Collaboratively managing the OpenStack project with Puppet

Monty Taylor <mordred@inaugust.com>

Whoami

One of the OpenStack Founders
Core team of OpenStack CI systems
OpenStack Foundation Board
OpenStack Technical Committee
Manager of OpenStack Automation at HP

About this Presentation

Running OpenStack's CI systems
NOT about installing OpenStack
Challenges we've faced doing things in the open
Probably some rants and swearing in violation of something

Design Assumptions

Everything Open
Everything Reusable

Shameless Plug

I'm hiring

OpenStack

Is open source software for building private and public clouds.

http://openstack.org

Projects

nova (compute)
swift (object storge)
glance (image service)
keystone (identity service)
quantum (network service)
horizon (dashboard)
cinder (volume service)
python-novaclient
python-swiftclient
python-glanceclient
python-keystoneclient
python-quantumclient
python-cinderclient
python-openstackclient

Servers

Back in the Day...

nova (compute)
swift (object storge)
jenkins.openstack.org
wiki.openstack.org

Typical First Steps

jenkins.openstack.org had one admin - me
wiki was managed by someone else
Everything installed by hand

Complexity Rises

Soren, Jay, Eric and Thierry get root
Added a couple of build slaves
I get annoyed

Investigation

Chef
Puppet
Manage users and packages

Small Infrastructure

puppet apply ftw
creating users not so much

RANT

WHY IS CREATING USERS SO MUCH WORK???

class user::virtual {
  define localuser ($realname,$sshkeys='',$shell="/bin/bash") {
    group { $title:
      ensure => 'present'
    }

    user { $title:
      ensure  => "present",
      comment => $realname,
      home    => "/home/$title",
      shell   => $shell,
      gid     => $title,
      groups  => ['sudo','admin'],
      membership => 'minimum',
      managehome => true,  # creates the home directory (does not actually manage it)
      require => Group[$title],
    }
    
    file { "${title}_sshdir":
      name => "/home/$title/.ssh",
      owner => $title,
      group => $title,
      mode => 700,
      ensure => 'directory',
      require => User[$title],
    }

RANT

WHY IS CREATING USERS SO MUCH WORK???

    file { "${title}_keys":
      name => "/home/$title/.ssh/authorized_keys",
      owner => $title,
      group => $title,
      mode => 400,
      content => $sshkeys,
      ensure => 'present',
      require => File["${title}_sshdir"],
    }
  }
}

RANT

WHY IS CREATING USERS SO MUCH WORK???

  @user::virtual::localuser { 'mordred':
    realname => 'Monty Taylor',
    sshkeys  => "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyxfIpVCvZyM8BIy7r7WOSIG6Scxq4afean1Pc/bej5ZWHXCu1QnhGbI7rW3sWciEhi375ILejfODl2TkBpfdJe/DL205lLkTxAa+FUqcZ5Ymwe+jBgCH5XayzyhRPFFLn07IfA/BDAjGPqFLvq6dCEHVNJIui6oEW7OUf6a3376YF55r9bw/8Ct00F9N7zrISeSSeZXbNR+dEqcsBEKBqvZGcLtM4jzDzNXw1ITPPMGaoEIIszLpkkJcy8u/13GIrbAwNrB2wjl6Mzj+N9nTsB4rFtxRXp31ZbytCH5G9CL/mFard7yi8NLVEJPZJvAifNVhooxGN06uAiTFE8EsuQ== mtaylor@qualinost\n",
  }

RANT

WHY IS CREATING USERS SO MUCH WORK???

    realize (
      User::Virtual::Localuser['mordred'],
      User::Virtual::Localuser['corvus'],
      User::Virtual::Localuser['soren'],
      User::Virtual::Localuser['linuxjedi'],
      User::Virtual::Localuser['devananda'],
      User::Virtual::Localuser['clarkb'],
    )

Shameless Plug

I'm hiring

First (weird) choice

I hate typing
Launchpad API script to generate a manifest
Launching nodes was so much easier!

Usage Pattern 0

puppet apply by hand at machine create
problem: totally manual operation

Once you have that ...

Jim Blair started ... told me I was crazy
We started making clases and modules

Usage Pattern 1

manifest/modules in public git / gerrit
puppet apply in cron
problem: where does secret stuff go

Secrets Solution 0

Copy secret files to machine by hand, then reference

  file { '/usr/local/jenkins_jobs/jenkins_jobs.ini':
    owner => 'root',
    group => 'root',
    mode => 440,
    ensure => 'present',
    source => 'file:///root/secret-files/jenkins_jobs.ini',
    replace => 'true',
    require => File['/usr/local/jenkins_jobs']
  }

Copying Files

This sucks for all the reasons you'd expect
Defeats reusability
ENTIRE FILE becomes secret

RANT

WHY IS INSTALLING PACKAGES FAIL???

class jenkins_jobs {
    package { 'python-yaml':
        ensure => present;
    }
    ...
}

class zuul {
    package { 'python-yaml':
        ensure => present;
    }
    ...
}

node "jenkins.openstack.org" {
    include zuul
    include jenkins_jobs
}

RANT

WHY IS INSTALLING PACKAGES FAIL???

 # A lot of things need yaml, be conservative requiring this package to avoid
 # conflicts with other modules.
 if ! defined(Package['python-yaml']) {
   package { 'python-yaml':
     ensure => "present",
 }

Perhaps package commands should be fundamental units, and should create an idempotent package installation set. You know, kinda like how apt and yum already work?

Shameless Plug

I'm hiring

And then there were more

Now we have ...

5 or 6 servers
10 static build slaves
Additional dynamic jenkins slaves for every build
So about 200 servers a day managed by puppet
Chatted with wikipedia about sharing work

Usage Pattern 2

classes with secrets parameterized
puppetmaster + heira
git pull on master in cron
start using forge modules
puppet dashboard for monitoring

heira

node 'wiki.openstack.org' {
  class { 'openstack_project::wiki':
    mysql_root_password => hiera('wiki_db_password'),
    sysadmins           => hiera('sysadmins'),
  }  
}

forge modules

Started splitting out our modules for upload
Started using modules from forge

RANT

WHY IS INSTALLING PACKAGES FAIL???

# Array of modules to be installed key:value is module:version.
 declare -A MODULES
 MODULES["openstackci-dashboard"]="0.0.4"
 MODULES["openstackci-vcsrepo"]="0.0.6"
 MODULES["puppetlabs-apache"]="0.0.4"
 MODULES["puppetlabs-apt"]="0.0.4"
 MODULES["puppetlabs-mysql"]="0.5.0"
 MODULES["saz-memcached"]="2.0.2"

for MOD in ${!MODULES[*]} ; do
  # If the module at the current version does not exist upgrade or install it.
  if ! echo $MODULE_LIST | grep "$MOD.*${MODULES[$MOD]}" >dev/null 2>&1
  then
    # Attempt module upgrade. If that fails try installing the module.
    if ! puppet module upgrade $MOD --version ${MODULES[$MOD]} >dev/null 2>&1
    then
      # This will get run in cron, so silence non-error output
      puppet module install $MOD --version ${MODULES[$MOD]} >dev/null
    fi
  fi
done

RANT

WHY IS INSTALLING PACKAGES FAIL???

puppet module install should be idempotent
puppet module install should work in a git dir - OR
source-level clone of a module repo into modules tree should work

Shameless Plug

I'm hiring

dashboard

node 'puppet-dashboard.openstack.org' {
  class { 'openstack_project::dashboard':
    password => hiera('dashboard_password'),
    mysql_password => hiera('dashboard_mysql_password'),
    sysadmins => hiera('sysadmins'),
  }
}

http://puppet-dashboard.openstack.org:3000/
Why does this not support SSL submission by default?
Notice oneiric.slave.openstack.org and precise.slave.openstack.org

build slaves

Hundreds of them, created and destroyed daily
Essentially the same
All share a cert
Dashboard finds this confusing - I don't care

What next?/Usage Pattern 3

Add unittesting to our modules (oops)
More importantly - add real testing to our manifest
- Make manifest that installs all of our modules single server
- Per-commit pre-merge, spin up machine, run manifest, test

Development / Contributing

GitHub: https://github.com/openstack/openstack-ci-puppet
Docs: http://ci.openstack.org/
Freenode: #openstack-infra
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
I'm hiring

Thanks!

These slides available at: https://github.com/openstack-ci/publications