!/bin/env python
import yaml
import sys
# create an empty hash
enc = {}
enc["classes"] = {}
enc["classes"]["base"] = {}
enc["parameters"] = {}
enc["environment"] = 'production'
# output the ENC as yaml
print "---"
print yaml.dump(enc)
sys.exit(0)

Make /usr/local/bin/simple_node_classifier_2 executable and run it using the following commands:

worker1# chmod 755 /usr/local/bin/simple_node_classifier_2
worker1# /usr/local/bin/simple_node_classifier_2 
---
classes:
  base: {}
environment: production
parameters: {}

The order of the lines following --- may be different on your machine; the order is not specified when Python dumps the hash of values.

The Python script outputs the same YAML, as the Ruby code. We will now define the base class referenced in our ENC script, as follows:

class base {
  file {'/etc/motd':
    mode    => '0644',
    owner   => '0',
    group   => '0',
    content => inline_template("Managed Node: <%= @hostname %>\nManaged by Puppet version <%= @puppetversion %>\n"),
  }
}

Now that our base class is defined, modify the external_nodes setting to point at the Python ENC script. Restart puppetserver to ensure that the change is implemented.

Now, run Puppet on the client node. Notice that the message of the day (/etc/motd) has been updated using an inline template, as shown in the following command-line output:

[thomas@client ~]$ sudo puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client
Info: Applying configuration version '1441950102'
Notice: /Stage[main]/Base/File[/etc/motd]/ensure: defined content as '{md5}df3dfe6fe2367e36f0505b486aa24da5'
Notice: Applied catalog in 0.05 seconds
[thomas@client ~]$ cat /etc/motd
Managed Node: client
Managed by Puppet version 4.2.1

Since the ENC is only given one piece of data, the certname (FQDN), we need to create a naming convention that provides us with enough information to determine the classes that should be applied to the node.

#!/bin/env python
# Python ENC
# receives fqdn as argument

import yaml
import sys
"""output_yaml renders the hash as yaml and exits cleanly"""
def output_yaml(enc):
  # output the ENC as yaml
  print "---"
  print yaml.dump(enc)
  quit()

# create an empty hash
enc = {}
enc["classes"] = {}
enc["classes"]["base"] = {}
enc["parameters"] = {}

try:
  hostname=sys.argv[1]
except:
  # need a hostname
  sys.exit(10)

# split hostname on _
try:
  parts = hostname.split('_')
  role = parts[0]
  location = parts[1]
  os = parts[2][0]
  environment = parts[2][1]
  instance = parts[2][2:]

except:
  # hostname didn't conform to our standard
  # include a class which notifies us of the problem
  enc["classes"]["hostname_problem"] = {'enc_hostname': hostname}
  output_yaml(enc)
  raise SystemExit

# map environment from hostname into environment
environments = {}
environments['p'] = 'production'
environments['n'] = 'nonprod'
environments['d'] = 'devel'
environments['s'] = 'sbx'
try:
  enc["environment"] = environments[environment]
except:
  enc["environment"] = 'undef'

# map role from hostname into role
enc["classes"][role] = {}

# set top scope variables
enc["parameters"]["enc_hostname"] = hostname
enc["parameters"]["role"] = role
enc["parameters"]["location"] = location
enc["parameters"]["os"] = os
enc["parameters"]["instance"] = instance

output_yaml(enc)

class web {
  package {'httpd':
    ensure => 'installed'
  }
  service {'httpd':
    ensure  => true,
    enable  => true,
    require => Package['httpd'],
  }
}

[thomas@web_main_lp01 ~]$ sudo puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for web_main_lp01.example.com
Info: Applying configuration version '1441951808'
Notice: /Stage[main]/Web/Package[httpd]/ensure: created
Notice: /Stage[main]/Web/Service[httpd]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Web/Service[httpd]: Unscheduling refresh on Service[httpd]
Notice: Applied catalog in 16.03 seconds

class hostname_problem ($enc_hostname) {
  notify {"WARNING: $enc_hostname ($::ipaddress) doesn't conform to naming standards": }
}

[thomas@client ~]$ sudo puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client.example.com
Info: Applying configuration version '1442120036'
Notice: WARNING: client.example.com (10.0.2.15) doesn't conform to naming standards
Notice: /Stage[main]/Hostname_problem/Notify[WARNING: client.example.com (10.0.2.15) doesn't conform to naming standards]/message: defined 'message' as 'WARNING: client.example.com (10.0.2.15) doesn't conform to naming standards'
Notice: Applied catalog in 0.03 seconds

If you already have an LDAP implementation in which you can extend the schema, then you can use the LDAP node terminus that is shipped with Puppet. The support for this backend for puppetserver has not been maintained as well as it was in the previous releases of Puppet. I still feel that this backend is useful for certain installations. I will outline the steps to be taken to have this backend operate with a puppetserver installation. Using this schema adds a new objectclass called puppetclass. Using this objectclass, you can set the environment, set top scope variables, and include classes. The LDAP schema that is shipped with Puppet includes puppetClass, parentNode, environment, and puppetVar attributes that are assigned to the objectclass named puppetClient. The LDAP experts should note that all four of these attributes are marked as optional and the objectclass named puppetClient is non-structural. To use the LDAP terminus, you must have a working LDAP implementation; apply the Puppet schema to that installation and add the ruby-ldap package to your Puppet masters (to allow the master to query for node information).

olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: packtpub

olcRootDN: cn=config
olcRootPW: packtpub

# ldapsearch -LLL -x -b'dc=example,dc=com'
No such object (32)

# curl -O https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema

include /etc/openldap/schema/puppet.schema

# mkdir /tmp/puppet-ldap
# slaptest -f puppet-ldap.conf -F /tmp/puppet-ldap/
config file testing succeeded

dn: cn=puppet,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: puppet
olcAttributeTypes: ( 1.3.6.1.4.1.34380.1.1.3.10 NAME 'puppetClass' DESC 'Puppet Node Class' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.34380.1.1.3.9 NAME 'parentNode' DESC 'Puppet Parent Node' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.34380.1.1.3.11 NAME 'environment' DESC 'Puppet Node Environment' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: ( 1.3.6.1.4.1.34380.1.1.3.12 NAME 'puppetVar' DESC 'A variable setting for puppet' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.3.6.1.4.1.34380.1.1.1.2 NAME 'puppetClient' DESC 'Puppet Client objectclass' SUP top AUXILIARY MAY ( puppetclass $ parentnode $ environment $ puppetvar ) )

# ldapadd -x -f cn\=\{0\}puppet.ldif -D'cn=config' -W
Enter LDAP Password: packtpub
adding new entry "cn=puppet,cn=schema,cn=config"

dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example
dc: example

dn: ou=hosts,dc=example,dc=com
objectclass: organizationalUnit
ou: hosts

dn: ou=production,ou=hosts,dc=example,dc=com
objectclass: organizationalUnit
ou: production

# ldapadd -x -f start.ldif -D'cn=manager,dc=example,dc=com' -W
Enter LDAP Password: packtpub
adding new entry "dc=example,dc=com"
adding new entry "ou=hosts,dc=example,dc=com"
adding new entry "ou=production,ou=hosts,dc=example,dc=com"

dn: cn=web_main_lp01,ou=production,ou=hosts,dc=example,dc=com
objectclass: puppetClient
objectclass: device
puppetClass: web
puppetClass: base
puppetvar: role='Production Web Server'

# ldapadd -x -f web_main_lp01.ldif -D'cn=manager,dc=example,dc=com' -W
Enter LDAP Password: packtpub
adding new entry "cn=web_main_lp01,ou=production,ou=hosts,dc=example,dc=com"

node_terminus = ldap
ldapserver = ldap.example.com
ldapbase = ou=hosts,dc=example,dc=com

# puppetserver gem install jruby-ldap
Fetching: jruby-ldap-0.0.2.gem (100%)
Successfully installed jruby-ldap-0.0.2
1 gem installed

if RUBY_PLATFORM =~ /^java.*/i
  class LDAP::Entry
     def to_hash
        h = {}
        get_attributes.each { |a| h[a.downcase.to_sym] = self[a] }
        h[:dn] = [dn]
        h
     end
  end
end

class base {
  file {'/etc/motd':
    mode => '0644',
    owner => '0',
    group => '0',
    content => inline_template("Role: <%= @role %>\nManaged Node: <%= @hostname %>\nManaged by Puppet version <%= @puppetversion %>\n"),
  }
}

# cat /etc/motd
Role: 'Production Web Server'
Managed Node: web_main_lp01
Managed by Puppet version 4.2.1

#  node_terminus = ldap
#  ldapserver = puppet.example.com
#  ldapbase = ou=hosts,dc=example,dc=com

Hiera only needs to be installed on your Puppet master nodes. Using the Puppet Labs repo, Hiera is installed by the puppet-agent package. Our installation pulled down puppet-agent-1.2.2-1.el7.x86_64, which installs Hiera version 3.0.1, as shown here:

[thomas@stand ~]$ hiera --version
3.0.1

Previous versions of the command-line Hiera tool would expect the Hiera configuration file, hiera.yaml, in /etc/hiera.yaml. The previous versions of Puppet would expect the configuration file in /etc/puppet/hiera.yaml or /etc/puppetlabs/puppet/hiera.yaml, depending on the version of Puppet. This caused some confusion, as the command-line utility will, by default, search in a different file than Puppet. This problem has been corrected in Puppet 4; the Hiera configuration file is now located in the /etc/puppetlabs/code directory. The default location for the hieradata directory includes the value of the current environment and is located at /etc/puppetlabs/code/environments/%{environment}/hieradata.

Now, we can create a simple hiera.yaml in /etc/puppet/hiera.yaml to show how the hierarchy is applied to a node, as shown here:

---
:hierarchy:
  - "hosts/%{::hostname}"
  - "roles/%{::role}"
  - "%{::kernel}/%{::os.family}/%{:os.release.major}"
  - "is_virtual/%{::is_virtual}"
  - common
:backends:
  - yaml
:yaml:
  :datadir:

This hierarchy is quite basic. Hiera will look for a variable starting with the hostname of the node in the host's directory and then move to the top scope variable role in the directory roles. If a value is not found in the roles, it will look in the /etc/puppet/hieradata/kernel/osfamily/ directory (where kernel and osfamily will be replaced with the Facter values for these two facts) for a file named lsbmajdistrelease.yaml. On my test node, this would be /etc/puppet/hieradata/Linux/RedHat/6.yaml. If the value is not found there, then Hiera will continue to look in hieradata/is_virtual/true.yaml (as my node is a virtual machine, the value of is_virtual will be true). If the value is still not found, then the default file common.yaml will be tried. If the value is not found in common, then the command-line utility will return nil.

When using the hiera function in manifests, always set a default value, as failure to find anything in Hiera will lead to a failed catalog (although having the node fail when this happens is often used intentionally as an indicator of a problem).

As an example, we will set a variable syslogpkg to indicate which syslog package is used on our nodes. The syslog package is responsible for system logging. For EL7 and EL6 machines, the package is rsyslog; for EL5, the package is syslog. Create three YAML files, one for EL6 and EL7 at /etc/puppetlabs/code/environments/production/hieradata/Linux/RedHat/7.yaml using the following code:

---
syslogpkg: rsyslog  

Create another YAML file for EL5 at /etc/puppetlabs/code/environments/production/hieradata/Linux/RedHat/5.yaml using the following code:

---
syslogpkg: syslog

With these files in place, we can test our Hiera by setting top scope variables (facts), using a YAML file. Create a facts.yaml file with the following content:

is_virtual: true
kernel: Linux
os:
  family: RedHat
  release:
    major: "7"

We run Hiera three times, changing the value of os.release.major from 7 to 5 to 4 and observe the following results:

[thomas@stand ~]$ hiera syslogpkg -y facts.yaml environment=production
rsyslog
[thomas@stand ~]$ hiera syslogpkg -y facts.yaml environment=production
syslog
[thomas@stand ~]$ hiera syslogpkg -y facts.yaml environment=production
nil

In the previous commands, we change the value of os.release.major from 7 to 5 to 4 to simulate the nodes running on EL7, EL5 and EL4. We do not have a 4.yaml file, so there is no setting of syslogpkg and hiera that returns nil.

Now to use Hiera in our manifests, we can use the hiera function inline or set a variable using Hiera. When using Hiera, the syntax is hiera('variable','default'). The variable value is the key you are interested in looking at; the default value is the value to use when nothing is found in the hierarchy. Create a syslog module in /etc/puppet/modules/syslog/manifest/init.pp that starts syslog and makes sure the correct syslog is installed, as shown here:

class syslog {
  $syslogpkg = hiera('syslogpkg','syslog')
  package {"$syslogpkg":
    ensure => 'installed',
  }
  service {"$syslogpkg":
    ensure => true,
    enable => true,
  }
}

Then create an empty /etc/puppet/manifests/site.pp file that includes syslog, as shown here:

node default {
  include syslog
}

In this code, we set our default node to include the syslog module and then we define the syslog module. The syslog module looks for the Hiera variable syslogpkg to know which syslog package to install. Running this on our client node, we see that rsyslog is started as we are running EL7, as shown here:

[thomas@client ~]$ sudo puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client.example.com
Info: Applying configuration version '1442381098'
Notice: /Stage[main]/Syslog/Package[rsyslog]/ensure: created
Notice: /Stage[main]/Syslog/Service[rsyslog]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Syslog/Service[rsyslog]: Unscheduling refresh on Service[rsyslog]
Notice: Applied catalog in 7.83 seconds

In the enterprise, you want a way to automatically apply classes to nodes based on facts. This is part of a larger issue of separating the code of your modules from the data used to apply them. We will examine this issue in greater depth in Chapter 9, Roles and Profiles. Hiera has a function that makes this very easy—hiera_include. Using hiera_include, you can have Hiera apply classes to a node based upon the hierarchy.

To use hiera_include, we set a Hiera variable to hold the name of the classes we would like to apply to the nodes. By convention, this is called classes, but it could be anything. We'll also set a variable role that we'll use in our new base class. We modify site.pp to include all the classes defined in the Hiera variable classes. We also set a default value if no values are found; this way we can guarantee that the catalogs will compile and all the nodes receive at least the base class. Edit /etc/puppetlabs/code/environments/production/manifest/site.pp, as follows:

node default {
  hiera_include('classes', 'base')
}

For the base class, we'll just set the motd file, as we've done previously. We'll also set a welcome string in Hiera. In common.yaml, we'll set this to something generic and override the value in a hostname-specific YAML file. Edit the base class in /etc/puppetlabs/code/environments/production/modules/base/manifests/init.pp, as follows:

class base {
  $welcome = hiera('welcome','Welcome')
  file {'/etc/motd':
    mode => '0644',
    owner => '0',
    group => '0',
    content => inline_template("<%= @welcome %>\nManaged Node: <%= @hostname %>\nManaged by Puppet version <%= @puppetversion %>\n"),
  }
}

This is our base class; it uses an inline template to set up the message of the day file (/etc/motd). We then need to set the welcome information in hieradata; edit /etc/puppet/hieradata/common.yaml to include the default welcome message, as shown here:

---
welcome: 'Welcome to Example.com'
classes:
  - 'base'
syslogpkg: 'nothing'

Now we can run Puppet on our node1 machine. After the successful run, our /etc/motd file has the following content:

Welcome to Example.com
Managed Node: client
Managed by Puppet version 4.2.1

Now, to test if our hierarchy is working as expected, we'll create a YAML file specifically for client, /etc/puppetlabs/code/environments/production/hieradata/hosts/client.yaml, as follows:

---
welcome: 'Welcome to our default node'

Again, we run Puppet on client and examine the contents of /etc/motd, as shown here:

[thomas@client ~]$ cat /etc/motd
Welcome to our default node
Managed Node: client
Managed by Puppet version 4.2.1

Now that we have verified that our hierarchy performs as we expect, we can use Hiera to apply a class to all the nodes based on a fact. In this example, we'll use the is_virtual fact to do some performance tuning on our virtual machines. We'll create a virtual class in /etc/puppet/modules/virtual/manifests/init.pp, which installs the tuned package. It then sets the tuned profile to virtual-guest and starts the tuned service, as shown here:

class virtual {
  # performance tuning for virtual machine
  package {'tuned':
    ensure => 'present',
  }
  service {'tuned':
    enable => true,
    ensure => true,
    require => Package['tuned']
  }
  exec {'set tuned profile':
    command => '/usr/sbin/tuned-adm profile virtual-guest',
    unless => '/bin/grep -q virtual-guest /etc/tune-profiles/activeprofile',
  }
}

This module ensures that the tuned package is installed and the tuned service is started. It then verifies that the current tuned profile is set to virtual-guest (using a grep statement in the unless parameter to the exec). If the current profile is not virtual-guest, the profile is changed to virtual-guest using tuned-adm.

To ensure that this class is applied to all virtual machines, we simply need to add it to the classes Hiera variable in /etc/puppet/hieradata/is_virtual/true.yaml, as shown here:

---
classes:
  - 'virtual'

Now our test node client is indeed virtual, so if we run Puppet now, the virtual class will be applied to the node and we will see that the tuned profile is set to virtual-guest. Running tuned-adm active on the host returns the currently active profile. When we run it initially, the command is not available as the tuned rpm has not been installed yet, as you can see here:

[thomas@client ~]$ sudo tuned-adm active
sudo: tuned-adm: command not found

Next, we run puppet agent to set the active profile (tuned is installed by default on EL7 systems):

[thomas@client ~]$ sudo puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client.example.com
Info: Applying configuration version '1442383469'
Notice: /Stage[main]/Virtual/Exec[set tuned profile]/returns: executed successfully
Notice: Applied catalog in 1.15 seconds

Now, when we run tuned-adm active we see that the active profile has been changed accordingly:

[thomas@client ~]$ sudo tuned-adm active
Current active profile: virtual-guest

This example shows the power of using Hiera, with hiera_include and a well-organized hierarchy. Using this method, we can have classes applied to nodes based on facts and reduce the need for custom classes on nodes. We do, however, have the option of adding classes per node since we have a hosts/%{hostname} entry in our hierarchy. If you had, for instance, a module that only needed to be installed on 32-bit systems, you could make an entry in hiera.yaml for %{architecture} and only create an i686.yaml file that contained the class in question. Building up your classes in this fashion reduces the complexity of your individual node configurations.

In fact, in Puppet version 3, architecture is available as both architecture and os.architecture.

Another great feature of Hiera is its ability to automatically fill in values for parameterized class attributes. For this example, we will create a class called resolver and set the search parameter for our /etc/resolv.conf file using Augeas.

First, we will create a resolver class as follows in /etc/puppetlabs/code/environments/production/modules/resolver/manifests/init.pp:

class resolver($search = "example.com") {
  augeas { 'set resolv.conf search':
    context => '/files/etc/resolv.conf',
    changes => [
      "set search/domain '${search}'"
    ],
  }
}

Then we add resolver to our classes in /etc/puppetlabs/code/environments/production/hieradata/hosts/client.yaml, so as to have resolver applied to our node, as shown here:

---
welcome: 'Welcome to our default node'
classes:
  - resolver

Now we run Puppet on the client; Augeas will change the resolv.conf file to have the search domain set to the default example.com:

[thomas@client ~]$ sudo puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client.example.com
Info: Applying configuration version '1442411609'
Notice: Augeas[set resolv.conf search](provider=augeas): 
--- /etc/resolv.conf 2015-09-16 09:53:15.727804673 -0400
+++ /etc/resolv.conf.augnew 2015-09-16 09:53:28.108995714 -0400
@@ -2,3 +2,4 @@
 nameserver 8.8.8.8
 nameserver 8.8.4.4
 domain example.com
+search example.com

Notice: /Stage[main]/Resolver/Augeas[set resolv.conf search]/returns: executed successfully
Notice: Applied catalog in 1.41 seconds

Now, to get Hiera to override the default parameter for the parameterized class resolver, we simply set the Hiera variable resolver::search in our /etc/puppetlabs/code/environments/production/hieradata/hosts/client.yaml file, as shown here:

---
welcome: 'Welcome to our default node'
classes:
  - resolver
resolver::search: 'devel.example.com'

Running puppet agent another time on node1 will change the search from example.com to devel.example.com, using the value from the Hiera hierarchy file, as you can see here:

[thomas@client ~]$ sudo puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client.example.com
Info: Applying configuration version '1442411732'
Notice: Augeas[set resolv.conf search](provider=augeas): 
--- /etc/resolv.conf	2015-09-16 09:53:28.155509013 -0400
+++ /etc/resolv.conf.augnew	2015-09-16 09:55:30.656393427 -0400
@@ -2,4 +2,4 @@
 nameserver 8.8.8.8
 nameserver 8.8.4.4
 domain example.com
-search example.com
+search devel.example.com

Notice: /Stage[main]/Resolver/Augeas[set resolv.conf search]/returns: executed successfully
Notice: Applied catalog in 0.94 seconds

By building up your catalog in this fashion, it's possible to override parameters of any class. At this point, our client machine has the virtual, resolver and base classes, but our site manifest (/etc/puppet/manifests/site.pp) only has a hiera_include line, as shown here:

node default {
  hiera_include('classes',base)
}

In the enterprise, this means that you can add new hosts without modifying your site manifest and that you can customize the classes and any parameters to those classes.

Two other functions exist for using Hiera; they are hiera_array and hiera_hash. These functions do not stop at the first match found in Hiera and instead return either an array or hash of all the matches. This can also be used in powerful ways to build up definitions of variables. One good use of this is in setting the name servers a node will query. Using hiera_array instead of the hiera function, you can not only set nameservers based on the hostname of the node or some other facts, but also have the default nameservers from your common.yaml file applied to the node.

Hiera's main configuration file can also use environment, as a variable. This leads us to two options: a single hierarchy with the environment as a hierarchy item and multiple hierarchies where the path to the hieradata directory comes from the environment setting. To have separate hieradata trees, you can use environment in the datadir setting for the backend, or to have parts of the hierarchy tied to your environment, put %{::environment} in the hierarchy.

Stand# cd /etc/puppetlabs/code/environments
stand# cp -a production/hieradata development

:yaml:
  :datadir: '/etc/puppetlabs/code/environments/%{::environment}/hieradata'

---
welcome: 'Production Node: watch your step.'

---
welcome: "Development Node: it can't rain all the time."

[root@client ~]# puppet agent -t
…
Notice: /Stage[main]/Base/File[/etc/motd]/ensure: defined content as '{md5}8147bf5dbb04eba29d5efb7e0fa28ce2'
Notice: Applied catalog in 0.83 seconds
[root@client ~]# cat /etc/motd
Production Node: watch your step.
Managed Node: client
Managed by Puppet version 4.2.2

[root@client ~]# puppet agent -t --environment=development
…
Notice: /Stage[main]/Base/File[/etc/motd]/content: 
--- /etc/motd   2015-09-30 21:35:59.523156901 -0700
+++ /tmp/puppet-file20150930-3185-1vyeusl       2015-09-30 21:45:18.444186406 -0700
@@ -1,3 +1,3 @@
-Production Node: watch your step.
+Development Node: it can't rain all the time.
 Managed Node: client
 Managed by Puppet version 4.2.2

Info: Computing checksum on file /etc/motd
Info: /Stage[main]/Base/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum 8147bf5dbb04eba29d5efb7e0fa28ce2
Notice: /Stage[main]/Base/File[/etc/motd]/content: content changed '{md5}8147bf5dbb04eba29d5efb7e0fa28ce2' to '{md5}dc504aeaeb934ad078db900a97360964'
Notice: Applied catalog in 0.04 seconds

---
:hierarchy:
  - "environments/%{environment}"
  - "hosts/%{hostname}"
  - "roles/%{role}"
  - "%{kernel}/%{os.family}/%{os.release.major}"
  - "is_virtual/%{is_virtual}"
  - common
:backends:
  - yaml
:yaml:
  :datadir: '/etc/puppetlabs/code/hieradata'

---
welcome: 'Single tree production welcome'

---
welcome: 'Development in Single Tree'

[root@client ~]# puppet agent -t
…
Notice: /Stage[main]/Base/File[/etc/motd]/content: 
--- /etc/motd   2015-09-30 21:45:18.465186407 -0700
+++ /tmp/puppet-file20150930-3221-bh9ik5        2015-09-30 21:53:43.283213056 -0700
@@ -1,3 +1,3 @@
-Development Node: it can't rain all the time.
+Single tree production welcome
…
Notice: Applied catalog in 0.67 seconds

Our configuration for Hiera did not specify production or development environments in hiera.yaml. We used the environment value to fill in a path on the filesystem. The directory environments in Puppet function the same way. Directory environments are the preferred method for configuring environments. When using directory environments, it is important to always account for the production environment, since it is the default setting for any node, when environment is not explicitly set.

Puppet determines where to look for directory environments, based on the environmentpath configuration variable. In Puppet 4, the default environmentpath is /etc/puppetlabs/code. Within each environment, an environment.conf file can be used to specify modulepath, manifest, config_version and environment_timeout per environment. When Puppet compiles a catalog, it will run the script specified by config_version and use the output as the config version of the catalog. This provides a mechanism to determine which code was used to compile a specific catalog.

Versions 3.7 and above of Puppet also support a parser setting, which determines which parser (current or future) is used to compile the catalog in each environment. In version 4 and above, the future parser is the only available parser. Using the parser setting, it is possible to test your code against the future parser before upgrading from Puppet 3.x to 4. The usage scenario for the parser option will be to upgrade your development environments to the future parser and fix any problems you encounter along the way. You will then promote your code up to production and enable the future parser in production.

Using the manifest option in environment.conf, it is possible to have a per environment site manifests. If your enterprise requires a site manifest to be consistent between environments, you can set disable_per_environment_manifest = true in puppet.conf to use the same site manifest for all environments.

If an environment does not specify a manifest in environment.conf, the manifest specified in default_manifest is used. A good use of this setting is to specify a default manifest and not specify one within your environment.conf files. You can then test a new site manifest in an environment by adding it to the environment.conf within that environment.

The modulepath within environment.conf may have relative paths and absolute paths. To illustrate, consider the environment named mastering. In the mastering directory within environmentpath (/etc/puppetlabs/code/environments), the environment.conf file has modulepath set to modules:public:/etc/puppetlabs/code/modules. When searching for modules in the mastering environment, Puppet will search the following locations:

Another useful setting in puppet.conf is basemodulepath. You may configure basemodulepath to a set of directories containing your enterprise wide modules or modules that are shared across multiple environments. The $basemodulepath variable is available within environment.conf. A typical usage scenario is to have modulepath within environment.conf configured with $basemodulepath, defined first in the list of directories, as shown here:

modulepath=$basemodulepath:modules:site:/etc/puppetlabs/code/modules

A great use of directory environments is to create test environments where you can experiment with modifications to your site manifest without affecting other environments. (provided you haven't used the disable_per_environment_manifest setting). As an example, we'll create a sandbox environment and modify the manifest within that environment.

Create the sandbox directory and environment.conf with the following contents:

manifest=/etc/puppetlabs/code/test

Now, create the site manifest at /etc/puppetlabs/code/test/site.pp with the following code:

node default {
  notify {"Trouble in the Henhouse": }
}

Now when you do an agent run on the client node against the sandbox environment, the site manifest in /etc/puppetlabs/code/test will be used, as shown here:

[root@client ~]# puppet agent -t --environment sandbox
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client.local
Info: Applying configuration version '1443285153'
Notice: Trouble in the Henhouse
Notice: /Stage[main]/Main/Node[default]/Notify[Trouble in the Henhouse]/message: defined 'message' as 'Trouble in the Henhouse'
Notice: Applied catalog in 0.02 seconds

This type of playing around with environments is great for a single developer, but when you are working in a large team, you'll need some version control and automation to convert this to a workable solution. With a large team, it is important that admins do not interfere with each other when making changes to the /etc/puppetlabs/code directory. In the next section, we'll use Git to automatically create environments and share environments between developers.

For further reading on environments, refer to the Puppet Labs website at http://docs.puppetlabs.com/guides/environment.html.

Git is the de facto version control software with Puppet because of its implementation of rapid branching. There are numerous other reasons for using Git in general. Each user of Git is given a complete copy of the revision history whenever they clone a Git repository. Each developer is capable of acting as a backup for the repository, should the need arise. Git allows each developer to work independently from the master repository; thus, allowing developers to work offsite and even without network connectivity.

This section isn't intended to be an exhaustive guide of using Git. We'll cover enough commands to get your job done, but I recommend that you do some reading on the subject to get well acquainted with the tool.

To get started with Git, we need to create a bare repository. By bare, we mean that only the meta information and checksums will be stored; the files will be in the repository but only in the checksum form. Only the main location for the repository needs to be stored in this fashion.

In the enterprise, you want the Git server to be a separate machine, independent of your Puppet master. Perhaps, your Git server isn't even specific for your Puppet implementation. The great thing about Git is that it doesn't really matter at this point; we can put the repository wherever we wish.

To make things easier to understand, we'll work on our single worker machine for now, and in the final section, we will create a new Git server to hold our Git repository.

On our standalone machine, install Git using yum, as shown here:

[root@stand ~]# yum install -y git
...
Installed:  git.x86_64 0:1.8.3.1-5.el7

Now, decide on a directory to hold all your Git repositories. We'll use /var/lib/git in this example.

The /var/lib/git path closely resembles the paths used by other EL packages. Since running everything as root is unnecessary, we will create a Git user and make that user the owner of the Git repositories.

Create the directory to contain our repository first (/var/lib/git) and then create an empty Git repository (using the git init –bare command) in that location, as shown in the following code:

[root@stand ~]# useradd git -c 'Git Repository Owner' -d /var/lib/git
[root@stand ~]# sudo -iu git
[git@stand ~]$ pwd
/var/lib/git
[git@stand ~]$ chmod 755 /var/lib/git
[git@stand ~]$ git init --bare control.git
Initialized empty Git repository in /var/lib/git/control.git/
[git@stand ~]$ cd /tmp
[git@stand tmp]$ git clone /var/lib/git/control.git
Cloning into 'control'...
warning: You appear to have cloned an empty repository.
done.
[git@stand tmp]$ cd control
[git@stand control]$ git status
# On branch master
#
# Initial commit
#
nothing to commit (create/copy files and use "git add" to track)

Now that our repository is created, we should start adding files to the repository. However, we should first configure Git. Git will store our username and e-mail address with each commit. These settings are controlled with the git config command. We will add the --global option to ensure that the config file in ~/.git is modified, as shown in the following example:

[git@stand ~]$ git config --global user.name 'Git Repository Owner'
[git@stand ~]$ git config --global user.email 'git@example.com' 

Now, we'll copy in our production modules and commit them. We'll copy the files from the /etc/puppet/environments/production directory of our worker machines and then add them to the repository using the git add command, as shown here:

[git@stand ~]$ cd /tmp/control/
[git@stand control]$ cp -a /etc/puppetlabs/code/environments/production/* .
[git@stand control]$ ls environment.conf  hieradata  manifests  modules
[git@stand control]$ git status
# On branch master
#
# Initial commit
#
# Untracked files:
#   (use "git add <file>..." to include in what will be committed)
#
#       environment.conf
#       hieradata/
#       manifests/

#       modules/
nothing added to commit but untracked files present (use "git add" to track) 

We've copied our hieradata, manifests, and modules directories, but Git doesn't know anything about them. We now need to add them to the Git repository and commit to the default branch master. This is done with two Git commands, first using git add and then using git commit, as shown in the following code:

[git@stand control]$ git add hieradata manifests modules environment.conf
[git@stand control]$ git commit -m "initial commit"
[master (root-commit) 316a391] initial commit14 files changed, 98 insertions(+)…
 create mode 100644 modules/web/manifests/init.pp

At this point, we've committed our changes to our local copy of the repository. To ensure that we understand what is happening, we'll clone the initial location again into another directory (/tmp/control2), using the following commands:

[git@stand control]$ cd /tmp
[git@stand tmp]$ mkdir control2
[git@stand tmp]$ git clone /var/lib/git/control.git .fatal: destination path '.' already exists and is not an empty directory.
[git@stand tmp]$ cd control2
[git@stand control2]$ git clone /var/lib/git/control.git .Cloning into '.'...warning: You appear to have cloned an empty repository.done.
[git@stand control2]$ ls 

Our second copy doesn't have the files we just committed, and they only exist in the first local copy of the repository. One of the most powerful features of Git is that it is a self-contained environment. Going back to our first clone (/tmp/control), examine the contents of the .git/config file. The url setting for remote "origin" points to the remote master that our repository is based on (/var/lib/git/control.git), as shown in the following code:

[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
[remote "origin"]
        url = /var/lib/git/control.git
        fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
        remote = origin
        merge = refs/heads/master 

In Git, origin is where the original remote repository lives. In this example, it is a local location (/var/lib/git/control.git), but it can also be an HTTPS URI or SSH URI.

To push the local changes to the remote repository, we use git push; the default push operation is to push it to the first [remote] repository (named origin by default) to the currently selected branch (the current branch is given in the output from git status). The default branch in Git is named master, as we can see in the [branch "master"] section. To emphasize what we are doing, we'll type in the full arguments to push (although git push will achieve the same result in this case), as you can see here:

[git@stand control]$ cd
[git@stand ~]$ cd /tmp/control
[git@stand control]$ git push origin master
Counting objects: 34, done.
Compressing objects: 100% (15/15), done.
Writing objects: 100% (34/34), 3.11 KiB | 0 bytes/s, done.
Total 34 (delta 0), reused 0 (delta 0)
To /var/lib/git/control.git
 * [new branch]      master -> master 

Now, even though our remote repository has the updates, they are still not available in our second copy (/tmp/control2). We must now pull the changes from the origin to our second copy using git pull. Again, we will type in the full argument list (this time, git pull will do the same thing), as shown here:

[git@stand ~]$ cd /tmp/control
[git@stand control]$ git push origin master
Counting objects: 34, done.
Compressing objects: 100% (15/15), done.
Writing objects: 100% (34/34), 3.11 KiB | 0 bytes/s, done.
Total 34 (delta 0), reused 0 (delta 0)
To /var/lib/git/control.git
 * [new branch]      master -> master
[git@stand control]$ cd
[git@stand ~]$ cd /tmp/control2
[git@stand control2]$ git status
# On branch master
#
# Initial commit
#
nothing to commit (create/copy files and use "git add" to track)
[git@stand control2]$ ls
[git@stand control2]$ git pull origin master
remote: Counting objects: 34, done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 34 (delta 0), reused 0 (delta 0)
Unpacking objects: 100% (34/34), done.
From /var/lib/git/control
 * branch            master     -> FETCH_HEAD
[git@stand control2]$ ls
environment.conf  hieradata  manifests  modules 

Two useful commands that you should know at this point are git log and git show. The git log command will show you the log entries from Git commits. Using the log entries, you can run git show to piece together what your fellow developers have been doing. The following snippet shows the use of the following two commands in our example:

[git@stand control2]$ git log
commit 316a391e2641dd9e44d2b366769a64e88cc9c557
Author: Git Repository Owner <git@example.com>
Date:   Sat Sep 26 19:13:41 2015 -0400

    initial commit
[git@stand control2]$ git show 316a391e2641dd9e44d2b366769a64e88cc9c557
commit 316a391e2641dd9e44d2b366769a64e88cc9c557
Author: Git Repository Owner <git@example.com>
Date:   Sat Sep 26 19:13:41 2015 -0400

    initial commit

diff --git a/environment.conf b/environment.conf
new file mode 100644
index 0000000..c39193f
--- /dev/null
+++ b/environment.conf
@@ -0,0 +1,18 @@
+# Each environment can have an environment.conf file. Its settings will only
+# affect its own environment. See docs for more info:
+# https://docs.puppetlabs.com/puppet/latest/reference/config_file_environment.html
...

The git show command takes the commit hash as an optional argument and returns all the changes that were made with that hash.

Now that we have our code in the repository, we need to create a production branch for our production code. Branches are created using git branch. The important concept to be noted is that they are local until they are pushed to the origin. When git branch is run without arguments, it returns the list of available branches with the currently selected branch highlighted with an asterisk, as shown here:

[git@stand ~]$ cd /tmp/control
[git@stand control]$ git branch
* master
[git@stand control]$ git branch production
[git@stand control]$ git branch
* master
  production 

This sometimes confuses people. You have to checkout the newly created branch after creating it. You can do this in one step using the git checkout -b <branch_name> command, but I believe using this shorthand command initially leads to confusion. We'll now check our production branch and make a change. We will then commit to the local repository and push to the remote, as shown here:

[git@stand control]$ git checkout production
Switched to branch 'production'
[git@stand control]$ git branch
  master
* production
[git@stand control]$ cd hieradata/hosts/
[git@stand hosts]$ sed -i -e 's/watch your step/best behaviour/' client.yaml 
[git@stand hosts]$ git add client.yaml 
[git@stand hosts]$ git commit -m "modifying welcome message on client"
[production 74d2ff5] modifying welcome message on client
 1 file changed, 1 insertion(+), 1 deletion(-)
[git@stand hosts]$ git push origin production
Counting objects: 9, done.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 569 bytes | 0 bytes/s, done.
Total 5 (delta 1), reused 0 (delta 0)
To /var/lib/git/control.git
 * [new branch]      production -> production n

Now, in our second copy of the repository, let's confirm that the production branch has been added to the origin, using git fetch to retrieve the latest metadata from the remote origin, as shown here:

[git@stand hosts]$ cd /tmp/control2/
[git@stand control2]$ git branch -a
* master
[git@stand control2]$ git fetch
remote: Counting objects: 9, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 5 (delta 1), reused 0 (delta 0)
Unpacking objects: 100% (5/5), done.
From /var/lib/git/control
 * [new branch]      master     -> origin/master
 * [new branch]      production -> origin/production
[git@stand control2]$ git branch -a
* master
  remotes/origin/master
  remotes/origin/production 

It is important to run git fetch routinely, to take a look at the changes that your teammates may have made and branches that they may have created. Now, we can verify whether the production branch has the change we made. The –a option to git branch instructs Git to include remote branches in the output. We'll display the current contents of client.yaml and then run git checkout production to see the production version, as shown here:

[git@stand control2]$ grep welcome hieradata/hosts/client.yaml 
welcome: 'Production Node: watch your step.'
[git@stand control2]$ git checkout production
Branch production set up to track remote branch production from origin.
Switched to a new branch 'production'
[git@stand control2]$ grep welcome hieradata/hosts/client.yaml 
welcome: 'Production Node: best behaviour.'

As we can see, the welcome message in the production branch is different from that of the master branch. At this point, we'd like to have the production branch in /etc/puppetlabs/code/environments/production and the master branch in /etc/puppetlabs/code/environments/master. We'll perform these commands, as the root user, for now:

[root@stand ~]# cd /etc/puppetlabs/code/
[root@stand code]# mv environments environments.orig
[root@stand code]# mkdir environments
[root@stand code]# cd environments
[root@stand environments]# for branch in production master
> do
> git clone -b $branch /var/lib/git/control.git $branch
> done
Cloning into 'production'...
done.
Cloning into 'master'...
done. 

Now that our production branch is synchronized with the remote, we can do the same for the master branch and verify whether the branches differ, using the following command:

[root@stand environments]# diff production/hieradata/hosts/client.yaml master/hieradata/hosts/client.yaml 
2c2
< welcome: 'Production Node: best behaviour.'
---
> welcome: 'Production Node: watch your step.'

Running Puppet on client in the production environment will now produce the change we expect in /etc/motd, as follows:

Production Node: best behaviour.
Managed Node: client
Managed by Puppet version 4.2.2 

:datadir: "/etc/puppetlabs/code/environments/%{::environment}/hieradata"

Run the agent again with the master environment, to change motd, as shown here:

[root@client ~]# puppet agent -t --environment master
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for client.example.com
Info: Applying configuration version '1443313038'
Notice: /Stage[main]/Virtual/Exec[set tuned profile]/returns: executed successfully
Notice: /Stage[main]/Base/File[/etc/motd]/content: 
--- /etc/motd   2015-10-01 22:23:02.786866895 -0700
+++ /tmp/puppet-file20151001-12407-16iuoej      2015-10-01 22:24:02.999870073 -0700
@@ -1,3 +1,3 @@
-Production Node: best behaviour.
+Production Node: watch your step.
 Managed Node: client
 Managed by Puppet version 4.2.2

Info: Computing checksum on file /etc/motd
Info: /Stage[main]/Base/File[/etc/motd]: Filebucketed /etc/motd to puppet with sum 490af0a672e3c3fdc9a3b6e1bf1f1c7b
Notice: /Stage[main]/Base/File[/etc/motd]/content: content changed '{md5}490af0a672e3c3fdc9a3b6e1bf1f1c7b' to '{md5}8147bf5dbb04eba29d5efb7e0fa28ce2'
Notice: Applied catalog in 1.07 seconds 

Our standalone Puppet master is now configured such that each branch of our control repository is mapped to a separate Puppet environment. As new branches are added, we have to set up the directory manually and push the contents to the new directory. If we were working in a small environment, this arrangement of Git pulls will be fine; but, in an enterprise, we would want this to be automatic. In a large environment, you would also want to define your branching model to ensure that all your team members are working with branches in the same way. Good places to look for branching models are http://nvie.com/posts/a-successful-git-branching-model/ and https://git-scm.com/book/en/v2/Git-Branching-Branching-Workflows. Git can run scripts at various points in the commitment of code to the repository—these scripts are called hooks.

Git provides several hook locations that are documented in the githooks man page. The hooks of interest are post-receive and pre-receive. A post-receive hook is run after a successful commit to the repository and a pre-receive hook is run before any commit is attempted. Git hooks can be written in any language; the only requirement is that they should be executable.

Each time you commit to a Git repository, Git will create a hash that is used to reference the state of the repository after the commit. These hashes are used as references to the state of the repository. A branch in Git refers to a specific hash, you can view this hash by looking at the contents of .git/HEAD, as shown here:

[root@stand production]# cat .git/HEAD
ref: refs/heads/production

The hash will be in the file located at .git/refs/heads/production, as shown here:

[root@stand production]# cat .git/refs/heads/production 
74d2ff58470d009e96d9ea11b9c126099c9e435a

The post-receive and pre-receive hooks are both passed three parameters via stdin: the first is the commit hash that you are starting from (oldrev), the second is the new commit hash that you are creating (newrev), and the third is a reference to the type of change that was made to the repository, where the reference is the branch that was updated. Using these hooks, we can automate our workflow. We'll start using the post-receive hook to set up our environments for us.

#!/bin/bash
PUPPETDIR=/etc/puppetlabs/code/environments
REPOHOME=/var/lib/git/control.git
GIT=/bin/git
umask 0002
unset GIT_DIR

read oldrev newrev refname
branch=${refname#*\/*\/}
if [ -z $branch ]; then
 echo "ERROR: Updating $PUPPETDIR"
 echo "       Branch undefined"
 exit 10
fi

# if directory exists, check it is a git repository
if [ -d "$PUPPETDIR/$branch/.git" ]; then
  cd $PUPPETDIR/$branch
  echo "Updating $branch in $PUPPETDIR"
  sudo -u puppet $GIT pull origin $branch
  exit=$?

elif [ -d "$PUPPETDIR/$branch" ]; then
  # directory exists but is not in git
  echo "ERROR: Updating $PUPPETDIR"
  echo "       $PUPPETDIR/$branch is not a git repository"
  exit=20

else
  # directory does not exist, create
  cd $PUPPETDIR
  echo "Creating new branch $branch in $PUPPETDIR"
  sudo -u puppet $GIT clone -b $branch $REPOHOME $branch
  exit=$?
fi

exit $exit

git ALL = (puppet) NOPASSWD: /bin/git *

[root@stand ~]# chown puppet /etc/puppetlabs/code/environments 
[root@stand ~]# sudo -iu git
[git@stand ~]$ ls /etc/puppetlabs/code/environments
master  production
[git@stand ~]$ cd /tmp/control
[git@stand control]$ git branch thomas
[git@stand control]$ git checkout thomas
Switched to branch 'thomas'
 1 files changed, 1 insertions(+), 1 deletions(-)
[git@stand control]$ sed -i hieradata/hosts/client.yaml -e "s/welcome:.*/welcome: 'Thomas Branch'/"
[git@stand control]$ git add hieradata/hosts/client.yaml
[git@stand control]$ git commit -m "Creating thomas branch"
[thomas 598d13b] Creating Thomas branch
 1 file changed, 1 insertion(+)
[git@stand control]$ git push origin thomas
Counting objects: 9, done.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 501 bytes | 0 bytes/s, done.
Total 5 (delta 2), reused 0 (delta 0)
To /var/lib/git/control.git
 * [new branch]      thomas -> thomas
remote: Creating new branch thomas in /etc/puppetlabs/code/environments
remote: Cloning into 'thomas'...
remote: done.
To /var/lib/git/control.git
   b0fc881..598d13b  thomas -> thomas
[git@stand control]$ ls /etc/puppetlabs/code/environments
master  production  thomas

[root@client ~]# puppet agent -t --environment thomas
…
Notice: /Stage[main]/Base/File[/etc/motd]/content: 
--- /etc/motd   2015-10-01 22:24:03.057870076 -0700
+++ /tmp/puppet-file20151001-12501-1y5tl02      2015-10-01 22:55:59.132971224 -0700
@@ -1,3 +1,3 @@
-Production Node: watch your step.
+Thomas Branch
…
Notice: Applied catalog in 1.78 seconds 

[root@stand ~]# curl https://raw.githubusercontent.com/pdxcat/puppet-sync/4201dbe7af4ca354363975563e056edf89728dd0/puppet-sync >/usr/bin/puppet-sync
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  7246  100  7246    0     0   9382      0 --:--:-- --:--:-- --:--:--  9373
[root@stand ~]# chmod 755 /usr/bin/puppet-sync

#!/bin/bash
PUPPETDIR=/etc/puppetlabs/code/environments
REPOHOME=/var/lib/git/control.git

read oldrev newrev refname
branch=${refname#*\/*\/}
if [ -z "$branch" ]; then
  echo "ERROR: Updating $PUPPETDIR"
  echo "       Branch undefined"
  exit 10
fi

[ "$newrev" -eq 0 ] 2> /dev/null && DELETE='--delete' || DELETE=''
sudo -u puppet /usr/bin/puppet-sync \
  --branch "$branch" \
  --repository "$REPOHOME" \
  --deploy "$PUPPETDIR" \
  $DELETE 

git ALL = (puppet) NOPASSWD: /bin/git *, /usr/bin/puppet-sync *

[root@stand hooks]# sudo -iu git
[git@stand ~]$ cd /tmp/control
[git@stand control]$ git branch puppet_sync
[git@stand control]$ git checkout puppet_sync
Switched to branch 'puppet_sync'
[git@stand control]$ sed -i hieradata/hosts/client.yaml -e "s/welcome:.*/welcome: 'Puppet_Sync Branch, underscores are cool.'/"
[git@stand control]$ git add hieradata/hosts/client.yaml 
[git@stand control]$ git commit -m "creating puppet_sync branch"
[puppet_sync e3dd4a8] creating puppet_sync branch
 1 file changed, 1 insertion(+), 1 deletion(-)
[git@stand control]$ git push origin puppet_sync
Counting objects: 9, done.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 499 bytes | 0 bytes/s, done.
Total 5 (delta 2), reused 0 (delta 0)
remote: .--------------------------------------------- PuppetSync ---
remote: | Host        : stand.example.com
remote: | Branch      : puppet_sync
remote: | Deploy To   : /etc/puppetlabs/code/environments/puppet_sync
remote: | Repository  : /var/lib/git/control.git
remote: `------------------------------------------------------------
To /var/lib/git/control.git
   e96c344..6efa315  puppet_sync -> puppet_sync

Up to this point, we've been working with the Git account to make our changes. In the real world, we want the developers to work with their own user account. We need to worry about permissions at this point. When each developer commits their code, the commit will run as their user; so, the files will get created with them as the owner, which might prevent other developers from pushing additional updates. Our post-receive hook will run as their user, so they need to be able to use sudo just like the Git user. To mitigate some of these issues, we'll use Git's sharedrepository setting to ensure that the files are group readable in /var/lib/git/control.git, and use sudo to ensure that the files in /etc/puppetlabs/code/environments are created and owned by the Puppet user.

We can use Git's built-in sharedrepository setting to ensure that all members of the group have access to the repository, but the user's umask setting might prevent files from being created with group-write permissions. Putting a umask setting in our script and running Git using sudo is a more reliable way of ensuring access. To create a Git repository as a shared repository, use shared=group while creating the bare repository, as shown here:

git@stand$ cd /var/lib/git
git@stand$ git init --bare --shared=group newrepo.git
Initialized empty shared Git repository in /var/lib/git/newrepo.git/

First, we'll modify our control.git bare repository to enable shared access, and then we'll have to retroactively change the permissions to ensure that group access is granted. We'll edit /var/lib/git/control.git/config, as follows:

[core]
        repositoryformatversion = 0
        filemode = true
        bare = true
        sharedrepository = 1

To illustrate our workflow, we'll create a new group and add a user to that group, as shown here:

[root@stand ~]# groupadd pupdevs
[root@stand ~]# useradd -g pupdevs -c "Sample Developer" samdev [root@stand ~]# id samdev
uid=1002(samdev) gid=1002(pupdevs) groups=1002(pupdevs)

Now, we need to retroactively go back and change the ownership of files in /var/lib/git/control.git to ensure that the pupdevs group has write access to the repository. We'll also set the setgid bit on that directory so that new files are group owned by pupdevs, as shown here:

[root@stand ~]# cd /var/lib/git
[root@stand git]# find control.git -type d -exec chmod g+rwxs {} \;
[root@stand git]# find control.git -type f -exec chmod g+rw {} \;
[root@stand git]# chgrp -R pupdevs control.git

Now, the repository will be accessible to anyone in the pupdevs group. We now need to add a rule to our sudoers file to allow anyone in the pupdevs group to run Git as the Puppet user, using the following code:

%pupdevs ALL = (puppet) NOPASSWD: /bin/git *, /usr/bin/puppet-sync *

If your repo is still configured to use puppet-sync to push updates, then you need to remove the production directory from /etc/puppetlabs/code/environments before proceeding. puppet-sync creates a timestamp file (.puppet-sync-stamp) in the base of the directories it controls and will not update an existing directory by default.

With this sudo rule in place, sudo to samdev, clone the repository and modify the production branch, as shown:

[root@stand git]# sudo -iu samdev
[samdev@stand ~]$ git clone /var/lib/git/control.git/
Cloning into 'control'...
done.
[samdev@stand ~]$ cd control/
[samdev@stand control]$ git config --global user.name "Sample Developer"
[samdev@stand control]$ git config --global user.email "samdev@example.com"
[samdev@stand control]$ git checkout production
Branch production set up to track remote branch production from origin.
Switched to a new branch 'production'
[samdev@stand control]$ sed -i hieradata/hosts/client.yaml -e "s/welcome: .*/welcome: 'Sample Developer made this change'/"
[samdev@stand control]$ echo "Example.com Puppet Control Repository" >README
[samdev@stand control]$ git add hieradata/hosts/client.yaml README 
[samdev@stand control]$ git commit -m "Sample Developer changing welcome"
[production 49b7367] Sample Developer changing welcome
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 README
[samdev@stand control]$ git push origin production
Counting objects: 10, done.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (6/6), 725 bytes | 0 bytes/s, done.
Total 6 (delta 0), reused 0 (delta 0)
To /var/lib/git/control.git/
   74d2ff5..49b7367  production -> production

We've updated our production branch. Our changes were automatically propagated to the Puppet environments directory. Now, we can run Puppet on a client (in the production environment) to see the changes, as shown:

[root@client ~]# puppet agent -t
Notice: /Stage[main]/Base/File[/etc/motd]/content: 
--- /etc/motd   2015-10-01 23:59:39.289172885 -0700
+++ /tmp/puppet-file20151002-12893-1pbrr8a      2015-10-02 00:01:24.552178442 -0700
@@ -1,3 +1,3 @@
-Production Node: best behaviour.
+Sample Developer made this change
…
Notice: Applied catalog in 0.95 seconds

Now, any user we add to the pupdevs group will be able to update our Puppet code and have it pushed to any branch. If we look in /etc/puppetlabs/code/environments, we can see that the owner of the files is also the Puppet user due to the use of sudo, as shown here:

[samdev@stand ~]$ ls -l /etc/puppetlabs/code/environments
total 12
drwxr-xr-x. 6 root   root     86 Sep 26 19:46 master
drwxr-xr-x. 6 puppet puppet 4096 Sep 26 22:02 production
drwxr-xr-x. 6 root   root     86 Sep 26 19:46 production.orig
drwxr-xr-x. 6 puppet puppet 4096 Sep 26 21:42 puppet_sync
drwxr-xr-x. 6 puppet puppet 4096 Sep 26 21:47 quiet
drwxr-xr-x. 6 puppet puppet   86 Sep 26 20:48 thomas

Our configuration at this point gives all users in the pupdevs group the ability to push changes to all branches. A usual complaint about Git is that it lacks a good system of access control. Using filesystem ACLs, it is possible to allow only certain users to push changes to specific branches. Another way to control commits is to use a pre-receive hook and verify if access will be granted before accepting the commit.

The pre-receive hook receives the same information as the post-receive hook. The hook runs as the user performing the commit so that we can use that information to block a user from committing to a branch or even doing certain types of commits. Merges, for instance, can be denied. To illustrate how this works, we'll create a new user called newbie and add them to the pupdevs group, using the following commands:

[root@stand ~]# useradd -g pupdevs -c "Rookie Developer" newbie
[root@stand ~]# sudo -iu newbie

We'll have newbie check our production code, make a commit, and then push the change to production, using the following commands:

[newbie@stand ~]$ git clone /var/lib/git/control.git
Cloning into 'control'...
done.
[newbie@stand ~]$ cd control
[newbie@stand control]$ git config --global user.name "Newbie"
[newbie@stand control]$ git config --global user.email "newbie@example.com"
[newbie@stand control]$ git checkout production
Branch production set up to track remote branch production from origin.
Switched to a new branch 'production'
[newbie@stand control]$ echo Rookie mistake >README
[newbie@stand control]$ git add README
[newbie@stand control]$ git commit -m "Rookie happens"
[production 23e0605] Rookie happens
 1 file changed, 1 insertion(+), 2 deletions(-)

Our rookie managed to wipe out the README file in the production branch. If this was an important file, then the deletion may have caused problems. It would be better if the rookie couldn't make changes to production. Note that this change hasn't been pushed up to the origin yet; it's only a local change.

We'll create a pre-receive hook that only allows certain users to commit to the production branch. Again, we'll use bash for simplicity. We will start by defining who will be allowed to commit and we are interested in protecting which branch, as shown in the following snippet:

#!/bin/bash

ALLOWED_USERS="samdev git root"
PROTECTED_BRANCH="production"

We will then use whoami to determine who has run the script (the developer who performed the commit), as follows:

user=$(whoami)

Now, just like we did in post-receive, we'll parse out the branch name and exit the script if we cannot determine the branch name, as shown in the following code:

read oldrev newrev refname
branch=${refname#*\/*\/}
if [ -z $branch ]; then
 echo "ERROR: Branch undefined"
 exit 10
fi

We compare the $branch variable against our protected branch and exit cleanly if this isn't a branch we are protecting, as shown in the following code. Exiting with an exit code of 0 informs Git that the commit should proceed:

if [ "$branch" != "$PROTECTED_BRANCH" ]; then
  # branch not protected, exit cleanly
  exit 0
fi

If we make it to this point in the script, we are on the protected branch and the $user variable has our username. So, we will just loop through the $ALLOWED_USERS variable looking for a user who is allowed to commit to the protected branch. If we find a match, we will exit cleanly, as shown in the following code:

for allowed in $ALLOWED_USERS
do
  if [ "$user" == "$allowed" ]; then
    # user allowed, exit cleanly
    echo "$PROTECTED_BRANCH change for $user"
    exit 0
  fi
done

If the user was not in the $ALLOWED_USERS variable, then their commit is denied and we exit with a non-zero exit code to inform Git that the commit should not be allowed, as shown in the following code:

# not an allowed user
echo "Error: Changes to $PROTECTED_BRANCH must be made by $ALLOWED_USERS"
exit 10

Save this file with the name pre-receive in /var/lib/git/puppet.git/hooks/ and then change the ownership to git. Make it executable using the following commands:

[root@stand ~]# chmod 755  /var/lib/git/control.git/hooks/pre-receive
[root@stand ~]# chown git:git /var/lib/git/control.git/hooks/pre-receive 

Now, we'll go back and make a simple change to the repository as root. It is important to always get in the habit of running git fetch and git pull origin <branch> when you start working on a branch. You need to do this to ensure that you have the latest version of the branch from your origin:

[root@stand ~]# sudo -iu samdev
[samdev@stand ~]$ pwd
/home/samdev
[samdev@stand ~]$ ls
control
[samdev@stand ~]$ cd control
[samdev@stand control]$ git branch
  master
* production
[samdev@stand control]$ git fetch
[samdev@stand control]$ git pull origin production
From /var/lib/git/control
 * branch            production -> FETCH_HEAD
Already up-to-date.
[samdev@stand control]$ echo root >>README
[samdev@stand control]$ git add README
[samdev@stand control]$ git commit -m README
[production cd1be0f] README
 1 file changed, 1 insertion(+)

Now, with the simple changes made (we appended our username to the README file), we can push the change to the origin using the following command:

[samdev@stand control]$ git push origin production
Counting objects: 5, done.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 324 bytes | 0 bytes/s, done.
Total 3 (delta 1), reused 0 (delta 0)
To /var/lib/git/control.git/
   b387c00..cd1be0f  production -> production

As expected, there are no errors and the README file is updated in the production branch by our post-receive hook. Now, we will attempt a similar change, as the newbie user. We haven't pushed our earlier change, so we'll try to push the change now, but first we have to merge the changes that samdev made by using git pull, as shown here:

[newbie@stand control]$ git pull origin production
remote: Counting objects: 5, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 3 (delta 1), reused 0 (delta 0)
Unpacking objects: 100% (3/3), done.
From /var/lib/git/control
 * branch            production -> FETCH_HEAD
Auto-merging README
CONFLICT (content): Merge conflict in README
Automatic merge failed; fix conflicts and then commit the result.

Our newbie user has wiped out the README file. They meant to append it to the file using two less than (>>) signs but instead used a single less than (>) sign and clobbered the file. Now, newbie needs to resolve the problems with the README file before they can attempt to push the change to production, as shown here:

[newbie@stand control]$ git add README
[newbie@stand control]$ git commit -m "fixing README"
[production 4ab787c] fixing README

Now newbie will attempt to push their changes up to the origin, as shown in the following example:

[newbie@stand control]$ git push origin production
Counting objects: 5, done.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 324 bytes | 0 bytes/s, done.
Total 3 (delta 1), reused 0 (delta 0)
remote: ERROR: Changes to production must be made by samdev git root
To /var/lib/git/control.git
 ! [remote rejected] production -> production (pre-receive hook declined)
error: failed to push some refs to '/var/lib/git/control.git'

We see the commit beginning—the changes from the local production branch in newbie are sent to the origin. However, before working with the changes, Git runs the pre-receive hook and denies the commit. So, from the origin's perspective, the commit never took place. The commit only exists in the newbie user's directory. If the newbie user wishes this change to be propagated, he'll need to contact either samdev, git, or root.

To pull in updates from the public module, you have to use the git pull command. First, add the public repository as a remote repository for our local clone as shown here:

[remotedev@client masteringpuppet]$ git remote add upstream git@github.com:uphillian/masteringpuppet.git
[remotedev@client masteringpuppet]$ git fetch upstream

The git fetch command is used to grab the latest data from the remote repository. With the latest version of the data available, we now use the git pull command to pull the latest changes into our current local branch as shown here:

[remotedev@client masteringpuppet]$ git pull upstream master
From github.com:uphillian/masteringpuppet
 * branch            master     -> FETCH_HEAD
Merge made by the 'recursive' strategy.
manifests/init.pp | 3 +++
 1 file changed, 3 insertions(+)
create mode 100644 manifests/init.pp

This will create an automatic merge of the upstream master branch in the local branch (provided there are no merge conflicts). Using the git tag command can be useful in this workflow. After each merge from the upstream public repository you can create a tag to refer to the current release of the repository. Using this local copy method we can use public modules within our organization without relying on direct connections to the public Internet. We are also able to make local modifications to our copy of the repository and maintain those changes independent of changes in the upstream module. This can become a problem if the upstream module makes changes that are incompatible with your changes. Any changes you make that can be pushed back to the upstream project are encouraged. Submitting a pull request on GitHub is a pain free way to share your improvements and modifications with the original developer.

When we distribute files with Puppet, we either send the whole file as is or we send over a template that has references to variables. The concat module offers us a chance to build up a file from fragments and have it reassembled on the node. Using concat, we can have files which live locally on the node incorporated into the final file as sections. More importantly, while working in a complex system, we can have more than one module adding sections to the file. In a simple example, we can have four modules, all of which operate on /etc/issue. The modules are as follows:

Using either the file or the template method to distribute the file won't work here because all of the four modules are modifying the same file. What makes this harder still is that we will have machines in our organization that require one, two, three, or all four of the modules to be applied. The concat module allows us to solve this problem in an organized fashion (not a haphazard series of execs with awk and sed). To use concat, you first define the container, which is the file that will be populated with the fragments. concat calls the sections of the file fragments. The fragments are assembled based on their order. The order value is assigned to the fragments and should have the same number of digits, that is, if you have 100 fragments then your first fragment should have 001, and not 1, as the order value. Our first module issue will have the following init.pp manifest file:

class issue {
  concat { 'issue':
    path => '/etc/issue',
  }
  concat::fragment {'issue_top':
    target  => 'issue',
    content => "Example.com\n",
    order   => '01',
  }
}

This defines /etc/issue as a concat container and also creates a fragment to be placed at the top of the file (order01). When applied to a node, the /etc/issue container will simply contain Example.com.

Our next module is issue_confidential. This includes the issue module to ensure that the container for /etc/issue is defined and we have our header. We then define a new fragment to contain the confidential warning, as shown in the following code:

class issue_confidential {
  include issue
  concat::fragment {'issue_confidential':
    target  => 'issue',
    content => "Unauthorised access to this machine is strictly prohibited. Use of this system is limited to authorised parties only.\n",
    order   => '05',
  }
}

This fragment has order05, so it will always appear after the header. The next two modules are issue_secret and issue_topsecret. They both perform the same function as issue_confidential but with different messages and orders, as you can see in the following code:

class issue_secret {
  include issue
  concat::fragment {'issue_secret':
    target  => 'issue',
    content => "All information contained on this system is protected, no information may be removed from the system unless authorised.\n",
    order   => '10',
  }
}
class issue_topsecret {
  include issue
  concat::fragment {'issue_topsecret':
    target  => 'issue',
    content => "You should forget you even know about this system.\n",
    order   => '15',
  }
}

We'll now add all these modules to the control repository in the dist directory. We also update the Puppetfile to include the location of the concat module, as shown here:

mod 'puppetlabs/concat'

We next need to update our environment.conf file to include the dist directory as shown here:

modulepath = modules:$basemodulepath:dist

Using our Hiera configuration from the previous chapter, we will modify the client.yaml file to contain the issue_confidential class as shown here:

---
welcome: 'Sample Developer made this change'
classes: 
  - issue_confidential

This configuration will cause the /etc/issue file to contain the header and the confidential warning. To have these changes applied to our /etc/puppetlabs/code/environments directory by r10k, we'll need to add all the files to the Git repository and push the changes, as shown here:

[samdev@stand control]$ git status
# On branch production
# Changes to be committed:
#   (use "git reset HEAD <file>..." to unstage)
#
#       modified:   Puppetfile
#       new file:   dist/issue/manifests/init.pp
#       new file:   dist/issue_confidential/manifests/init.pp
#       new file:   dist/issue_secret/manifests/init.pp
#    new file:   dist/issue_topsecret/manifests/init.pp
#       modified:   environment.conf
#       modified:   hieradata/hosts/client.yaml
#
[samdev@stand control]$ git commit -m "concat example"
[production 6b3e7ae] concat example
 7 files changed, 39 insertions(+), 1 deletion(-)
create mode 100644 dist/issue/manifests/init.pp
create mode 100644 dist/issue_confidential/manifests/init.pp
create mode 100644 dist/issue_secret/manifests/init.pp
create mode 100644 dist/issue_topsecret/manifests/init.pp
[samdev@stand control]$ git push origin production
Counting objects: 27, done.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (20/20), 2.16 KiB | 0 bytes/s, done.
Total 20 (delta 2), reused 0 (delta 0)
remote: production
remote: production change for samdev
To /var/lib/git/control.git/
   bab33bd..6b3e7ae  production -> production

Since concat was defined in our Puppetfile, we will now see the concat module in /etc/puppetlabs/code/environments/production/modules as shown here:

[samdev@stand control]$ ls /etc/puppetlabs/code/environments/production/modules/
concat  puppetdb  stdlib

We are now ready to run Puppet agent on client, after a successful Puppet agent run we see the following while attempting to log in to the system:

Example.com
Unauthorised access to this machine is strictly
prohibited. Use of this system is limited to authorized
parties only.
client login:

Now, we will go back to our client.yaml file and add issue_secret, as shown in the following snippet:

---
welcome: 'Sample Developer Made this change'
classes: - issue_confidential
         - issue_secret

After a successful Puppet run, the login looks like the following:

Example.com
Unauthorised access to this machine is strictly 
prohibited. Use of this system is limited to authorised 
parties only.
All information contained on this system is protected, no information may be removed from the system unless authorised.
client login:

Adding the issue_topsecret module is left as an exercise, but we can see the utility of being able to have several modules modify a file. We can also have a fragment defined from a file on the node. We'll create another module called issue_local and add a local fragment. To specify a local file resource, we will use the source attribute of concat::fragment, as shown in the following code:

class issue_local {
  include issue
  concat::fragment {'issue_local':
    target  => 'issue',
    source => '/etc/issue.local',
    order   => '99',
  }
}

Now, we add issue_local to client.yaml, but before we can run Puppet agent on client, we have to create /etc/issue.local, or the catalog will fail. This is a shortcoming of the concat module—if you specify a local path, then it has to exist. You can overcome this by having a file resource defined that creates an empty file if the local path doesn't exist, as shown in the following snippet:

file {'issue_local':
  path => '/etc/issue.local',
  ensure => 'file',
}

Then, modify the concat::fragment to require the file resource, as shown in the following snippet:

concat::fragment {'issue_local':
  target  => 'issue',
  source  => '/etc/issue.local',
  order   => '99',
  require => File['issue_local'],
}

Now, we can run Puppet agent on node1; nothing will happen but the catalog will compile. Next, add some content to /etc/issue.local as shown here:

node1# echo "This is an example node, avoid storing protected material here" >/etc/issue.local

Now after running Puppet, our login prompt will look like this:

Example.com
Unauthorised access to this machine is strictly 
prohibited. Use of this system is limited to authorised 
parties only.
All information contained on this system is protected, no information may be removed from the system unless authorised.
This is an example node, avoid storing protected material here
client login: 

There are many places where you would like to have multiple modules modify a file. When the structure of the file isn't easily determined, concat is the only viable solution. If the file is highly structured, then other mechanisms such as augeas can be used. When the file has a syntax of the inifile type, there is a module specifically made for inifiles.

The inifile module modifies the ini-style configuration files, such as those used by Samba, System Security Services Daemon (SSSD), yum, tuned, and many others, including Puppet. The module uses the ini_setting type to modify settings based on their section, name, and value. We'll add inifile to our Puppetfile and push the change to our production branch to ensure that the inifile module is pulled down to our client node on the next Puppet agent run. Begin by adding the inifile to the Puppetfile as shown here:

mod 'puppetlabs/inifile'

With the module in the Puppetfile and pushed to the repository, r10k will download the module as we can see from the listing of the production/modules directory:

[samdev@stand control]$ ls/etc/puppetlabs/code/environments/production/modules/
concat  inifile  puppetdb  stdlib

To get started with inifile, we'll look at an example in the yum.conf configuration file (which uses ini syntax). Consider the gpgcheck setting in the following /etc/yum.conf file:

[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=3

As an example, we will modify that setting using puppet resource, as shown here:

[root@client ~]# puppet resource ini_setting dummy_name path=/etc/yum.conf section=main setting=gpgcheck value=0
Notice: /Ini_setting[dummy_name]/value: value changed '1' to '0'
ini_setting { 'dummy_name':
  ensure => 'present',
  value  => '0',
}

When we look at the file, we will see that the value was indeed changed:

[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=0

The power of this module is the ability to change only part of a file and not clobber the work of another module. To show how this can work, we'll modify the SSSD configuration file. SSSD manages access to remote directories and authentication systems. It supports talking to multiple sources; we can exploit this to create modules that only define their own section of the configuration file. In this example, we'll assume there are production and development authentication LDAP directories called prod and devel. We'll create modules called sssd_prod and sssd_devel to modify the configuration file. Starting with sssd, we'll create a module which creates the /etc/sssd directory:

class sssd {
  file { '/etc/sssd':
    ensure => 'directory',
    mode   => '0755',
  }
}

Next we'll create sssd_prod and add a [domain/PROD] section to the file, as shown in the following snippet:

class sssd_prod {
  include sssd
  Ini_setting { require => File['/etc/sssd'] }
  ini_setting {'krb5_realm_prod':
    path    => '/etc/sssd/sssd.conf',
    section => 'domain/PROD',
    setting => 'krb5_realm',
    value   => 'PROD',
  }
  ini_setting {'ldap_search_base_prod':
    path    => '/etc/sssd/sssd.conf',
    section => 'domain/PROD',
    setting => 'ldap_search_base',
    value   => 'ou=prod,dc=example,dc=com',
  }
  ini_setting {'ldap_uri_prod':
    path    => '/etc/sssd/sssd.conf',
    section => 'domain/PROD',
    setting => 'ldap_uri',
    value   => 'ldaps://ldap.prod.example.com',
  }
ini_setting {'krb5_kpasswd_prod':
    path    => '/etc/sssd/sssd.conf',
    section => 'domain/PROD',
    setting => 'krb5_kpasswd',
    value   => 'secret!',
  }
  ini_setting {'krb5_server_prod':
    path    => '/etc/sssd/sssd.conf',
    section => 'domain/PROD',
    setting => 'krb5_server',
    value   => 'kdc.prod.example.com',
}

These ini_setting resources will create five lines within the [domain/PROD] section of the configuration file. We need to add PROD to the list of domains; for this, we'll use ini_subsetting as shown in the following snippet. The ini_subsetting type allows us to add sub settings to a single setting:

ini_subsetting {'domains_prod':
  path       => '/etc/sssd/sssd.conf',
  section    => 'sssd',
  setting    => 'domains',
  subsetting => 'PROD',
}

Now, we'll add sssd_prod to our client.yaml file and run puppet agent on client to see the changes, as shown here:

[root@client ~]# puppet agent -t
…
Info: Applying configuration version '1443519502'
Notice: /Stage[main]/Sssd_prod/File[/etc/sssd]/ensure: created
…
Notice: /Stage[main]/Sssd_prod/Ini_setting[krb5_server_prod]/ensure: created
Notice: /Stage[main]/Sssd_prod/Ini_subsetting[domains_prod]/ensure: created
Notice: Applied catalog in 1.07 seconds

Now when we look at /etc/sssd/sssd.conf, we will see the [sssd] and [domain/PROD] sections are created (they are incomplete for this example; you will need many more settings to make SSSD work properly), as shown in the following snippet:

[sssd]
domains = PROD

[domain/PROD]
krb5_server = kdc.prod.example.com
krb5_kpasswd = secret!
ldap_search_base = ou=prod,dc=example,dc=com
ldap_uri = ldaps://ldap.prod.example.com
krb5_realm = PROD

Now, we can create our sssd_devel module and add the same setting as that we did for PROD, changing their values for DEVEL, as shown in the following code:

class sssd_devel {
  include sssd
  Ini_setting { require => File['/etc/sssd'] }
  ini_setting {'krb5_realm_devel':
    path    => '/etc/sssd/sssd.conf',
    section => 'domain/DEVEL',
    setting => 'krb5_realm',
    value   => 'DEVEL',
  }
  ini_setting {'ldap_search_base_devel':  
    path    => '/etc/sssd/sssd.conf',
    section => 'domain/DEVEL',
    setting => 'ldap_search_base',
    value   => 'ou=devel,dc=example,dc=com',
  }
  ini_setting {'ldap_uri_devel':
    path    => '/etc/sssd/sssd.conf',
    section => 'domain/DEVEL',
    setting => 'ldap_uri',
    value   => 'ldaps://ldap.devel.example.com',
  }
  ini_setting {'krb5_kpasswd_devel':
    path    => '/etc/sssd/sssd.conf',
    section => 'domain/DEVEL',
    setting => 'krb5_kpasswd',
    value   => 'DevelopersDevelopersDevelopers', 
  }
  ini_setting {'krb5_server_devel':
    path    => '/etc/sssd/sssd.conf',
    section => 'domain/DEVEL',
    setting => 'krb5_server',
    value   => 'dev1.devel.example.com',
  }

Again, we will add DEVEL to the list of domains using ini_subsetting, as shown in the following code:

ini_subsetting {'domains_devel':
  path    => '/etc/sssd/sssd.conf',
  section => 'sssd',
  setting => 'domains',
  subsetting => 'DEVEL',
}

Now, after adding sssd_devel to client.yaml, we run Puppet agent on client and examine the /etc/sssd/sssd.conf file after, which is shown in the following snippet:

[sssd]
domains = PROD DEVEL

[domain/PROD]
krb5_server = kdc.prod.example.com
krb5_kpasswd = secret!
ldap_search_base = ou=prod,dc=example,dc=com
ldap_uri = ldaps://ldap.prod.example.com
krb5_realm = PROD

[domain/DEVEL]
krb5_realm = DEVEL
ldap_uri = ldaps://ldap.devel.example.com
ldap_search_base = ou=devel,dc=example,dc=com
krb5_server = dev1.devel.example.com
krb5_kpasswd = DevelopersDevelopersDevelopers

As we can see, both realms have been added to the domains section and each realm has had its own configuration section created. To complete this example, we will need to enhance the SSSD module that each of these modules calls with include sssd. In that module, we will define the SSSD service and have our changes send a notify signal to the service. I would place the notify signal in the domain's ini_subsetting resource.

Having multiple modules work on the same files simultaneously can make your Puppet implementation a lot simpler. It's counterintuitive, but having the modules coexist means you don't need as many exceptions in your code. For example, the Samba configuration file can be managed by a Samba module, but shares can be added by other modules using inifile and not interfere with the main Samba module.

If your organization uses host-based firewalls, filters that run on each node filtering network traffic, then the firewall module will soon become a friend. On enterprise Linux systems, the firewall module can be used to configure iptables automatically. Effective use of this module requires having all your iptables rules in Puppet.

The default configuration can be a little confusing; there are ordering issues that have to be dealt with while working with the firewall rules. The idea here is to ensure that there are no rules at the start. This is achieved with purge, as shown in the following code:

resources { "firewall":
  purge => true
}

Next, we need to make sure that any firewall rules we define are inserted after our initial configuration rules and before our final deny rule. To ensure this, we use a resource default definition. Resource defaults are made by capitalizing the resource type. In our example, firewall becomes Firewall, and we define the before and require attributes such that they point to the location where we will keep our setup rules (pre) and our final deny statement (post), as shown in the following snippet:

Firewall {
  before => Class['example_fw::post'],
  require => Class['example_fw::pre'],
}

Because we are referencing example_fw::pre and example_fw::post, we'll need to include them at this point. The module also defines a firewall class that we should include. Rolling all that together, we have our example_fw class as the following:

class example_fw {
  include example_fw::post
  include example_fw::pre
  include firewall

  resources { "firewall":
    purge => true
  }
  Firewall {
    before => Class['example_fw::post'],
    require => Class['example_fw::pre'],
  }
}

Now we need to define our default rules to go to example_fw::pre. We will allow all ICMP traffic, all established and related TCP traffic, and all SSH traffic. Since we are defining example_fw::pre, we need to override our earlier require attribute at the beginning of this class, as shown in the following code:

class example_fw::pre {
  Firewall {
    require => undef,
  }

Then, we can add our rules using the firewall type provided by the module. When we define the firewall resources, it is important to start the name of the resource with a number, as shown in the following snippet. The numbers are used for ordering by the firewall module:

firewall { '000 accept all icmp':
  proto => 'icmp',
  action => 'accept',
}
firewall { '001 accept all to lo':
  proto => 'all',
  iniface => 'lo',
  action => 'accept',
}
firewall { '002 accept related established':
  proto => 'all',
  state => ['RELATED', 'ESTABLISHED'],
  action => 'accept',
}
firewall { '022 accept ssh':
  proto => 'tcp',
  dport => '22',
  action => 'accept',
}

Now, if we finished at this point, our rules would be a series of allow statements. Without a final deny statement, everything is allowed. We need to define a drop statement in our post class. Again, since this is example_fw::post, we need to override the earlier setting to before, as shown in the following code:

class example_fw::post {
  firewall { '999 drop all':
    proto => 'all',
    action => 'drop',
    before => undef,
  } 
}

Now, we can apply this class in our node1.yaml file and run Puppet to see the firewall rules getting rewritten by our module. The first thing we will see is the current firewall rules being purged.

Next, our pre section will apply our initial allow rules:

Notice: /Stage[main]/Example_fw::Pre/Firewall[002 accept related established]/ensure: created
Notice: /Stage[main]/Example_fw::Pre/Firewall[000 accept all icmp]/ensure: created
Notice: /Stage[main]/Example_fw::Pre/Firewall[022 accept ssh]/ensure: created
Notice: /Stage[main]/Example_fw::Pre/Firewall[001 accept all to lo]/ensure: created

Finally, our post section adds a drop statement to the end of the rules, as shown here:

Notice: /Stage[main]/Example_fw::Post/Firewall[999 drop all]/ensure: created
Notice: Finished catalog run in 5.90 seconds

Earlier versions of this module did not save the rules; you would need to execute iptables-save after the post section. The module now takes care of this so that when we examine /etc/sysconfig/iptables, we see our current rules saved, as shown in the following snippet:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:180]
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT 
-A INPUT -i lo -m comment --comment "001 accept all to lo" -j ACCEPT 
-A INPUT -m comment --comment "002 accept related established" -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "022 accept ssh" -j ACCEPT 
-A INPUT -m comment --comment "999 drop all" -j DROP 
COMMIT

Now that we have our firewall controlled by Puppet, when we apply our web module to our node, we can have it open port 80 on the node as well, as shown in the following code. Our earlier web module can just use include example_fw and define a firewall resource:

class web {
  package {'httpd':
    ensure => 'installed'
  }
  service {'httpd':
    ensure  => true,
    enable  => true,
    require => Package['httpd'],
  }
  include example_fw
  firewall {'080 web server':
    proto  => 'tcp',
    port   => '80',
    action => 'accept',
  }
}

Now when we apply this class to an EL6 node, el6, we will see that port 80 is applied after our SSH rule and before our deny rule as expected:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:164]
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT 
-A INPUT -i lo -m comment --comment "001 accept all to lo" -j ACCEPT 
-A INPUT -m comment --comment "002 accept related established" -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "022 accept ssh" -j ACCEPT 
-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "080 web server" -j ACCEPT 
-A INPUT -m comment --comment "999 drop all" -j DROP 
COMMIT

Using this module, it's possible to have very tight host-based firewalls on your systems that are flexible and easy to manage.

The logical volume manager module allows you to create volume groups, logical volumes, and filesystems with Puppet using the logical volume manager (lvm) tools in Linux.

If you are not comfortable with LVM, then I suggest you do not start with this module. This module can be of great help if you have products that require their own filesystems or auditing requirements that require application logs to be on separate filesystems. The only caveat here is that you need to know where your physical volumes reside, that is, which device contains the physical volumes for your nodes. If you are lucky and have the same disk layout for all nodes, then creating a new filesystem for your audit logs, /var/log/audit, is very simple. Assuming that we have an empty disk at /dev/sdb, we can create a new volume group for audit items and a logical volume to contain our filesystem. The module takes care of all the steps that have to be performed. It creates the physical volume and creates the volume group using the physical volume. Then, it creates the logical volume and creates a filesystem on that logical volume.

To show the lvm module in action, we'll create an lvm node that has a boot device and a second drive. On my system, the first device is /dev/sda and the second drive is /dev/sdb. We can see the disk layout using lsblk as shown in the following screenshot:

We can see that /dev/sdb is available on the system but nothing is installed on it. We'll create a new module called lvm_web, which will create a logical volume of 4 GB, and format it with an ext4 filesystem, as shown in the following code:

class lvm_web {
  lvm::volume {"lv_var_www":
    ensure => present,
    vg     => "vg_web",
    pv     => "/dev/sdb",
    fstype => "ext4",
    size   => "4G",
  }
}

Now we'll create an lvm.yaml file in hieradata/hosts/lvm.yaml:

---
welcome: 'lvm node'
classes:
  - lvm_web

Now when we run Puppet agent on lvm, we will see that the vg_web volume group is created, followed by the lv_var_www logical volume, and the filesystem after that:

Notice: /Stage[main]/Lvm_web/Lvm::Volume[lv_var_www]/Physical_volume[/dev/sdb]/ensure: created
Notice: /Stage[main]/Lvm_web/Lvm::Volume[lv_var_www]/Volume_group[vg_web]/ensure: created
Notice: /Stage[main]/Lvm_web/Lvm::Volume[lv_var_www]/Logical_volume[lv_var_www]/ensure: created
Notice: /Stage[main]/Lvm_web/Lvm::Volume[lv_var_www]/Filesystem[/dev/vg_web/lv_var_www]/ensure: created

Now when we run lsblk again, we will see that the filesystem was created:

Note that the filesystem is not mounted yet, only created. To make this a fully functional class, we would need to add the mount location for the filesystem and ensure that the mount point exists, as shown in the following code:

file {'/var/www/html':
  ensure => 'directory',
  owner  => '48',
  group  => '48',
  mode   => '0755',
}
mount {'lvm_web_var_www':
  name => '/var/www/html',
  ensure  => 'mounted',
  device  => "/dev/vg_web/lv_var_www",
  dump    => '1',
  fstype  => "ext4",
  options => "defaults",
  pass    => '2',
  target  => '/etc/fstab',
  require => [Lvm::Volume["lv_var_www"],File["/var/www/html"]],
}

Now when we run Puppet again, we can see that the directories are created and the filesystem is mounted:

[root@lvm ~]# puppet agent -t
…
Info: Applying configuration version '1443524661'
Notice: /Stage[main]/Lvm_web/File[/var/www/html]/ensure: created
Notice: /Stage[main]/Lvm_web/Mount[lvm_web_var_www]/ensure: defined 'ensure' as 'mounted'
Info: /Stage[main]/Lvm_web/Mount[lvm_web_var_www]: Scheduling refresh of Mount[lvm_web_var_www]
Info: Mount[lvm_web_var_www](provider=parsed): Remounting
Notice: /Stage[main]/Lvm_web/Mount[lvm_web_var_www]: Triggered 'refresh' from 1 events
Info: /Stage[main]/Lvm_web/Mount[lvm_web_var_www]: Scheduling refresh of Mount[lvm_web_var_www]
Notice: Finished catalog run in 1.53 seconds

Now when we run lsblk, we see the filesystem is mounted, as shown in the following screenshot:

This module can save you a lot of time. The steps required to set up a new volume group, add a logical volume, format the filesystem correctly, and then mount the filesystem can all be reduced to including a single class on a node.

The standard library (stdlib) is a collection of useful facts, functions, types, and providers not included with the base language. Even if you do not use the items within stdlib directly, reading about how they are defined is useful to figure out how to write your own modules.

Several functions are provided by stdlib; these can be found at https://forge.puppetlabs.com/puppetlabs/stdlib. Also, several string-handling functions are provided by it, such as capitalize, chomp, and strip. There are functions for array manipulation and some arithmetic operations such as absolute value (abs) and minimum (min). When you start building complex modules, the functions provided by stdlib can occasionally reduce your code complexity.

Many parts of stdlib have been merged into Facter and Puppet. One useful capability originally provided by stdlib is the ability to define custom facts based on text files or scripts on the node. This allows processes that run on nodes to supply facts to Puppet to alter the behavior of the agent. To enable this feature, we have to create a directory called /etc/facter/facts.d (Puppet enterprise uses /etc/puppetlabs/facter/facts.d), as shown here:

[root@client ~]# facter -p myfact

[root@client ~]# mkdir -p /etc/facter/facts.d
[root@client ~]# echo "myfact=myvalue" >/etc/facter/facts.d/myfact.txt
[root@client ~]# facter -p myfact
myvalue

The facter_dot_d mechanism can use text files, YAML, or JSON files based on the extension, .txt, .yaml or .json. If you create an executable file, then it will be executed and the results parsed for fact values as though you had a .txt file (fact = value).

To illustrate the usefulness, we will create a fact that returns the gems installed on the system. I'll run this on a host with a few gems to illustrate the point. Place the following script in /etc/facter/facts.d/gems.sh and make it executable (chmod +x gems.sh):

#!/bin/bash

gems=$(/usr/bin/gem list --no-versions | /bin/grep -v "^$" | /usr/bin/paste -sd ",")
echo "gems=$gems"

Now make the script executable (chmod 755 /etc/facter/facts.d/gem.sh) and run Facter to see the output from the fact:

[root@client ~]# facter -p gems
bigdecimal,commander,highline,io-console,json,json_pure,psych,puppet-lint,rdoc

We can now use these gems fact in our manifests to ensure that the gems we require are available. Another use of this fact mechanism could be to obtain the version of an installed application that doesn't use normal package-management methods. We can create a script that queries the application for its installed version and returns this as a fact. We will cover this in more detail when we build our own custom facts in a later chapter.

Transferring files with Puppet is something that is best done within modules. When you define a file resource, you can either use content => "something" or you can push a file from the Puppet master using source. For example, using our judy database, we can have judy::config with the following file definition:

class judy::config {
  file {'/etc/judy/judy.conf':
    source => 'puppet:///modules/judy/judy.conf'
  }
}

Now, Puppet will search for this file in the [modulepath]/judy/files directory. It is also possible to add full paths and have your module mimic the filesystem. Hence, the previous source line will be changed to source => 'puppet:///modules/judy/etc/judy/judy.conf', and the file will be found at [modulepath]/judy/files/etc/judy/judy.conf.

The puppet:/// URI source line mentioned earlier has three backslashes; optionally, the name of a puppetserver may appear between the second and third backslash. If this field is left blank, the puppetserver that performs the catalog compilation will be used to retrieve the file. You can alternatively specify the server using source => 'puppet://puppetfile.example.com/modules/judy/judy.conf'.

Templates are searched in a similar fashion. In this example, to specify the template in judy/templates, you will use content =>template('judy/template.erb') to have Puppet look for the template in your modules' templates directory. For example, another config file for judy can be defined, as follows:

file {'/etc/judy/judyadm.conf':
  content => template('judy/judyadm.conf.erb')
}

Puppet will look for the 'judy/judyadm.conf.erb' file at [modulepath]/judy/templates/judyadm.conf.erb. We haven't covered the Embedded Ruby (ERB) templates up to this point; templates are files that are parsed according to the ERB syntax rules. If you need to distribute a file where you need to change some settings based on variables, then a template can help. The ERB syntax is covered in detail at http://docs.puppetlabs.com/guides/templating.html. Puppet 4 (and Puppet 3 with the future parser enabled) supports EPP templates as well. EPP templates are Embedded Puppet templates that use Puppet language syntax rather than Ruby.

Modules can also include custom facts, as we've already seen in this chapter. Using the lib subdirectory, it is possible to modify both Facter and Puppet. In the next section, we will discuss module implementations in a large organization before writing custom modules.

Modules must begin with a lowercase letter and only contain lowercase letters, numbers, and the underscore (_) symbol. No other characters should be used. While writing modules that will be shared across the organization, use names that are obvious and won't interfere with other groups' modules or modules from the Forge. A good rule of thumb is to insert your corporation's name at the beginning of the module name and, possibly, your group name.

While designing modules, each module should have a specific purpose and not pull in manifests from other modules and each one of them should be autonomous. Classes should be used within the module to organize functionality. For instance, a module named example_foo installs a package and configures a service. Now, separating these two functions and their supporting resources into two classes, example_foo::pkg and example_foo::svc, will make it easier to find the code you need to work on, when you need to modify these different components. In addition, when you have all the service accounts and groups in another file, it makes it easier to find them, as well.

To start with a simple example, we will use Puppet's module command to generate empty module files with comments. The module name will be example_phpmyadmin, and the generate command expects the generated argument to be [our username]-[module name]; thus, using our sample developer, samdev, the argument will be samdev-example_phpmyadmin, as shown here:

[samdev@stand ~]$ cd control/dist/
[samdev@standdist]$ puppet module generate samdev-example_phpmyadmin
We need to create a metadata.json file for this module.  Please answer the
following questions; if the question is not applicable to this module, feel free
to leave it blank.

Puppet uses Semantic Versioning (semver.org) to version modules.
What version is this module?  [0.1.0]
--> 0.0.1

Who wrote this module?  [samdev]
-->

What license does this module code fall under?  [Apache-2.0]
-->

How would you describe this module in a single sentence?
--> An Example Module to install PHPMyAdmin

Where is this module's source code repository?
--> https://github.com/uphillian

Where can others go to learn more about this module?  [https://github.com/uphillian]
-->

Where can others go to file issues about this module?  [https://github.com/uphillian/issues]
-->

----------------------------------------
{
  "name": "samdev-example_phpmyadmin",
"version": "0.0.1",
  "author": "samdev",
  "summary": "An Example Module to install PHPMyAdmin",
  "license": "Apache-2.0",
  "source": "https://github.com/uphillian",
  "project_page": "https://github.com/uphillian",
  "issues_url": "https://github.com/uphillian/issues",
  "dependencies": [
    {"name":"puppetlabs-stdlib","version_requirement":">= 1.0.0"}
  ]
}
----------------------------------------

About to generate this metadata; continue? [n/Y]
-->y

Notice: Generating module at /home/samdev/control/dist/example_phpmyadmin...
Notice: Populating templates...
Finished; module generated in example_phpmyadmin.
example_phpmyadmin/manifests
example_phpmyadmin/manifests/init.pp
example_phpmyadmin/spec
example_phpmyadmin/spec/classes
example_phpmyadmin/spec/classes/init_spec.rb
example_phpmyadmin/spec/spec_helper.rb
example_phpmyadmin/tests
example_phpmyadmin/tests/init.pp
example_phpmyadmin/Gemfile
example_phpmyadmin/Rakefile
example_phpmyadmin/README.md
example_phpmyadmin/metadata.json

class example_phpmyadmin {
  include example_phpmyadmin::pkg
  include example_phpmyadmin::svc
}

class example_phpmyadmin::pkg {
  package {'httpd':
    ensure => 'installed',
    alias  => 'apache'
  }
}

class example_phpmyadmin::svc {
  service {'httpd':
    ensure => 'running',
    enable => true
  }
}

[samdev@standdist]$ puppet module generate samdev-example_phpldapadmin
We need to create a metadata.json file for this module.  Please answer the
following questions; if the question is not applicable to this module, feel free
to leave it blank.
…
Notice: Generating module at /home/samdev/control/dist/example_phpldapadmin...
Notice: Populating templates...
Finished; module generated in example_phpldapadmin.
example_phpldapadmin/manifests
example_phpldapadmin/manifests/init.pp
example_phpldapadmin/spec
example_phpldapadmin/spec/classes
example_phpldapadmin/spec/classes/init_spec.rb
example_phpldapadmin/spec/spec_helper.rb
example_phpldapadmin/tests
example_phpldapadmin/tests/init.pp
example_phpldapadmin/Gemfile
example_phpldapadmin/Rakefile
example_phpldapadmin/README.md
example_phpldapadmin/metadata.json

class example_phpldapadmin {
  include example_phpldapadmin::pkg
  include example_phpldapadmin::svc
}

class example_phpldapadmin::pkg {
  package {'httpd':
    ensure => 'installed',
    alias  => 'apache'
  }
}

class example_phpldapadmin::svc {
  service {'httpd':
    ensure => 'running',
    enable => true
  }
}

[root@client ~]# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Package[httpd] is already declared in file /etc/puppetlabs/code/environments/production/dist/example_phpmyadmin/manifests/pkg.pp:2; cannot redeclare at /etc/puppetlabs/code/environments/production/dist/example_phpldapadmin/manifests/pkg.pp:2 at /etc/puppetlabs/code/environments/production/dist/example_phpldapadmin/manifests/pkg.pp:2:3 on node client.example.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

A resource in Puppet can only be defined once per node. What this means is that if our module defines the httpd package, no other module can define httpd. There are several ways to deal with this problem and we will work through two different solutions.

The first solution is the more difficult option—use virtual resources to define the package and then realize the package in each place you need. Virtual resources are similar to a placeholder for a resource; you define the resource but you don't use it. This means that Puppet master knows about the Puppet definition when you virtualize it, but it doesn't include the resource in the catalog at that point. Resources are included when you realize them later; the idea being that you can virtualize the resources multiple times and not have them interfere with each other. Working through our example, we will use the @ (at) symbol to virtualize our package and service resources. To use this model, it's helpful to create a container for the resources you are going to virtualize. In this case, we'll make modules for example_packages and example_services using Puppet module's generate command again.

The init.pp file for example_packages will contain the following:

class example_packages {
  @package {'httpd':
    ensure => 'installed',
    alias  => 'apache',
  }
}

The init.pp file for example_services will contain the following:

class example_services {
  @service {'httpd':
    ensure  =>'running',
    enable  => true,
    require => Package['httpd'],
  }
}

These two classes define the package and service for httpd as virtual. We then need to include these classes in our example_phpmyadmin and example_phpldapadmin classes. The modified example_phpmyadmin::pkg class will now be, as follows:

class example_phpmyadmin::pkg {
  include example_packages
  realize(Package['httpd'])
}

And the example_phpmyadmin::svc class will now be the following:

class example_phpmyadmin::svc {
  include example_services
  realize(Service['httpd'])
}

We will modify the example_phpldapadmin class in the same way and then attempt another Puppet run on client (which still has example_phpldapadmin and example_phpmyadmin classes), as shown here:

[root@client ~]# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for client.example.com
Info: Applying configuration version '1443928369'
Notice: /Stage[main]/Example_packages/Package[httpd]/ensure: created
Notice: /Stage[main]/Example_services/Service[httpd]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Example_services/Service[httpd]: Unscheduling refresh on Service[httpd]
Notice: Applied catalog in 11.17 seconds

For this solution to work, you need to migrate the resources that may be used by multiple modules to your top-level resource module and include the resource module wherever you need to realize the resource.

In addition to the realize function, used previously, a collector exists for virtual resources. A collector is a kind of glob that can be applied to virtual resources to realize resources based on a tag. A tag in Puppet is just a meta attribute of a resource that can be used for searching later. Tags are only used by collectors (for both virtual and exported resources, the exported resources will be explored in a later chapter) and they do not affect the resource.

To use a collector in the previous example, we will have to define a tag in the virtual resources, for the httpd package this will be, as follows:

class example_packages {
  @package {'httpd':
    ensure => 'installed',
    alias  => 'apache',
    tag    => 'apache',
  }
}

And then to realize the package using the collector, we will use the following code:

class example_phpldapadmin::pkg {
  include example_packages
  Package <| tag == 'apache' |>
}

The second solution will be to move the resource definitions into their own class and include that class whenever you need to realize the resource. This is considered to be a more appropriate way of solving the problem. Using the virtual resources described previously splits the definition of the package away from its use area.

For the previous example, instead of a class for all package resources, we will create one specifically for Apache and include that wherever we need to use Apache. We'll create the example_apache module monolithically with a single class for the package and the service, as shown in the following code:

class example_apache {
  package {'httpd':
    ensure => 'installed',
    alias  => 'apache'
  }
  service {'httpd':
    ensure  => 'running',
    enable  => true,
    require=> Package['httpd'],
  }
}

Now, in example_phpldapadmin::pkg and example_phpldapadmin::svc, we only need to include example_apache. This is because we can include a class any number of times in a catalog compilation without error. So, both our example_phpldapadmin::pkg and example_phpldapadmin::svc classes are going to receive definitions for the package and service of httpd; however, this doesn't matter, as they only get included once in the catalog, as shown in the following code:

class example_phpldapadmin::pkg {
  include example_apache
}

Both these methods solve the issue of using a resource in multiple packages. The rule is that a resource can only be defined once per catalog, but you should think of that rule as once per organization so that your modules won't interfere with those of another group within your organization.

We will be creating some custom facts; therefore, we will create our Ruby files in the module_name/lib/facter directory. While designing your facts, choose names that are specific to your organization. Unless you plan on releasing your modules on the Forge, avoid calling your fact something similar to a predefined fact or using a name that another developer might use. The names should be meaningful and specific—a fact named foo is probably not a good idea. Facts should be placed in the specific module that requires them. Keeping the fact name related to the module name will make it easier to determine where the fact is being set later.

For our example.com organization, we'll create a module named example_facts and place our first fact in there. As the first example, we'll create a fact that returns 1 (true) if the node is running the latest installed kernel or 0 (false) if not. As we don't expect this fact to become widely adopted, we'll call it example_latestkernel. The idea here is that we can apply modules to nodes that are not running the latest installed kernel, such as locking them down or logging them more closely.

To begin writing the fact, we'll start writing a Ruby script; you can also work in IRB while you're developing your fact. Interactive Ruby (IRB) is like a shell to write the Ruby code, where you can test your code instantly. Version 4 of Puppet installs its own Ruby, so our fact will need to use the Ruby installed by Puppet (/opt/puppetlabs/puppet/bin/ruby). Our fact will use a function from Puppet, so we will require puppet and facter. The fact scripts are run from within Facter so that the require lines are removed once we are done with our development work. The script is written, as follows:

#!/opt/puppetlabs/puppet/bin/ruby
require 'puppet'
require 'facter'
# drop alpha numeric endings
def sanitize_version (version)
temp = version.gsub(/.(el5|el6|el7|fc19|fc20)/,'')
return temp.gsub(/.(x86_64|i686|i586|i386)/,'')
end

We define a function to remove textual endings on kernel versions and architectures. Textual endings, such as el5 and el6 will make our version comparison return incorrect results. For example, 2.6.32-431.3.1.el6 is less than 2.6.32-431.el6 because the e in el6 is higher in ASCII than 3. Our script will get simplified greatly, if we simply remove known endings. We then obtain a list of installed kernel packages; the easiest way to do so is with rpm, as shown here:

kernels = %x( rpm -q kernel --qf '%{version}-%{release}\n' )
kernels = sanitize_version(kernels)
latest = ''

We will then set the latest variable to empty and we'll loop through the installed kernels by comparing them to latest. If their values are greater than latest, then we convert latest such that it is equal to the value of the kernels. At the end of the loop, we will have the latest (largest version number) kernel in the variable. For kernel in kernels, we will use the following commands:

for kernel in kernels.split('\n')
  kernel=kernel.chomp()
  if latest == ''
    latest = kernel
  end
  if Puppet::Util::Package.versioncmp(kernel,latest) > 0
    latest = kernel
  end
end

We use versioncmp from puppet::util::package to compare the versions. I've included a debugging statement in the following code that we will remove later. At the end of this loop, the latest variable contains the largest version number and the latest installed kernel:

kernelrelease = Facter.value('kernelrelease')
kernelrelease = sanitize_version(kernelrelease)

Now, we will ask Facter for the value of kernelrelease. We don't need to run uname or a similar tool, as we'll rely on Facter to get the value using the Facter.value('kernelrelease') command. Here, Facter.value() returns the value of a known fact. We will also run the result of Facter.value() through our sanitize_version function to remove textual endings. We will then compare the value of kernelrelease with latest and update the kernellatest variable accordingly:

if Puppet::Util::Package.versioncmp(kernelrelease,latest) == 0
  kernellatest = 1
else
  kernellatest = 0
end

At this point, kernellatest will contain the value 1 if the system is running the installed kernel with latest and 0 if not. We will then print some debugging information to confirm whether our script is doing the right thing, as shown here:

print "running kernel = %s\n" % kernelrelease
print "latest installed kernel = %s\n" % latest
print "kernellatest = %s\n" % kernellatest

We'll now run the script on node1 and compare the results with the output of rpm -q kernel to check whether our fact is calculating the correct value:

[samdev@standfacter]$ rpm -q kernel
kernel-3.10.0-229.11.1.el7.x86_64
kernel-3.10.0-229.14.1.el7.x86_64
[samdev@standfacter]$ ./latestkernel.rb
3.10.0-229.11.1.el7
3.10.0-229.14.1.el7
running kernel = 3.10.0-229.11.1.el7
latest installed kernel = 3.10.0-229.11.1.el7
3.10.0-229.14.1.el7
kernellatest = 0

Now that we've verified that our fact is doing the right thing, we need to call Facter.add() to add a fact to Facter. The reason behind this will become clear in a moment, but we will place all our code within the Facter.add section, as shown in the following code:

Facter.add("example_latestkernel") do
  kernels = %x( rpm -q kernel --qf '%{version}-%{release}\n' )
  ... 
end
Facter.add("example_latestkernelinstalled") do
  setcode do latest end
end

This will add two new facts to Facter. We now need to go back and remove our require lines and print statements. The complete fact should look similar to the following script:

# drop alpha numeric endings
def sanitize_version (version)
  temp = version.gsub(/.(el5|el6|el7|fc19|fc20)/,'')
  return temp.gsub(/.(x86_64|i686|i586|i386)/,'')
end
Facter.add("example_latestkernel") do
  kernels = %x( rpm -q kernel --qf '%{version}-%{release}\n' )
  kernels = sanitize_version(kernels)
  latest = ''
  for kernel in kernels do
    kernel=kernel.chomp()
    if latest == '' 
      latest = kernel
    end
    if Puppet::Util::Package.versioncmp(kernel,latest) > 0
      latest = kernel
    end
  end
kernelrelease = Facter.value('kernelrelease')
kernelrelease = sanitize_version(kernelrelease)
  if Puppet::Util::Package.versioncmp(kernelrelease,latest) == 0
    kernellatest = 1
  else
    kernellatest = 0
  end
  setcode do kernellatest end
  Facter.add("example_latestkernelinstalled") do
    setcode do latest end
  end
end

Now, we need to create a module of our Git repository on stand and have that checked out by client to see the fact in action. Switch back to the samdev account to add the fact to Git as follows:

[Thomas@stand ~]$ sudo –iu samdev
[samdev@stand]$ cd control/dist
[samdev@stand]$ mkdir -p example_facts/lib/facter
[samdev@stand]$ cd example_facts/lib/facter
[samdev@stand]$ cp ~/latestkernel.rbexample_latestkernel.rb
[samdev@stand]$ git add example_latestkernel.rb
[samdev@stand]$ git commit -m "adding first fact to example_facts"
[masterd42bc22] adding first fact to example_facts
 1 files changed, 33 insertions(+), 0 deletions(-)
create mode 100755 dist/example_facts/lib/facter/example_latestkernel.rb
[samdev@stand]$ git push origin
…
To /var/lib/git/control.git/
fc4f2e5..55305d8  production -> production

Now, we will go back to client, run Puppet agent, and see that example_latestkernel.rb is placed in /opt/puppetlabs/puppet/cache/lib/facter/example_latestkernel.rb so that Facter can now use the new fact.

This fact will be in the /dist folder of the environment. In the previous chapter, we added /etc/puppet/environments/$environment/dist to modulepath in puppet.conf; if you haven't done this already, do so now:

[root@client ~]# puppet agent -t
…
Notice: /File[/opt/puppetlabs/puppet/cache/lib/facter/example_latestkernel.rb]/ensure: defined content as '{md5}579a2f06068d4a9f40d1dadcd2159527'…
Notice: Finished catalog run in 1.18 seconds
[root@client ~]# facter -p |grep ^example
example_latestkernel => 1
example_latestkernelinstalled => 3.10.0-123

Now, this fact works fine for systems that use rpm for package management; it will not work on an apt system. To ensure that our fact doesn't fail on these systems, we can use a confine statement to confine the fact calculation to systems where it will succeed. We can assume that our script will work on all systems that report RedHat for the osfamily fact, so we will confine ourselves to that fact.

For instance, if we run Puppet on a Debian-based node to apply our custom fact, it fails when we run Facter, as shown here:

# cat /etc/debian_version
wheezy/sid
# facter -p example_latestkernelinstalled
sh: 1: rpm: not found
Could not retrieve example_latestkernelinstalled: undefined local variable or method `latest' for #<Facter::Util::Resolution:0xb6bd386c>

Now, if we add a confine statement to confine the fact to nodes in which osfamily is RedHat, it doesn't happen, as shown here:

Facter.add("example_latestkernel") do
  confine :osfamily => 'RedHat'
  …
end
Facter.add("example_latestkernelinstalled") do
  confine :osfamily => 'RedHat'
  setcode do latest end
end

When we run Facter on the Debian node again, we will see that the fact is simply not defined, as shown here:

# facter -p example_latestkernelinstalled
##

This simple example creates two facts that can be used in modules. Based on this fact you can, for instance, add a warning to motd to say that the node needs to reboot.

While implementing a custom fact such as this, every effort should be made to ensure that the fact doesn't break Facter compilation on any OSes within your organization. Using confine statements is one way to ensure your facts stay where you designed them.

So, why not just use the external fact (/etc/facter/facts.d) mechanism all the time? We could have easily written the previous fact script in bash and put the executable script in /etc/facter/facts.d. Indeed, there is no problem in doing it that way. The problem with using the external fact mechanism is timing and precedence. The fact files placed in lib/facter are synced to nodes when pluginsync is set to true, so the custom fact is available for use during the initial catalog compilation. If you use the external fact mechanism, you have to send your script or text file to the node during the agent run so that the fact isn't available until after the file has been placed there (after the first run, any logic built around that fact will be broken until the next Puppet run). The second problem is preference. External facts are given a very high weight by default. Weight in the Facter world is used to determine when a fact is calculated and facts with low weight are calculated first and cannot be overridden by facts with higher weight.

One great use case for external facts is having a system task (something that runs out of cron perhaps) that generates the text file in /etc/facter/facts.d. Initial runs of Puppet agent won't see the fact until after cron runs the script, so you can use this to trigger further configuration by having your manifests key off the new fact. As a concrete example, you can have your node installed as a web server for a load-balancing cluster as a part of the modules that run a script from cron to ensure that your web server is up and functioning and ready to take a part of the load. The cron script will then define a load_balancer_ready=true fact. It will then be possible to have the next Puppet agent run and add the node to the load balancer configuration.

The most useful custom facts are those that return a calculated value that you can use to organize your nodes. Such facts allow you to group your nodes into smaller groups or create groups with similar functionality or locality. These facts allow you to separate the data component of your modules from the logic or code components. This is a common theme that will be addressed again in Chapter 9, Roles and Profiles. This can be used in your hiera.yaml file to add a level to the hierarchy. One aspect of the system that can be used to determine information about the node is the IP address. Assuming that you do not reuse the IP addresses within your organization, the IP address can be used to determine where or in which part a node resides on a network, specifically, the zone. In this example, we will define three zones in which the machines reside: production, development, and sandbox. The IP addresses in each zone are on different subnets. We'll start by building a script to calculate the zone and then turn it into a fact similar to our last example. Our script will need to calculate IP ranges using netmasks, so we'll import the ipaddr library and use the IPAddr objects to calculate ranges:

require('ipaddr')
require('facter')
require('puppet')

Next, we'll define a function that takes an IP address as the argument and returns the zone to which that IP address belongs:

def zone(ip)
zones = {
    'production' => [IPAddr.new('10.0.2.0/24'),IPAddr.new('192.168.124.0/23')],
    'development' => [IPAddr.new('192.168.123.0/24'),IPAddr.new('192.168.126.0/23')],
    'sandbox' => [IPAddr.new('192.168.128.0/22')]
}
  for zone in zones.keys do
    for subnet in zones[zone] do
      ifsubnet.include?(ip)
        return zone
      end
    end
  end
  return 'undef'
end

This function will loop through the zones looking for a match on the IP address. If no match is found, the value of undef is returned. We then obtain an IP address for the machine that is using the IP address fact from Facter:

ip = IPAddr.new(Facter.value('ipaddress'))

Then, we will call the zone function with this IP address to obtain the zone:

print zone(ip),"\n"

Now, we can make this script executable and test it:

[root@client ~]# facter ipaddress
10.0.2.15
[root@client ~]# ./example_zone.rb
production

Now, all we have to do is replace print zone(ip),"\n" with the following code to define the fact:

Facter.add('example_zone') do
  setcode do zone(ip) end
end

Now, when we insert this code into our example_facts module and run Puppet on our nodes, the custom fact is available:

[root@client ~]# facter -p example_zone
production

Now that we can define a zone based on a custom fact, we can go back to our hiera.yaml file and add %{::example_zone} to the hierarchy. The hiera.yaml hierarchy will now contain the following:

---
:hierarchy:
  - "zones/%{::example_zone}"
  - "hosts/%{::hostname}"
  - "roles/%{::role}"
  - "%{::kernel}/%{::osfamily}/%{::lsbmajdistrelease}"
  - "is_virtual/%{::is_virtual}"
  - common

After restarting puppetserver to have the hiera.yaml file reread, we create a zones directory in hieradata and add production.yaml with the following content:

---
welcome: "example_zone - production"

Now when we run Puppet on our node1, we will see motd updated with the new welcome message, as follows:

[root@client ~]# cat /etc/motd
example_zone - production
Managed Node: client
Managed by Puppet version 4.2.2

Creating a few key facts that can be used to build up your hierarchy can greatly reduce the complexity of your modules. There are several workflows available, in addition to the custom fact we described earlier. You can use the /etc/facter/facts.d (or /etc/puppetlabs/facter/facts.d) directory with static files or scripts, or you can have tasks run from other tools that dump files into that directory to create custom facts.

While writing Ruby scripts, you can use any other fact by calling Facter.value('factname'). If you write your script in Ruby, you can access any Ruby library using require. Your custom fact can query the system using lspci or lsusb to determine which hardware is specifically installed on that node. As an example, you can use lspci to determine the make and model of graphics card on the machine and return that as a fact, such as videocard.

The preceding example's parameterized class does not take advantage of the new Puppet language features in version 4. Version 4 of the Puppet language supports explicit data types. Data types in previous versions had to be determined by comparing items and often hoping for the best. This led to some bad practices, such as using the string value true to represent the Boolean value True. Using the version 4 syntax, we can change the preceding class to require the $db parameter to be a string, as shown:

class example::db (String $db) {
  case $db {
    'mysql': {
      $dbpackage = 'mysql-server'
      $dbservice = 'mysqld'
    }
    'postgresql': {
      $dbpackage = 'postgresql-server'
      $dbservice = 'postgresql'
    }
  }
  package { "$dbpackage": }
  service { "$dbservice":
    ensure  => true,
    enable => true,
    require => Package["$dbpackage"]
  }
}

The ability to know the type of a parameter has been a long-standing bug with Puppet, particularly when dealing with Boolean values. For more information on the data types supported by Puppet 4, refer to the documentation page at https://docs.puppetlabs.com/puppet/latest/reference/lang_data_type.html.

As an example, we will create a gem type for managing Ruby gems installed for a user. Ruby gems are packages for Ruby that are installed on the system and can be queried like packages.

Creating a custom type requires some knowledge of Ruby. In this example, we assume the reader is fairly literate in Ruby. We start by defining our type in the lib/puppet/type directory of our module. We'll do this in our example module, modules/example/lib/puppet/type/gem.rb.

The file will contain the newtype method and a single property for our type, version, as shown in the following code:

Puppet::Type.newtype(:gem) do
  ensurable
  newparam(:name, :namevar => true) do
    desc 'The name of the gem'
  end
  newproperty(:version) do
    desc 'version of the gem'
    validate do |value|
      fail("Invalid gem version #{value}") unless value =~ /^[0-9]+[0-9A-Za-z\.-]+$/
    end
  end
end

The ensurable keyword creates the ensure property for our new type, allowing the type to be either present or absent. The only thing we require of the version is that it starts with a number and only contain numbers, letters, periods, or dashes.

Now we need to start making our provider. The name of the provider is the name of the command used to manipulate the type. For packages, the providers have names such as yum, apt, and dpkg. In our case we'll be using the gem command to manage gems, which makes our path seem a little redundant. Our provider will live at modules/example/lib/puppet/provider/gem/gem.rb.

We'll start our provider with a description of the provider and the commands it will use are, as shown here:

Puppet::Type.type(:gem).provide :gem do
desc "Manages gems using gem"

Then we'll define a method to list all the gems installed on the system as shown here, which defines the self.instances method:

def self.instances
  gems = []
  command = 'gem list -l'
  begin
    stdin, stdout, stderr = Open3.popen3(command)
    for line in stdout.readlines
        (name,version) = line.split(' ')
      gem = {}
      gem[:provider] = self.name
      gem[:name] = name
      gem[:ensure] = :present
      gem[:version] = version.tr('()','')
      gems<< new(gem)
    end
  rescue
    raise Puppet::Error, "Failed to list gems using '#{command}'"
  end
  gems
end

This method runs gem list -l and then parses the output, looking for lines such as gemname (version). The output from the gem command is written to the variable stdout. We then use readlines on stdout to create an array that we iterate over with a for loop. Within the for loop we split the lines of output based on a space character into the gem name and version. The version will be wrapped in parentheses at this point; we use the tr (translate) method to remove the parentheses. We create a local hash of these values and then append the hash to the gems hash. The gems hash is returned and then Puppet knows all about the gems installed on the system.

Puppet needs two more methods at this point, a method to determine if a gem exists (is installed), and, if it does exist, one to tell us which version is installed. We already populated the ensure parameter, so as to use that to define our exists method as follows:

def exists?
    @property_hash[:ensure] == :present
end

To determine the version of an installed gem, we can use the property_hash variable, as follows:

def version
    @property_hash[:version] || :absent
end

To test this, add the module to a node and pluginsync the module over to the node, as shown:

[root@client ~]# puppet plugin download
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/provider/gem]/ensure: created
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/provider/gem/gem.rb]/ensure: defined content as '{md5}4379c3d0bd6c696fc9f9593a984926d3'
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/provider/gem/gem.rb.orig]/ensure: defined content as '{md5}c6024c240262f4097c0361ca53c7bab0'
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/type/gem.rb]/ensure: defined content as '{md5}48749efcd33ce06b401d5c008d10166c'
Downloaded these plugins: /opt/puppetlabs/puppet/cache/lib/puppet/provider/gem, /opt/puppetlabs/puppet/cache/lib/puppet/provider/gem/gem.rb, /opt/puppetlabs/puppet/cache/lib/puppet/provider/gem/gem.rb.orig, /opt/puppetlabs/puppet/cache/lib/puppet/type/gem.rb

This will install our type/gem.rb and provider/gem/gem.rb files into /opt/puppetlabs/puppet/cache/lib/puppet on the node. After that, we are free to run puppet resource on our new type to list the available gems, as shown:

[root@client ~]# puppet resource gem
gem { 'bigdecimal':
  ensure  => 'present',
  version => '1.2.0',
}
gem { 'bropages':
  ensure  => 'present',
  version => '0.1.0',
}
gem{ 'commander':
  ensure  => 'present',
  version => '4.1.5',
}
gem { 'highline':
  ensure  => 'present',
  version => '1.6.20',
}
…

Now, if we want to manage gems, we'll need to create and destroy them, and we'll need to provide methods for those operations. If we try at this point, Puppet will fail, as we can see from the following output:

[root@client ~]# puppet resource gem bropages
gem { 'bropages':
  ensure  => 'present',
  version => '0.1.0',
}
[root@client ~]# puppet resource gem bropages ensure=absent
gem { 'bropages':
  ensure => 'absent',
}
[root@client ~]# puppet resource gem bropages ensure=absent
gem { 'bropages':
  ensure => 'absent',
}

When we run puppet resource, there is no destroy method, so Puppet returns that the gem was removed but doesn't actually do anything. To get Puppet to actually remove the gem, we'll need a method to destroy (remove) gems; gem uninstall should do the trick, as shown in the following code:

def destroy
  g = @resource[:version] ? [@resource[:name], '--version', @resource[:version]] : @resource[:name]
  command = "gem uninstall #{g} -q -x"
  begin
    system command
  rescue
    raise Puppet::Error, "Failed to remove #{@resource[:name]} '#{command}'"
  end
  @property_hash.clear
end

Using the ternary operator, we either run gem uninstall name -q -x if no version is defined, or gem uninstall name --version version -q -x if a version is defined. We finish by calling @property_hash.clear to remove the gem from the property_hash since the gem is now removed.

Now we need to let Puppet know about the state of the bropages gem using the instances method we defined earlier; we'll need to write a new method to prefetch all the available gems. This is done with self.prefetch, as shown here:

def self.prefetch(resources)
  gems = instances
  resources.keys.each do |name|
    if provider = gems.find{ |gem| gem.name == name }
      resources[name].provider = provider
    end
  end
end

We can see this in action using puppet resource as shown here:

[root@client ~]# puppet resource gem bropages ensure=absent
Removing bro
Successfully uninstalled bropages-0.1.0
Notice: /Gem[bropages]/ensure: removed
gem { 'bropages':
  ensure => 'absent',
}

Almost there! Now we want to add bropages back, we'll need a create method, as shown here:

def create
  g = @resource[:version] ? [@resource[:name], '--version', @resource[:version]] : @resource[:name]
  command = "gem install #{g} -q"
  begin
    system command
      @property_hash[:ensure] = :present
  rescue
    raise Puppet::Error, "Failed to install #{@resource[:name]} '#{command}'"
  end
end

Now, when we run puppet resource to create the gem, we see the installation, as shown here:

[root@client ~]# puppet resource gem bropages ensure=present
Successfully installed bropages-0.1.0
Parsing documentation for bropages-0.1.0
Installing ri documentation for bropages-0.1.0
1 gem installed
Notice: /Gem[bropages]/ensure: created
gem { 'bropages':
  ensure => 'present',
}

Nearly done! Now, we need to handle versions. If we want to install a specific version of the gem, we'll need to define methods to deal with versions.

def version=(value)
  command = "gem install #{@resource[:name]} --version  #{@resource[:version]}"
  begin
    system command
      @property_hash[:version] = value
  rescue
    raise Puppet::Error, "Failed to install gem #{resource[:name]} using #{command}" 
  end
end

Now, we can tell Puppet to install a specific version of the gem and have the correct results as shown in the following output:

[root@client ~]# puppet resource gem bropages version='0.0.9'
Fetching: highline-1.7.8.gem (100%)
Successfully installed highline-1.7.8
Fetching: bropages-0.0.9.gem (100%)
Successfully installed bropages-0.0.9
Parsing documentation for highline-1.7.8
Installing ri documentation for highline-1.7.8
Parsing documentation for bropages-0.0.9
Installing ri documentation for bropages-0.0.9
2 gems installed
Notice: /Gem[bropages]/version: version changed '0.1.0' to '0.0.9'
gem { 'bropages':
  ensure  => 'present',
  version => '0.0.9',
}

This is where our choice of gem as an example breaks down as gem provides for multiple versions of a gem to be installed. Our gem provider, however, works well enough for use at this point. We can specify the gem type in our manifests and have gems installed or removed from the node. This type and provider are only an example; the gem provider for the package type provides the same features in a standard way. When considering creating a new type and provider, search Puppet Forge for existing modules first.