It was time for the small company I worked for to pick new content tools, and we were in a meeting to hear from the project lead.

She gave a great talk, explaining the benefits and tradeoffs of each tool. Her slides had cat pictures. She was funny and self-deprecating. But the Q&A afterward was tense. The underlying note of each comment was, “I don’t mind change as long as it’s happening to anybody else.”

Afterward, we joked about the meeting.

“It’s hard,” she said. “People like their tools, and you’ve got to tell them they might have to change something, and …”

“Nerd rage,” I finished for her.

“Right. Nerd rage.”

Read the rest of this entry »

I’ve always liked the phrase “configuration drift.” It sounds like a wind blew through the racks in the data center just so, gently jumbling that one file down in /opt/etc that’s the last place you look when a service goes down.

Realistically, that drift probably came from human error: a junior admin making a novice mistake, or someone solving a problem with a small but critical change. Either way – mysterious cloud creatures, or everyday people – things change on the systems we maintain, and it can take a lot of time to make them right again.

As a sysadmin, you spend a lot of time trying to get everything just right. You shouldn’t have to spend all your time trying to keep everything just right. With just a little automation, you won’t have to.

Read the rest of this entry »

Just now, VMware announced vCloud Hybrid Service, an infrastructure-as-a-service (IaaS) enterprise public cloud. We’re really excited that, right at launch, Puppet Enterprise is being used for the provisioning, configuration and management of application running on top of vCloud Hybrid Service.

Mathew Lodge, VMware’s VP of Cloud Services, took some time out during launch-day preparations to check in with us at Puppet Labs.

Read the rest of this entry »

In virtual data centers both on-premises and in the cloud, lifecycle management is particularly challenging for administrators due to the dynamic nature and volume of nodes that need to be deployed and managed. Puppet Enterprise can ease a lot of these challenges by allowing  IT teams to automate the deployment and management of their VMware virtual infrastructure.

Read the rest of this entry »

If you’re using virtualization in your data center, you’re familiar with the challenges as well as the benefits: VM sprawl, maintaining consistent configuration, provisioning and tearing down VMs at the speed your business demands. Puppet Enterprise is an exceptional tool for dealing with these challenges. Here are 13 reasons that, if you’re not already using Puppet Enterprise to manage your VMware virtual environment, you should be.

Read the rest of this entry »

We go to a lot of events. No, really, we go to a lot of events, and take it from us, DevOpsDays is one of the very best. It’s a chance to share and learn about making systems that run smoother, faster and more intelligently – and improve our lives, too.

This year, we’re sponsoring DevOpsDays Austin, held April 30 and May 1 at The Marchesa. Both days are filled with sessions you’re sure to find valuable.  A couple of highlights:

May 1, 9:15 AM: Patrick DeBois, organizer of DevOpsDays, will talk about the future of DevOps. Hint of what’s to come in this tweet.

May 1, 9:35 AM: Gene Kim, champion of DevOps and assiduous studier of high-performing IT organizations, offers his perspective on “How Do We Better Sell DevOps?”

Come visit us at our sponsor table, where we’ll have plenty on hand for you. Pick up a copy of our 2013 State of DevOps Report - you’ll find all kinds of interesting facts about how DevOps practices make organizations more efficient. Ask us for a Puppet Enterprise demo. Don one of our famous t-shirts. Or just hang out and chat about all things DevOps and Puppet.

Speaking of Puppet, we’re holding an entire day of Puppet content at PuppetCamp Austin on April 29, right before DevOpsDays. We invite you to register.

Like many things at Puppet Labs, the idea for a Deployment Guide for Puppet Enterprise came from our users. By the time I joined the Puppet Labs docs team, most of the heavy lifting of documenting the features and functions of Puppet Enterprise had already been done by documentation wunderkind, Nick Fagerlund. But we were still hearing from users that they needed something to help them start the job of incorporating Puppet Enterprise into their IT ecosystems. A manual is all fine and good when you have a task you’re trying to complete, they told us, but what if you don’t know what tasks you need to do and when you should do them?

It’s a little bit like when you rent a beach house and the kids immediately find a 1,000 piece puzzle in the closet, but there’s no box to show you what the puzzle looks like when it’s done. With a puzzle, you know what to do next: you dump out all the pieces on the coffee table and start looking for the edges and the corners. To a new user, Puppet Enterprise can be a bit of a puzzle without a box. The manual can tell you the procedures and show you the shape of the pieces, but the Deployment Guide is there to show you what it looks like when it’s all put together by helping you find the edges and the corners.

To create the Guide, I started by brainstorming a rough outline, dividing the project of deployment into logical chunks. But to get that outline filled in, I had to turn to the brain-trust that is our Professional Services and Support departments. I was lucky to have folks with collective decades of experience deploying Puppet Enterprise in all sorts of different enterprises right there in the northern half of our offices. With the assistance of Nigel Kersten, our CTO, I identified subject-matter experts in various aspects of a Puppet Enterprise deployment. And then I started in on the task that defines much of a tech writer’s day: hounding people until they give up their knowledge. After 12 years or so in this game, my nagging skills are — dare I say — fairly advanced since I understand the stick and I understand the carrot. Especially the carrot (in Portland, this is usually beer or coffee, but sometimes an actual carrot; there are lots of vegetarians here). In fairly short order, I had amassed a very large pile of information, tips, tricks and advice.

This led to a new problem: our Professional Service Engineers and Support staff are opinionated people, and now I had a big pile of opinions, not all of which necessarily agreed with one another. How would I choose what to put in the Guide as the best practice? Admittedly, I flailed about on this question for some time. Like any good piece of software, Puppet Enterprise gives you a number of different ways to complete a given task. Add to that the varying skills and knowledge of Puppet Enterprise users, and the incredible variety of enterprises where it gets deployed, and I found myself neck-deep in some pretty murky water.

Read the rest of this entry »

We’re excited to announce the availability of Puppet Enterprise 2.8, which introduces the ability to manage nodes running IBM’s AIX operating system.

We consistently heard from our customers that IBM AIX was a critical part of many IT infrastructures, particularly in finance, retail and manufacturing sectors. When conducting customer research, we found that users of AIX were often using it in mission-critical environments. Puppet Labs is here to back you up with premium, 24/7 support of your puppetized AIX environment, with support for running puppet agents on AIX versions 5.3, 6.1, and 7.1.

Getting Puppet and its dependencies operating on AIX was complex. With our latest version of Puppet Enterprise, you can easily get a Puppet Agent, Facter, and MCollective working on AIX in minutes. Beyond packaging dependencies, we also enhanced several providers for working with AIX. To help you configure AIX nodes, support for AIX package providers, RPM, NIM and BFF, has also been added.

AIX support isn’t the only new feature in Puppet Enterprise 2.8. We also bumped the versions of Puppet (2.7.21), Facter (1.6.17), and Hiera (1.1.2). The updates include bug fixes and performance improvements, which will enable users to experience faster compilation times and enhanced performance. Puppet Enterprise 2.8 also includes all security fixes and updates for Puppet Labs’ products, as well as its dependencies.

Our software is built to be cross-platform, supporting a variety of operating systems, including all Linuxes, Solaris, and Windows. With the addition of IBM AIX support in Puppet Enterprise 2.8, we continue to offer the most comprehensive coverage of enterprise IT platforms, boosting system administrators’ productivity by enabling them to automate the management of heterogeneous IT environments with a single solution.

Learn More

• Download Puppet Enterprise — it’s free for use up to 10 nodes
• Sign up for a Puppet Enterprise live technical webinar & demo
• Check out the Puppet Enterprise 2.8 docs

A few days ago, I left you with Part 1: Top Questions on Puppet and Windows. As I mentioned in that blog post, I received a ton of questions during a Puppet Enterprise and Windows webinar that I recently hosted — so many that I couldn’t get to all of them. In part 1, I answered questions such as: how is Puppet Enterprise different from SCCM, future plans for Windows-capable modules on Puppet Forge, and whether or not the puppet master role can be installed on a Windows machine. Today, I complete the blog series with answers to more questions on Puppet and Windows. Enjoy!

Q: Can Puppet be used to copy contents recursively from one Windows shared folder to another Windows shared folder?

You can do this using a Puppet file type with a local source parameter. Puppet makes no particular distinction between any folder, regardless of whether it is shared (Windows), mounted over NFS (Linux), or on the same disk partition as the OS. The Puppet file type works at the filesystem layer so as long as it’s attached, it can be used.

To recursively ensure that one folder contains the same content as another using Puppet, you can specify a resource such as the following:

file { 'C:/packages':
ensure  => directory,
source  => 'Z:/depot',
recurse => true,
}

Q: Is it possible to install Puppet with the MSI but without starting the service?

To achieve this currently, the MSI file needs to be edited (e.g. using Orca) to change the startup type. A feature request has been filed to expose this option on the command line so that it can be specified without adjustments to the MSI.

Q: How does Puppet for Windows handle file permissions (AD rights, etc.).  When a file is copied from a share, what permissions are inherited?

Puppet can manage file owner and group per typical Puppet practice. For Windows ACLs, Puppet currently uses an interpretation of Posix-style modes to set permissions, but does not support enforcing more complex ACLs. Josh Cooper (Puppet Labs, Developer) describes the behavior in a little more detail:

If owner, group and mode are unspecified, then [a given] file/dir receive the default ACL for the user Puppet is running as, e.g. LocalSystem. If owner, group, or mode are specified, then Puppet maps the POSIX style permissions to Windows ACLs, similarly to how cygwin does this. Each file/dir is “protected” meaning it does not inherit from higher level containers, so that Puppet can explicitly manage the effective state of the resource.

In the Windows world, using Puppet to manage file ACLs more directly would be hugely useful. The correct approach for managing ACLs would be to create a separate type/provider to apply ACLs on top of managed or unmanaged files. Some discussion to that effect can be found here and a feature request can be found here.

Q: How does Puppet help with backup and disaster recovery for Windows?

Configuration management is all about defining and enforcing the important parts of your configuration in a central revision-controlled “source of truth.” If you use Puppet to define every piece of configuration implemented on a production system, you get two benefits:

1. The first is that if an inadvertent manual change is made to something managed through Puppet and forgotten, at the next agent run the change will be reverted and the remediation step logged in the report sent to the Puppet master.
2. The second benefit is that if the entire system is lost the configuration layer can be rebuilt automatically on a new node and in such a way that you are assured it will be a functional replacement for its lost predecessor. In these ways, Puppet centralizes and tracks configuration of systems allowing individual infrastructure components to become more disposable, as they can be replaced quickly and automatically with a lightweight and portable collection of plain text description.

Puppet is not a replacement for data-layer backups for variable data or database dumps, but it can be used to install and configure client backup software or ensure that scheduled backup jobs exist.

Q: Can I get the status of the installation programmatically from Puppet?

The data flow for a Puppet run is roughly as follows:

1. Facter is run on the agent node and the resulting fact information uploaded to the master node.
2. The fact information for the agent is compiled against the manifests on the master node to produce a catalog. Like all function calls, hiera calls are executed as part of catalog generation and so hiera is run on the master node.
3. The catalog is sent back to the client, which then applies it locally. A report is generated as the catalog is applied.
4. The report is sent back from the agent node to the master.

When the report is received by the master it is sent through a series of report processors, according to the master’s configuration. The report processor API can be used to write custom report processors that will react programmatically to any configuration management event, whether it is a particular resource failure, a resource change, a threshold number of changes, or any other trigger/condition based on the report data. For more information on report processors, click here.

If you would like real-time data about the progress of Puppet runs before the finished report is submitted to the master, open source projects exist to provide this even deeper level of introspection. One such tool is Hunter Haugen’s progress_mq logdest terminus plugin which submits a message to a message bus whenever an event is produced by the puppet application. Readers can then monitor the bus and report in real time the progress of a Puppet run. The progress_mq project can be found here.

Q: Can I do provisioning of an environment using Puppet?

The Puppet Cloud Provisioner tool allows integration with Puppet for the purposes of creating, bootstrapping, and terminating virtual machines using a command-line or Ruby API through Puppet. More information on the Cloud Provisioner can be found here. Also of interest is the early-alpha Razor application, which is designed to provide profile-based bare-metal provisioning. More information on Razor can be found here. The core Puppet application is designed to run on anything from Just Enough Operating System (JeOS) up and so does not address provisioning directly, leaving that up to the Cloud Provisioner, Razor, or other lower-layer applications.

Q: Is there a way to stop an .exe from being installed every 30 minutes? The ‘Package’ resource for a MSI can include the ‘ensure installed’ option. The ‘Exec’ resource will just fire off every time the agent checks in.

The ‘windows’ package provider which ships with Puppet 3.0 can handle arbitrary *.exe installers, can determine whether or not an application needs to be installed, and will not perform extraneous work or reinstallation without a reason. The most common cause of a package resource performing repeat-installation is a name error; the name of the package resource (in Puppet) needs to match exactly the name in Windows (the DisplayName property from Add/Remove Programs) in order for Puppet to detect that the “package” is already installed.

For exec resources check out the “refreshonly”, “creates”, and “unless” parameters. These exec-specific parameters allow for manual specification of condition checks that will determine whether or not to actually run the command specified. Click here for detailed technical information on each of the parameters and what they do.

Learn More

• Check out Part 1: Top Questions on Puppet and Windows
• Register for an upcoming Puppet Enterprise webinar
• Download the Puppet Enterprise + Windows on-demand webinar
• Docs on Puppet and Windows
• Download Puppet Enterprise — the first 10 nodes are free

Last week, I hosted a webinar on Puppet and Puppet Enterprise on Windows. During the half-hour-long demo, I covered a number of items, including how to use Puppet Enterprise to manage Windows machines, and how to manage fundamental resources on Windows (in contrast with the same resources on Linux). I also dove deeper into Windows-specific resources, such as the Windows registry module. Attendees asked a lot of questions that I couldn’t get to, so today I’d like to share the following questions and answers with you. Hopefully you find this helpful. If you have any additional questions on Puppet and Windows, please feel to drop them in the comments below.

Please note: This is part I of a two-part series on Puppet and Windows. There’s more to come in the next couple of days.

Q: As a developer, I see the potential of Puppet, but I struggle at times to communicate it to management. One of the questions I often get is: How is Puppet better than SCCM and/or GPO?

A: System Center Configuration Manager (SCCM) brings to the table a Windows-native tool that is well-integrated with its target software and OS, capable of managing configuration from the provisioning step on up. Puppet is limited to the configuration layer only and does not descend as low as provisioning, and it doesn’t come with a Windows-native GUI for setting up policies. What Puppet does differently than SCCM is offer true infrastructure-as-code configuration management.

Puppet doesn’t depend on a database for any part of the configuration management process (a database for storing and searching reports is optional), and everything it consumes and produces can be reduced to flat files. This makes Puppet easily portable, deployable, simple, and node-disposable. For organizations with a hybrid IT infrastructure, Puppet offers a cross-platform management tool that can capture a complete, lightweight, versioned, automation-executable description of all nodes in human-readable plaintext; not just Windows nodes, not just Linux nodes, all of them.

In terms of technical ability, Puppet core types and providers give a solid spread of out-of-the-box functionality that can be built on per typical Puppet practice to fashion larger abstractions either within the Puppet language or in Ruby. Puppet is explicitly designed to be a highly extensible framework, therefore additional resource types are easy to write, distribute, or find on the Puppet Forge.

All of this, combined with the significantly lower per-node price, make Puppet Enterprise a compelling choice for hybrid Windows/Unix/Linux IT environments, an agile alternative to SCCM, and a tool complementary to Group Policy.

Q: Can the puppet master role be installed on a Windows machine?

A: Puppet Enterprise officially supports Windows Server 2008 R2 and Windows 7, but for the agent role only. The puppet master role must reside on a Linux-based system such as Debian or RedHat.

It’s worth noting that while support is provided only for Server 2008 R2 and Windows 7, the Puppet agent has been demonstrated to run in an unsupported capacity on most Windows releases from Server 2003 up (including 2003, 2003R2, 2008, Vista, and Windows 8).

Q: Does MCollective extend to Puppet on Windows?

A: The MCollective product works on Windows, but MCollective is not included in the Puppet Enterprise 2.7.0 installer for Windows. This is one of the last major bridges in terms of Puppet Enterprise Windows feature-parity with the Linux platforms, so it’s definitely a release we’re working towards.

Q: What plans do you have to help increase availability of Windows-capable modules on Puppet Forge?

A: I pinged Ryan Coleman, Product Owner of the Puppet Forge, for an answer on this question. Below was his response:

“There are two primary drivers of Windows-focused content on the Puppet Forge right now: Puppet Labs development and community contributions.

Modules such as puppetlabs/registry and puppetlabs/dism are examples of the kinds of content we build to enable Windows users with Puppet. Because we have limited resources to devote to these kinds of projects, most of our contributions come from the community. Thankfully, the community has been steadily contributing Windows content to the Puppet Forge. The following search produces 15 results, each a useful module for working with Windows and Puppet: http://forge.puppetlabs.com/modules?q=windows

My responsibility as Product Owner of Puppet Forge is to continue to enable the community to succeed and contribute great content. To that end, I do a number of things to help. I speak at conferences, write blog posts on how to more easily write great modules, and directly mentor community members on their modules when asked. In addition, I’m always on the lookout for work community members have done, and help them get that content onto the Puppet Forge. We also have the module bounty contest which asks the community to provide content we feel is lacking and awards the best contributors. If you have specific needs that aren’t being met, please email ryan@puppetlabs.com with what you’re looking for and I’ll do my best to get a solution onto Puppet Forge.”

Q: Are there any limitations on deploying Puppet modules on Windows?

A: There are no architectural limitations with regards to deploying modules for Windows nodes. Platform support varies between individual published modules depending on the effort invested by the relevant author and contributors, but there are no big-picture concerns specific in any way to modules and Windows.

Q: What techniques do you recommend to avoid having to put paths to particular MSI/EXE installers for particular versions in Puppet modules for Windows?

A: Puppet is about managing the configuration state on a system and leveraging whatever utilities are available in the environment to perform the actual work. On the Linux side, Puppet leverages Yum or Apt repositories to perform the install media retrieval. On the Windows side, there currently isn’t a ubiquitous abstraction that we can leverage in a package provider so much of the logic of schlepping around media that Puppet can use to install software has to be specified as part of the configuration. There are a variety of approaches that can be used. I’ll mention two of them here.

In an environment with Windows file shares available a “depot” can be set up containing the installation media for all managed software. Puppet can be used to connect to this software depot and use it for package sources. The following pseudo-code demonstrates the pattern.

Because I’m not currently aware of a native type/provider for mounting windows shares, an exec resource is used as a stand-in directive to ensure that the depot location is mounted and available. The exec could relatively easily be replaced with a full native “net_use” type and provider written along the same lines as the simondean/net_share module from Puppet Forge.

 # The depot share path and connection information. Could be stored
 # in hiera instead
 $username = 'domain\puppet'
 $password = 'passw0rd'
 $share =  '\\depot\packages'
 $safeshare = regsubst($share, '[\\$]', '.', 'G')
 
 # The `net use` command for the depot_mount exec resource
 $netuse = 'C:\Windows\system32\cmd.exe /c net use'
 
 # An exec resource that makes sure the depot is connected. If it's
 # already connected, do nothing. If it isn't connected, connect
 # to it.
 exec { 'depot_mount':
   command => "$netuse $share /USER:$username $password",
   unless  => "$netuse | FindStr /R \"^OK.*$safeshare\"",
 }
 
 # A package resource. Note specifically that it lists the
 # depot_mount exec as a requirement.
 package { 'Orca':
   ensure          => installed,
   source          => "$share\\orca\\orca-3.0.3790.msi",
   install_options => { 'INSTALLDIR' => 'C:\orca' },
   require         => Exec['depot_mount'],
 }

When the depot pattern doesn’t work or isn’t ideal for a particular environment, another alternative is to use Puppet to ensure that a local copy of the installation media is available before ensuring the package. One way is to ship the files directly from the puppet master node, using it as a fileserver. Another option is to use Puppet Forge modules for alternative file sources, e.g. branan/s3file.

Any of these approaches can be wrapped in a defined type that will use logic or active mechanisms to locate an appropriate package source.

Click here for more information on the type/provider abstraction and how it can be used to build alternative means of ensuring that packages are installed if there is a native utility or repository software that you would like to use with Puppet for retrieving and installing packages.

More to Come

As I mentioned above, there were a number of questions asked at the webinar. Stay tuned for part II of the Puppet Enterprise and Windows blog series, or check out the resources below.

Learn More

• Register for an upcoming Puppet Enterprise webinar
• Download the Puppet Enterprise + Windows on-demand webinar
• Docs on Puppet and Windows
• Download Puppet Enterprise — the first 10 nodes are free