Monday, December 15, 2014

Puppet cert inspector

Today while poking around in the puppet source code, I came across a utility in the ext/ directory called cert_inspector. This seems to be a little utility that opens up certificates and interrogates them for useful data. This is better than what I usually do, which is incanting openssl directly. It also is capable of chewing up an entire /var/lib/puppet/ssl directory and dumping information on every cert and key it finds. See the output below:

(master u=)$: ./ext/cert_inspector ~/.puppet/ssl/certs/ca.pem
/home/nibz/.puppet/ssl/certs/ca.pem:
  Certificate assigning name /CN=Puppet CA: zabava.cat.pdx.edu to key</CN=Puppet CA: zabava.cat.pdx.edu>
    serial number 1
    issued by /CN=Puppet CA: zabava.cat.pdx.edu
    signed by key</CN=Puppet CA: zabava.cat.pdx.edu>

(master u=)$: ./ext/cert_inspector ~/.puppet/ssl/
WARNING: file "/home/nibz/.puppet/ssl/public_keys/hunner_what_r_u_doin.pem" could not be interpreted
WARNING: file "/home/nibz/.puppet/ssl/public_keys/hunner_stahp.pem" could not be interpreted
WARNING: file "/home/nibz/.puppet/ssl/public_keys/maxwell.hsd1.or.comcast.net.pem" could not be interpreted
WARNING: file "/home/nibz/.puppet/ssl/public_keys/hunner.pem" could not be interpreted
/home/nibz/.puppet/ssl/certs/ca.pem:
  Certificate assigning name /CN=Puppet CA: zabava.cat.pdx.edu to key</CN=Puppet CA: zabava.cat.pdx.edu>
    serial number 1
    issued by /CN=Puppet CA: zabava.cat.pdx.edu
    signed by key</CN=Puppet CA: zabava.cat.pdx.edu>

/home/nibz/.puppet/ssl/certificate_requests/hunner.pem:
  Certificate request for /CN=hunner having key key</CN=hunner>
    signed by key</CN=hunner>

/home/nibz/.puppet/ssl/certificate_requests/hunner_stahp.pem:
  Certificate request for /CN=hunner_stahp having key key</CN=hunner_stahp>
    signed by key</CN=hunner_stahp>

/home/nibz/.puppet/ssl/certificate_requests/hunner_what_r_u_doin.pem:
  Certificate request for /CN=hunner_what_r_u_doin having key key</CN=hunner_what_r_u_doin>
    signed by key</CN=hunner_what_r_u_doin>

/home/nibz/.puppet/ssl/private_keys/hunner.pem:
  Private key for key</CN=hunner>

/home/nibz/.puppet/ssl/private_keys/hunner_stahp.pem:
  Private key for key</CN=hunner_stahp>

/home/nibz/.puppet/ssl/private_keys/hunner_what_r_u_doin.pem:
  Private key for key</CN=hunner_what_r_u_doin>

/home/nibz/.puppet/ssl/private_keys/maxwell.hsd1.or.comcast.net.pem:
  Private key for key</home/nibz/.puppet/ssl/private_keys/maxwell.hsd1.or.comcast.net.pem>
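As an added example (not puppet's cert_inspector and not part of the original post), here is a small Ruby script in the same spirit: it classifies each PEM file in a Puppet ssl tree, prints subject, issuer and serial, labels every file with a fingerprint of its public key so certs, CSRs and private keys that belong together can be matched up, and also handles the public_keys files the real tool warned about. The certificate material it runs on is constructed inline with a constructed CA name.

```ruby
require 'openssl'
require 'digest'

# Short fingerprint of a public key so certificates, CSRs and private keys
# that belong together can be matched up (like cert_inspector's key<...> labels).
def key_id(pkey)
  Digest::SHA256.hexdigest(pkey.public_key.to_der)[0, 16]
end

# Describe one PEM blob in one line; nil means "could not be interpreted".
def describe_pem(pem)
  digest = ->(k) { key_id(OpenSSL::PKey.read(k)) }
  case pem
  when /BEGIN CERTIFICATE REQUEST/
    req = OpenSSL::X509::Request.new(pem)
    sig = req.verify(req.public_key) ? 'valid' : 'INVALID'
    "Certificate request for #{req.subject}, key #{key_id(req.public_key)}, signature #{sig}"
  when /BEGIN CERTIFICATE/
    cert = OpenSSL::X509::Certificate.new(pem)
    kind = cert.verify(cert.public_key) ? 'self-signed' : "issued by #{cert.issuer}"
    "Certificate for #{cert.subject}, serial #{cert.serial}, #{kind}, " \
      "key #{key_id(cert.public_key)}, expires #{cert.not_after.utc}"
  when /PRIVATE KEY/ then "Private key #{digest.(pem)}"
  when /PUBLIC KEY/  then "Public key #{digest.(pem)}"   # the tool warned on these
  end
end

# Walk a Puppet ssl directory and describe every .pem file it contains.
def inspect_ssl_dir(dir)
  Dir.glob(File.join(dir, '**', '*.pem')).sort.each_with_object({}) do |path, out|
    out[path] = describe_pem(File.read(path)) || 'WARNING: file could not be interpreted'
  end
end

# Constructed sample material standing in for a real ~/.puppet/ssl tree.
def sample_material
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/CN=Puppet CA: example.test')
  ca = OpenSSL::X509::Certificate.new
  ca.version, ca.serial, ca.subject, ca.issuer = 2, 1, name, name
  ca.public_key, ca.not_before, ca.not_after = key.public_key, Time.now, Time.now + 86_400
  ca.sign(key, OpenSSL::Digest.new('SHA256'))
  req = OpenSSL::X509::Request.new
  req.subject, req.public_key = OpenSSL::X509::Name.parse('/CN=agent.test'), key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  { cert: ca.to_pem, csr: req.to_pem, key: key.to_pem, pub: key.public_key.to_pem }
end
```

Point `inspect_ssl_dir` at a real ssl directory to get one line per file; files whose key fingerprint differs from the cert that is supposed to go with them are the ones worth a second look.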

Tuesday, December 9, 2014

Testing Puppet node definitions

Sometimes Puppet node definitions get a little hairy. Here is a quick trick I use to validate them manually. This is inspired by this review.

Given a regex node definition, create a test file called nodedef.pp:

node /^git(-frontend\d+)?\.openstack\.org$/ {
  notify { 'match': }
}

Then run puppet apply against it with --certname="testnode" for a few candidate names and see what happens.

$: puppet apply nodedef.pp 
Error: Could not find default node or by name with 'maxwell.pdx.edu, maxwell.pdx, maxwell' on node maxwell.pdx.edu
Error: Could not find default node or by name with 'maxwell.pdx.edu, maxwell.pdx, maxwell' on node maxwell.pdx.edu
$: puppet apply --certname='git.openstack.org' nodedef.pp  
Notice: Compiled catalog for git.openstack.org in environment production in 0.02 seconds
Notice: match
Notice: /Stage[main]/Main/Node[git-frontendd.openstack.org]/Notify[match]/message: defined 'message' as 'match'
Notice: Finished catalog run in 0.03 seconds
$: puppet apply --certname='git48.openstack.org' nodedef.pp  
Error: Could not find default node or by name with 'git48.openstack.org, git48.openstack, git48, maxwell.pdx.edu, maxwell.pdx, maxwell' on node git48.openstack.org
Error: Could not find default node or by name with 'git48.openstack.org, git48.openstack, git48, maxwell.pdx.edu, maxwell.pdx, maxwell' on node git48.openstack.org
$: puppet apply --certname='git-frontend01.openstack.org' nodedef.pp  
Notice: Compiled catalog for git-frontend01.openstack.org in environment production in 0.02 seconds
Notice: match
Notice: /Stage[main]/Main/Node[git-frontendd.openstack.org]/Notify[match]/message: defined 'message' as 'match'
Notice: Finished catalog run in 0.03 seconds
This gives us the confidence to push this node definition to production without worrying about affecting existing git servers.
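To spot-check many certnames at once before the puppet apply run, here is an added Ruby script (not from the post and not Puppet's own code) that matches each candidate name against the regex in the same order the error output above reveals: the full certname, then each shorter form with a trailing label dropped. The `strict` flag is an assumption modelled on Puppet's strict_hostname_checking setting, which restricts the lookup to the full certname; the puppet apply run remains the authority.

```ruby
# The regex node from nodedef.pp, keyed by a label for the result table.
NODE_DEFS = {
  /^git(-frontend\d+)?\.openstack\.org$/ => 'git-frontend',
}.freeze

# Names Puppet tries for a certname, in order: 'git48.openstack.org',
# 'git48.openstack', 'git48'. With strict: true only the full name is tried
# (mirrors strict_hostname_checking; this model is an assumption, not Puppet's code).
def candidate_names(certname, strict: false)
  labels = certname.downcase.split('.')
  return [labels.join('.')] if strict
  labels.length.downto(1).map { |n| labels.first(n).join('.') }
end

# Label of the first node definition matched by any candidate name, or nil
# when nothing applies (Puppet would then fall back to a default node, if any).
def classify(certname, defs = NODE_DEFS, strict: false)
  candidate_names(certname, strict: strict).each do |name|
    defs.each { |re, label| return label if name =~ re }
  end
  nil
end

# Run a batch of certnames and collect certname => matched label (or nil).
def spot_test(certnames, defs = NODE_DEFS, strict: false)
  certnames.each_with_object({}) { |c, h| h[c] = classify(c, defs, strict: strict) }
end

if __FILE__ == $PROGRAM_NAME
  names = %w[git.openstack.org git48.openstack.org git-frontend01.openstack.org
             git.openstack.org.example.net]
  spot_test(names).each { |c, l| puts "#{c.ljust(32)} -> #{l || 'no match'}" }
end
```

The last name in the batch (a constructed certname with extra trailing labels) matches only because the shortened form git.openstack.org is tried; run it with strict: true to see it fall through.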

Monday, December 8, 2014

#puppethack

#puppethack is the new version of the Puppet triage-a-thon. It is a decentralized hackathon for open source Puppet projects. This year I participated mostly by contributing to the puppetlabs-rabbitmq module. I worked closely with Colleen Murphy of Puppet Labs on this.

When we started there were 31 outstanding pull requests. Now there are only 21.  And five of those have been opened during or after the hackathon.


I am most proud of my beaker testing PR which added beaker (acceptance and integration) testing to the rabbitmq_user, rabbitmq_vhost, and rabbitmq_policy types.

Overall #puppethack was a success and I am glad I participated. I want to thank my employer, HP, for allowing me to participate in the open source ecosystem. I am looking forward to doing it next year!

Sunday, December 7, 2014

Puppet Functions in stdlib

You should read up on the Puppet Functions in puppetlabs/stdlib. Seriously.

If you consider yourself a serious Puppet user, i.e. you use it more than twice a month, you owe it to yourself to read through them. The README has a brief description of the functions that are available. Every time I read through it, I find more useful functions have been added. And with stronger protections for function composability, there is no reason not to use functions all the time, every time.

Even if all you do is learn that the validation functions exist, two lines of code will make your modules more robust and friendlier to their users.

For extra credit check out the puppet-community extlib module which has more functions not deemed cool enough for puppet core.

To eat my own words, I'll now post some functions whose existence I did not know about:

  • chomp
  • chop
  • defined_with_params
  • difference
  • delete_undef_values
  • empty (OMG USEFUL)
  • get_param (this changes eveeeeerything)
  • private
  • reject (duuuuuudeee)
  • squeeze

Happy hacking, fellow Puppeteers!