EzDev.org

Top 15 puppet interview questions

Options for Multisite High Availability with Puppet

I maintain two datacenters, and as more of our important infrastructure starts to get controlled via puppet, it is important that the puppet master work at the second site should our primary site fail.

Even better would be to have a sort of active / active setup so the servers at the second site are not polling over the WAN.

Are there any standard methods of multi-site puppet high availability?


Source: (StackOverflow)

NFS with encrypted ubuntu home directory

I am having trouble getting NFS set up with vagrant:

On my local machine I have installed NFS:

apt-get install nfs-common nfs-kernel-server

And in my Vagrantfile set it to be used:

config.vm.share_folder("v-root", "/vagrant", ".", :nfs => true)

On vagrant up I get:

exportfs: /home/<user>/path/to/dir does not support NFS export

Mounting NFS shared folders failed. This is most often caused by the NFS
client software not being installed on the guest machine. Please verify
that the NFS client software is properly installed, and consult any resources
specific to the linux distro you're using for more information on how to
do this.

Am I missing a step or two here?

I'm aware of some issues with Ubuntu's encrypted home folders and NFS, but I understand this is only meant to be a problem before boot.

[update] my /etc/exports file looks like this:

# VAGRANT-BEGIN: 5af3e5d6-b086-416d-8eab-987275445634
/home/<user>/path/to/dir 192.168.33.11(rw,no_subtree_check,all_squash,
anonuid=1000,anongid=1000,fsid$
# VAGRANT-END: 5af3e5d6-b086-416d-8eab-987275445634

Source: (StackOverflow)

Pros and Cons of a Decentralized Puppet Architecture

We have around 300 RHEL servers that are currently connecting to a Puppetmaster server. However, we have noticed some performance bottlenecks and it is the point of failure in our system. I am fairly new to puppet in general and I am considering creating a decentralized puppet architecture instead of having Puppet clients connect to the Puppetmaster server. Aside from what I would suspect to happen such as performance gain and lack of signing and exchanging SSL certs for new machines, what are other pros and cons to setting up a decentralized architecture?


Source: (StackOverflow)

Fixing services that have been disabled in /etc/default/ with puppet?

I'm using puppet to (theoretically) get npcd to start upon installation, however on Ubuntu, that service comes installed with the default setting in /etc/default/npcd of RUN="no":

 $ cat /etc/default/npcd 
 # Default settings for the NPCD init script.

 # Should NPCD be started? ("yes" to enable)
 RUN="no"

 # Additional options that are passed to the daemon.
 DAEMON_OPTS="-d -f /etc/pnp4nagios/npcd.cfg"

I would think that this block of puppet config would take care of things:

    service { "npcd":
       enable   => true,
       ensure   => "running",
       require  => Package["pnp4nagios"],
    }   

But alas, it doesn't, and short of actually rewriting the file in /etc/default, I'm not sure what to do. Is there a straightforward way to enable the service that I'm not seeing?

For the record, I'm using Ubuntu 12.04.2 and puppet version 3.1.0.


Source: (StackOverflow)
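One way to handle the RUN="no" default described in the question above, as an added example that is not part of the original post: edit the single variable in /etc/default/npcd with Puppet's core augeas type and the Shellvars lens, and let that change notify the service. The package name pnp4nagios and the service name npcd are taken from the post.

```puppet
# Added example (not from the original post). Rewrites only the RUN variable in
# /etc/default/npcd, leaving the rest of the file untouched, then starts npcd.
augeas { 'npcd-enable':
  context => '/files/etc/default/npcd',
  lens    => 'Shellvars.lns',
  incl    => '/etc/default/npcd',
  # The Shellvars lens keeps the shell quoting, so the quotes are part of the value.
  changes => "set RUN '\"yes\"'",
  require => Package['pnp4nagios'],
  notify  => Service['npcd'],
}

service { 'npcd':
  ensure  => running,
  enable  => true,
  require => Package['pnp4nagios'],
}
```

The augeas resource is idempotent: once RUN is already "yes" it reports no change, so the service is only restarted on the run that actually flips the setting.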

Adding lines to /etc/profile with puppet?

I use puppet to install a current JDK and tomcat.

package {
    [ "openjdk-6-jdk", "openjdk-6-doc", "openjdk-6-jre",
      "tomcat6", "tomcat6-admin", "tomcat6-common", "tomcat6-docs", 
      "tomcat6-user" ]:
    ensure => present,
}

Now I'd like to add

JAVA_HOME="/usr/lib/java"
export JAVA_HOME

to /etc/profile, just to get this out of the way. I haven't found a straightforward answer in the docs, yet. Is there a recommended way to do this?

In general, how do I tell puppet to place this file there or modify that file? I'm using puppet for a single node (in standalone mode) just to try it out and to keep a log of the server setup.


Source: (StackOverflow)
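For the JAVA_HOME question above, as an added example that is not part of the original post: instead of editing /etc/profile in place, manage a root-owned drop-in under /etc/profile.d (sourced by every login shell on Ubuntu), with the in-place edit shown as the alternative. The path /usr/lib/java and the package name openjdk-6-jdk come from the post; the file name java_home.sh is an assumption, and file_line is from the puppetlabs-stdlib module, not core Puppet.

```puppet
# Added example (not from the original post). A file that every login shell
# sources must be owned by root and not writable by anyone else, so the mode
# and ownership are set explicitly rather than left to defaults.
file { '/etc/profile.d/java_home.sh':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  content => "JAVA_HOME=\"/usr/lib/java\"\nexport JAVA_HOME\n",
  require => Package['openjdk-6-jdk'],
}

# Alternative if the line really has to live in /etc/profile itself: file_line
# (puppetlabs-stdlib) adds the line once, and with 'match' it replaces an
# existing JAVA_HOME= line instead of appending a second one.
file_line { 'profile-java-home':
  path  => '/etc/profile',
  line  => 'JAVA_HOME="/usr/lib/java"; export JAVA_HOME',
  match => '^JAVA_HOME=',
}
```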

Managing an application across multiple servers, or PXE vs cfEngine/Chef/Puppet

We have an application that is running on a few (5 or so and will grow) boxes. The hardware is identical in all the machines, and ideally the software would be as well. I have been managing them by hand up until now, and don't want to anymore (static ip addresses, disabling all necessary services, installing required packages...) . Can anyone balance the pros and cons of the following options, or suggest something more intelligent?

1: Individually install centos on all the boxes and manage the configs with chef/cfengine/puppet. This would be good, as I have wanted an excuse to learn to use one of these applications, but I don't know if this is actually the best solution.

2: Make one box perfect and image it. Serve the image over PXE and whenever I want to make modifications, I can just reboot the boxes from a new image. How do cluster guys normally handle things like having mac addresses in the /etc/sysconfig/network-scripts/ifcfg* files? We use infiniband as well, and it also refuses to start if the hwaddr is wrong. Can these be correctly generated at boot?

I'm leaning towards the PXE solution, but I think monitoring with munin or nagios will be a little more complicated with this. Anyone have experience with this type of problem?

All the servers have SSDs in them and are fast and powerful.

Thanks, matt.


Source: (StackOverflow)

Configuration management: push versus pull based topology

The more established configuration management (CM) systems like Puppet and Chef use a pull-based approach: clients poll a centralized master periodically for updates. Some of them offer a masterless approach as well (so, push-based), but state that it is 'not for production' (Saltstack) or 'less scalable' (Puppet). The only system that I know of that is push-based from the start is runner-up Ansible.

What is the specific scalability advantage of a pull based system? Why is it supposedly easier to add more pull-masters than push-agents?

For example, agiletesting.blogspot.nl writes:

in a 'pull' system, clients contact the server independently of each other, so the system as a whole is more scalable than a 'push' system

On the other hand, Rackspace demonstrates that they can handle 15K systems with a push-based model.

infrastructures.org writes:

We swear by a pull methodology for maintaining infrastructures, using a tool like SUP, CVSup, an rsync server, or cfengine. Rather than push changes out to clients, each individual client machine needs to be responsible for polling the gold server at boot, and periodically afterwards, to maintain its own rev level. Before adopting this viewpoint, we developed extensive push-based scripts based on ssh, rsh, rcp, and rdist. The problem we found with the r-commands (or ssh) was this: When you run an r-command based script to push a change out to your target machines, odds are that if you have more than 30 target hosts one of them will be down at any given time. Maintaining the list of commissioned machines becomes a nightmare. In the course of writing code to correct for this, you will end up with elaborate wrapper code to deal with: timeouts from dead hosts; logging and retrying dead hosts; forking and running parallel jobs to try to hit many hosts in a reasonable amount of time; and finally detecting and preventing the case of using up all available TCP sockets on the source machine with all of the outbound rsh sessions. Then you still have the problem of getting whatever you just did into the install images for all new hosts to be installed in the future, as well as repeating it for any hosts that die and have to be rebuilt tomorrow. After the trouble we went through to implement r-command based replication, we found it's just not worth it. We don't plan on managing an infrastructure with r-commands again, or with any other push mechanism for that matter. They don't scale as well as pull-based methods.

Isn't that an implementation problem instead of an architectural one? Why is it harder to write a threaded push client than a threaded pull server?


Source: (StackOverflow)

Puppet and launchd services?

We have a production environment configured with Puppet, and want to be able to set up a similar environment on our development machines: a mix of Red Hats, Ubuntus and OSX. As might be expected, OSX is the odd man out here, and sadly, I'm having a lot of trouble with getting this to work.

My first attempt was using macports, using the following declaration:

package { 'rabbitmq-server':
    ensure   => installed,
    provider => macports,
}

but this, sadly, generates the following error:

Error: /Stage[main]/Rabbitmq/Package[rabbitmq-server]: Could not evaluate: Execution of '/opt/local/bin/port -q installed rabbitmq-server' returned 1: usage: cut -b list [-n] [file ...]
       cut -c list [file ...]
       cut -f list [-s] [-d delim] [file ...]
    while executing
"exec dscl -q . -read /Users/$env(SUDO_USER) NFSHomeDirectory | cut -d ' ' -f 2"
    (procedure "mportinit" line 95)
    invoked from within
"mportinit ui_options global_options global_variations"

Next up, I figured I'd give homebrew a try. There is no package provider available by default, but puppet-homebrew seemed promising. Here, I got much farther, and actually managed to get the install to work.

package { 'rabbitmq':
    ensure   => installed,
    provider => brew,
}
file { "plist":
    path   => "/Library/LaunchDaemons/homebrew.mxcl.rabbitmq.plist",
    source => "/usr/local/opt/rabbitmq/homebrew.mxcl.rabbitmq.plist",
    ensure => present,
    owner  => root,
    group  => wheel,
    mode   => 0644,
}
service { "homebrew.mxcl.rabbitmq":
    enable      => true,
    ensure      => running,
    provider    => "launchd",
    require     => [ File["/Library/LaunchDaemons/homebrew.mxcl.rabbitmq.plist"] ],
}

Here, I don't get any error. But RabbitMQ doesn't start either (as it does if I do a manual load with launchctl).


    [... snip ...]
    Debug: Executing '/bin/launchctl list'
    Debug: Executing '/usr/bin/plutil -convert xml1 -o /dev/stdout
        /Library/LaunchDaemons/homebrew.mxcl.rabbitmq.plist'
    Debug: Executing '/usr/bin/plutil -convert xml1 -o /dev/stdout
        /var/db/launchd.db/com.apple.launchd/overrides.plist'
    Debug: /Schedule[weekly]: Skipping device resources because running on a host
    Debug: /Schedule[puppet]: Skipping device resources because running on a host
    Debug: Finishing transaction 2248294820
    Debug: Storing state
    Debug: Stored state in 0.01 seconds
    Finished catalog run in 25.90 seconds

What am I doing wrong?

Edit: For the record, we're now doing this with Vagrant VMs instead on our OSX machines, but the native solution would still be preferred.


Source: (StackOverflow)

Puppet: ensure a file is empty

I would like to be sure that the motd file is empty. I would love to do like this:

file { "/etc/motd":
  ensure => empty
}

This obviously does not work.

Is there a simple way to ensure a file is empty, instead of using the "source" declaration and storing an empty file in the file repository?


Source: (StackOverflow)

What are the right questions to ask when deciding whether to use Chef or Puppet?

I am about to start a new project which will, in part, require deploying many identical nodes of approximately three different classes:

  • Data nodes, which will run sharded instances of MongoDB.
  • Application nodes, which will run instances of a Ruby on Rails application and an older ASP.NET MVC application.
  • Processing nodes, which will run jobs requested by the application nodes.

All the nodes will run on instances of Ubuntu 10.04, though they will have different packages installed.

I have some familiarity with Chef from previous projects, though I don't consider myself an expert. In an effort to do due diligence, I have been investigating alternative possibilities. We have a number of folks in-house who are long-time Puppet users, and they have encouraged me to take a look.

I am having trouble evaluating both choices, though. Chef and Puppet share much of the same domain terminology -- packages, resources, attributes, and so on -- and they have a common history that stems from taking different approaches to the same problem. So in some sense they are very similar. But much of the comparison information I've found, like this article, is a little outdated.

If you were starting this project today, what questions would you ask yourself to decide whether you should use Chef or Puppet for configuration management? (Note: I don't want an answer to the question "Should I use Chef or Puppet?")


Source: (StackOverflow)

What's the strengths and weaknesses of existing configuration management systems? [closed]

I was looking up here for some comparisons between CFEngine, Puppet, Chef, bcfg2, AutomateIt and whatever other configuration management systems might be out there, and was very surprised I could find very little here on Server Fault. For instance, I only knew of the first three links above -- the other two I found on a related google search.

So, I'm not interested in what people think is the best one, or which they like. I'd like to know the following:

  1. Configuration Management System's name.
  2. Why it was created (as opposed to using an existing solution).
  3. Relative strengths.
  4. Relative weaknesses.
  5. License.
  6. Link to project and examples.

Source: (StackOverflow)

Could not find class, and yet it is there

When doing a puppet agent call from a new image, I'm getting an err: Could not find class custommod error. The module itself is in /etc/puppet/modules/custommod, same as all of the other modules we're calling, but this one is obstinate.

[site.pp]

node /clunod-wk\d+\.sub\.example\.local/ {
      include base
      include curl
      include custommod
      class{ "custommod::apps": frontend => "false" }
      [...]
}

When the puppetmaster is run with debug output, it is clearly finding the information for base and curl:

debug: importing '/etc/puppet/modules/base/manifests/init.pp' in environment production
debug: Automatically imported base from base into production
debug: importing '/etc/puppet/modules/curl/manifests/init.pp' in environment production
debug: Automatically imported curl from curl into production
err: Could not find class custommod for clunod-wk0130.sub.example.local at /etc/puppet/manifests/site.pp:84 on node clunod-wk0130.sub.example.local

Line 84 is include custommod

An abbreviated directory and file structure:

/etc/puppet
   |- manifests
   |     |- site.pp
   |
   |- modules
         |- base
         |    |- manifests
         |          |- init.pp
         |
         |- curl
         |    |- manifests
         |          |- init.pp
         |   
         |- custommod
              |- files 
              |     |- apps
              |         |- [...]
              |
              |- manifests
                    |- init.pp
                    |- apps.pp

I did check spelling :}

The content of init.pp in the custommod directory is completely unremarkable:

class custommod {
}

The intent is to create an empty class for the apps.pp file, which is where the meat is.

class custommod::apps {

    [lots of stuff]
}

Only, it's never getting to the apps file. If I comment out the include custommod, the above error is generated on the class{ "custommod::apps": frontend => "false" } line instead.

What am I missing in my hunt to find out how this error is being generated? I need to note that this repo works just fine if it is run locally via puppet apply.


Source: (StackOverflow)

Puppet: Node name seems dependent on reverse dns?

I seem to be running into a little bit of a problem understanding how to get this to work. I have a new server I'm building sitting behind the office NAT at work, its reverse dns maps to office.mydomain.com, but I want the machine to be ns2.mydomain.com for the sake of puppet.

nodes.pp snippet:

node 'ns2.mydomain.com' inherits basenode {
  info('ns2.mydomain.com')
}

node 'office.mydomain.com' inherits basenode {
  info('office.mydomain.com')
}

And my 'puppet.conf' on the client:

[main]
#was node_name=ns2.mydomain.com
#was fqdn=ns2.mydomain.com
certname=ns2.mydomain.com
node_name=cert

My syslog on the server reports:

Sep 16 22:59:12 support puppetmasterd[2800]: Host is missing hostname and/or domain: office.mydomain.com
Sep 16 22:59:12 support puppetmasterd[2800]: (Scope(Node[office.mydomain.com])) office.mydomain.com
Sep 16 22:59:12 support puppetmasterd[2800]: Compiled catalog for office.mydomain.com in 0.03 seconds
Sep 16 22:59:12 support puppetmasterd[2800]: Caching catalog for ns2.mydomain.com

How can I make it grab the config for ns2.mydomain.com without doing something like this:

node 'ns2.mydomain.com' inherits basenode {
  info('ns2.mydomain.com')
}

node 'office.mydomain.com' inherits 'ns2.mydomain.com' {
  info('office.mydomain.com')
}

UPDATE: This problem seems to be causing other issues as well. For instance, if I info("$fqdn") while the machine is sitting behind office.mydomain.com, the fqdn fact is empty, as well as the $operatingsystem. It's almost like the facts aren't being discovered properly. Is there perhaps a NAT issue? Are there any suggestions for tracking down the cause of this problem?


Source: (StackOverflow)

How to update a package using puppet and a .deb file

I am trying to figure out the proper way to update/upgrade a deb package using puppet from a local source deb file. My current config looks like this...

class adobe-air-2-0-4 {

  file { "/opt/air-debs":
    ensure => directory
  }

  file { "/opt/air-debs/adobeair-2.0.4.deb":
    owner   => root,
    group   => root,
    mode    => 644,
    ensure  => present,
    source  => "puppet://puppet/adobe-air-2-0-4/adobeair-2.0.4.deb"
  }

  package { "adobeair":
    provider => dpkg,
    ensure => installed,
    source => "/opt/air-debs/adobeair-2.0.4.deb"
  }

}

I first copy the deb file down to the client machine and then use 'package' with the provider set to 'dpkg'. This works and I get the correct version installed.

My question is what is the proper way to update this package in the future. Can I simply change out the source file and puppet will know that it's a different version and update this package? How does puppet determine what version of a package it has installed versus the version of the source deb file?

I am pretty new to puppet, so if you have any suggestions for improvements to my existing config they are very much appreciated.


Source: (StackOverflow)
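For the version question above, as an added example that is not part of the original post: the dpkg provider is versionable, so giving ensure an explicit version lets Puppet compare what dpkg-query reports as installed against the version the local .deb carries, and run dpkg -i only when they differ. The version 2.0.4, package name adobeair and /opt/air-debs path come from the post; the class name adobe_air and the puppet:///modules/... source URL are assumptions.

```puppet
# Added example (not from the original post). Bumping $version is the one
# change needed for an upgrade: it renames the .deb that is fetched and moves
# the package's ensure target, which is what actually triggers reinstallation.
class adobe_air {
  $version = '2.0.4'
  $deb     = "/opt/air-debs/adobeair-${version}.deb"

  file { '/opt/air-debs':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # dpkg -i runs the maintainer scripts as root, so the .deb is kept
  # root-owned and unwritable by other users between runs.
  file { $deb:
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => "puppet:///modules/adobe_air/adobeair-${version}.deb",
  }

  # With a versionable provider, ensure => '<version>' is compared against the
  # installed version reported by dpkg; 'installed' only checks presence.
  package { 'adobeair':
    ensure   => $version,
    provider => dpkg,
    source   => $deb,
    require  => File[$deb],
  }
}
```

Swapping the .deb on the master without changing ensure does not reinstall anything, because the package resource never looks at the file's contents, only at the installed version.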

Puppet Security and Network Topologies

Background:

I am finally setting aside some time to join the 21st Century and look at Puppet.

As it stands today we version control all server configurations in a repository that is held internally at the office. When an update needs making, the changes are checked back into the repos and manually pushed out to the machine in question. This usually means SFTP'ing to the remote machine and then moving files into place, with the relevant permissions, from a shell.

So I am hopeful that Puppet is going to be a simple yet amazing extension to what we already have.

Now I consider the process that we currently have to be reasonably secure, on the assumption that our internal network will always be relatively more secure than the public networks in our datacentres.

  • The process is always one way. Changes traverse from a secure environment to insecure and never the other way round.

  • The master store is in the safest possible place. The risk of compromise, either by stealing configurations or sending out malicious modifications, is greatly reduced.

Question:

From what I understand of the Puppet server/client model, the clients poll and pull updates down directly from the server. The traffic is SSL wrapped so cannot be intercepted or spoofed. But it differs from what we currently do because the Puppet server[s] would need to be hosted in a public location. Either centrally, or one for each datacentre site that we maintain.

So I am wondering:

  • Am I being unnecessarily paranoid about the change from push to pull?

  • Am I being unnecessarily paranoid about centrally storing all of that information on a public network?

  • How are others maintaining multiple networks - separate server for each site?


Update 30/07/09:

I guess that one of my other big concerns is placing so much trust in a single machine. The puppetmaster(s) would be firewalled, secured and such. But even so, any public machine with listening services has an attack surface of a certain size.

Presumably if the master has permission to update any file on any one of the puppet clients, then its compromise would ultimately result in the compromise of all its clients. The "keys to the kingdom", so to speak.

  • Is that hypothesis correct?

  • Is there any way that it can be mitigated?


Source: (StackOverflow)