Sunday, November 22, 2015


This week I attended FOSSETCON in Orlando, Florida. I had the opportunity to meet a number of free/open source software leaders, and they took the opportunity to make me feel very included. Overall I had a great time.

I was able to present twice at this conference, due to a comedy of errors around scheduling. I enjoyed giving both talks immensely and I will be talking again on these subjects I am sure.

On Friday I spoke on Tinc and Consul: Tinc is a private mesh networking tool, which we then overlaid with Consul for service discovery. Using these together is a pet project some personal friends and I have been working on for some time. I was able to focus mostly on the tinc components of our infrastructure. After the talk, I was mobbed by people wanting to use tinc to flatten a network somewhere in their infrastructure. I admit I had not even considered that application! Amusingly my talk made the "news" section of the tinc website. I want to especially thank Ben Kero for stepping up to give this talk and for writing the first draft of the slides. I did a live demo of tinc providing security for NFS, then played fullscreen video over NFS over the internet on conference wifi! I had an Awesome Audience!

My slides can be viewed at:
And the source to generate them can be found at:
And if you don't like speakerdeck the raw pdf is here:

On Saturday I spoke on OpenStack. This was a talk I inherited from Monty Taylor, who couldn't be there due to a scheduling conflict. I spoke on how OpenStack is a functioning platform and that the success of the Infra project is evidence of that. I then talked about the rougher spots in OpenStack right now, particularly in abstractions that leak deployment details. I then introduced the OpenStack Client-Config and Shade efforts as a way to ameliorate that.

The source to generate my slides can be found at:
The canonical version that Monty gave and I edited slightly is viewable at:
A video of Monty giving the talk about six months ago:

Of the talks I saw at FOSSETCON two stand out to me. The first was the introduction and demo of Oh My Vagrant by James (just James). In this talk, James took us through Vagrant (sneakily running through libvirt instead of virtualbox) into docker and then all the way to kubernetes. James did lose some people along this lightning ride but for those of us that kept up it was quite enjoyable and informative.

The second talk I enjoyed was Marina Zhurakhinskaya's talk on diversity at the closing keynote. She had some concrete advice and I took a couple key items away from her talk that I will be applying to the communities I have influence in. The most surprising tip to me (but not really once you think about it) was the need for there to be a room for new mothers at conferences. If we require (by law) for companies to provide this resource, it makes sense to make an effort to provide it at a conference with hundreds of attendees. The slides from Marina's talk can be found here.

Overall FOSSETCON was a great conf. I met so many new people, and I connected with people like Deb Nicholson that I had met before but never gotten to know well. I would definitely compare it to SeaGL on the west coast. It has the same low-budget, high-community, minimal-corporate feel that makes it ok to talk about free software without a direct application to business needs. At the conf I got turned on to SELF which I plan to apply to soon.

I strongly recommend you attend FOSSETCON 2016 if you are in the central Florida area next November.

Friday, August 21, 2015

Upgrading to Puppetlabs-Apt 2.0

The Puppetlabs Apt module went through a major change earlier this year. It crossed a semver boundary and released as 2.0. This is one of the only cases we've had as a community where a core module has moved over a major version. The initial reaction to Apt 2.0 was everyone quickly pinning their modules to use < 2.0. Morgan, Daenney and the puppetlabs modules team quickly pushed out a 2.1.0 release which is backwards compatible with some core functionality inside the Apt module. It is important to note that not everything is backwards compatible, only a few things.

At OpenStack-Infra, we wanted to use the latest version of bfraser's grafana module but it requires apt >= 2.0. Paul spun up a change to our main repository and then several more changes to move to the new syntax. Here is an example.

Why does this work? Because apt::key was added back in 2.1.0 to be compatible with older apt versions. See the warning that it will generate here. Because of this, you can upgrade apt in place safely, provided you are not using the gnarlier parts of the old Apt module. Notably the unattended-upgrades subsection has been moved out into its own module.

I encourage those of you running an infrastructure to follow our lead and upgrade your Apt module. I encourage those of you maintaining and releasing modules to bump your minimum version of Apt to >= 2.1. I believe there is a requirement for some velocity in this. If we wait too long, too many new users of Puppet will be caught across a schism of the apt module. That is, unless everyone just runs RedHat anyways.

Monday, August 10, 2015

Just What Is OpenStack Infra?

I work for HP doing two things. By day I work inside the HP firewall setting up and running a CI system for testing HP's OpenStack technology. We call this system Gozer. (By the way we are hiring). By night I work upstream (in the Open Source world) with the OpenStack Infrastructure Team setting up and running a CI system for OpenStack developers.

This blog post concerns my work upstream.

One of my chief initiatives since joining the team two years ago is to make the Puppet codebase used by infra more in-line with standards, more reusable, and generally better. I have never attempted to use infra as a testbed for experimental uses of Puppet, I've always tried to apply the best practices known in the community. Of course there are exceptions to this (see all the Ansible stuff). This initiative is codified in a few different specifications accepted by the team (you don't need to read these):

One mark of the success of this ongoing initiative is that I am now in a place where I am recommending parts of our code to other people in my community. Those are the people for whom I intend this blog post. Someone sees a neat part of the Puppet OpenStack 'stuff' and wants to use it, but it needs a patch or a use case covered. This blog post is supposed to provide a high level overview of what we do, who 'we' are, and the bigger pieces and how they interact with each other. We'll start with a long series of names and definitions.

Naming things is hard

So what is OpenStack? OpenStack is an Open Source software collection based around providing cloud software. The OpenStack Foundation is a nonprofit organization that provides centralized resources to support the effort, this comes in both technical (sysadmins) and other forms (legal, conference organizing, etc). OpenStack is made up of many components, the simplest is that 'nova' provides a compute layer to the cloud i.e. kvm or xen management.

OpenStack can be installed with Puppet. The Puppet code that does this is called "OpenStack Puppet Modules." These modules install OpenStack services such as nova, glance, and cinder. Their source code is available by searching for openstack/puppet-*. The team that develops this code is called the OpenStack Puppet Module Team. This team uploads to the forge under the namespaces 'openstack' or 'stackforge.'

I do not work with these modules on a daily basis.

I work with the OpenStack Infrastructure Team. This team deploys and maintains the CI system used by OpenStack upstream developers. We have our own set of Puppet modules that are completely unrelated to the OpenStack Puppet Modules. Their source code can be found by searching for openstack-infra/puppet-*. These modules are uploaded under the forge namespaces 'openstackci' and 'openstackinfra.' We use these modules to deploy services like Gerrit, Jenkins, and Drupal. We also have a number of utility modules useful for generic Linux administration. We have Precise, Trusty, CentOS 6, and various Fedora flavors in our infrastructure, so our modules often have good cross-platform support.

Central Nexus

All the openstack-infra/puppet-* modules are consumed from master by our 'central nexus' repository: system-config. System-config uses a second repository for flat files: project-config. System-config contains node definitions, public hiera data (soon), a few utility scripts, a modules.env file, and a single module, called 'openstack_project', to stick 'roles' in. The more 'core' roles in openstack_project call out to another repo called puppet-openstackci. The secrets are stored in a hiera directory that is not public.

Crude Drawing

The crude drawing above shows a typical flow. A node definition lives in site.pp, which includes a role class from openstack_project, which includes a role class from the openstackci module, which then uses resources and classes from the other modules, in this case puppet-iptables.

There are other code paths too. Sometimes, often in fact, an openstack_project role will include openstack_project::server or openstack_project::template, these classes wrap up most of the 'basics' of linux administration. Template or server will go on to include more resources.

There are multiple places to integrate here. At the most basic, a Puppet user could include our puppet-iptables module in their modulepath and start using it. An individual who wants a jenkins server or another server like ours could use openstackci and its dependencies and write their own openstack_project wrapper classes to include openstackci classes.

We do not encourage site.pp or openstack_project classes to be extended at this time, we instead encourage features or compatibility extensions to be put into openstackci or the service-specific modules themselves. This is a work in progress and some important logic still lives in openstack_project and should be moved out. A stretch-goal is to move to a place where all of openstack infra runs out of openstackci, providing only a hiera yaml file to set parameters.

Continuous Deployment

A note about modules.env: OpenStack-infra has a modules.env file instead of a Puppetfile. This file contains the location, name, and ref of git repositories to put inside the modulepath on the Puppetmaster. OpenStack infra deploys all of its own Puppet modules from master, so any change to any module can break the whole system. We counteract this danger by having lots of testing and code review before any change goes through.
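If you adopt this pattern in your own infrastructure without the testing and review pipeline described above, the check you want is that nothing the puppetmaster checks out can move underneath you. The following is an added example, not code from system-config: a small POSIX shell audit that reads a constructed list of "git url ref" pairs (a stand-in for the modules.env format, not its real syntax) and refuses to pass when any entry floats on a branch rather than a tag or a full commit id.

```shell
#!/bin/sh
# Added example, not code from system-config: audit module checkouts for refs
# that float.  Input is "<git url> <ref>" per line, a constructed stand-in for
# the modules.env format, not its real syntax.
set -eu

# True when REF cannot move: a full 40-hex commit id or a version tag such
# as 2.1.0 / v1.8.0.  Branch names (master, origin/master) resolve to
# whatever was merged last, so a puppetmaster checking them out deploys
# history nobody on your side reviewed.
is_pinned_ref() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{40}|v?[0-9]+(\.[0-9]+){1,2})$'
}

# audit_module_refs FILE: print every floating entry; exit 1 if any exist so
# the call can gate a deploy ("audit_module_refs modules.list || exit 1").
audit_module_refs() {
  floating=0
  while read -r url ref || [ -n "$url" ]; do
    case "$url" in ''|'#'*) continue ;; esac      # blank lines and comments
    if ! is_pinned_ref "$ref"; then
      printf 'unpinned: %s @ %s\n' "$url" "$ref"
      floating=1
    fi
  done < "$1"
  return "$floating"
}

# Demo on a constructed list (URLs and refs are illustrative).
list=$(mktemp)
cat > "$list" <<'EOF'
# constructed sample
https://git.openstack.org/openstack-infra/puppet-iptables origin/master
https://github.com/puppetlabs/puppetlabs-apt 2.1.0
https://github.com/puppetlabs/puppetlabs-stdlib 4d4b2d97d2b4e1d5d6a3c0b5b8bdb0f1ed51eaf3
EOF
audit_module_refs "$list" || echo "refusing to deploy: unpinned modules listed above"
```

A tag is only slightly better than a branch, since anyone with push access can re-point it; the commit id is the real pin, and a signed tag you verify with git tag -v is the next best thing.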

A note about project-config: One of the patterns we use in OpenStack Infra is to push our configuration into flat files as much as possible. We have one repository, project-config, which holds files that control the behaviour of our services, Puppet's job is only to copy files out of the repo and into the correct location. This makes it easier for people to find these often-changed files, and means we can provide more people access to merge code there than we would with our system-config repository.

A note about puppet agent: We run puppet-agent, but it is fired from the Puppetmaster by an ansible run. We hope to move to puppet apply triggered by ansible soon.

The part where I give you things

There are two modules right now that you might be interested in using yourself. The first is our puppet-httpd module. This module was forked from puppetlabs-apache at version 0.0.4. It has seen some minor improvements from us but nothing major, other than a name change from 'apache' to 'httpd'. You can see why we forked in the Readme of the project but the kicker is that this module allows you to use raw 'myhost.vhost.erb' templates with apache. You no longer need to know how to translate the apache syntax you want into puppetlabs-apache parameters. Let's see what this looks like:

# ************************************
# Managed by Puppet
# ************************************

NameVirtualHost <%= @vhost_name %>:<%= @port %>
<VirtualHost <%= @vhost_name %>:<%= @port %>>
  ServerName <%= @srvname %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
<% elsif @serveraliases != '' -%>
<%= " ServerAlias #{@serveraliases}" %>
<% end -%>
  DocumentRoot <%= @docroot %>

  Alias /bugday /srv/static/bugdaystats
  <Directory /srv/static/bugdaystats>
      AllowOverride None
      Order allow,deny
      allow from all
  </Directory>

  Alias /reviews /srv/static/reviewday
  <Directory /srv/static/reviewday>
      AllowOverride None
      Order allow,deny
      allow from all
  </Directory>

  Alias /release /srv/static/release

  <Directory <%= @docroot %>>
    Options <%= @options %>
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>

  # Sample elastic-recheck config file, adjust prefixes
  # per your local configuration. Because these are nested
  # we need the more specific one first.
  Alias /elastic-recheck/data /var/lib/elastic-recheck
  <Directory /var/lib/elastic-recheck>
      AllowOverride None
      Order allow,deny
      allow from all
  </Directory>

  RedirectMatch permanent ^/rechecks(.*) /elastic-recheck
  Alias /elastic-recheck /usr/local/share/elastic-recheck
  <Directory /usr/local/share/elastic-recheck>
      AllowOverride None
      Order allow,deny
      allow from all
  </Directory>

  ErrorLog /var/log/apache2/<%= @name %>_error.log
  LogLevel warn
  CustomLog /var/log/apache2/<%= @name %>_access.log combined
  ServerSignature Off
</VirtualHost>

::httpd::vhost { '':   # the vhost title is missing from the page
  port     => 80,
  priority => '50',
  docroot  => '/srv/static/status',
  template => 'openstack_project/status.vhost.erb',
  require  => File['/srv/static/status'],
}


If you don't need a vhost and just want to serve a directory, you can:

::httpd::vhost { '':   # the vhost title is missing from the page
  port     => 80,
  priority => '50',
  docroot  => '/srv/static/tarballs',
  require  => File['/srv/static/tarballs'],
}


The second is puppet-iptables, which provides the ability to spit direct iptables rules into a Puppet class and have those rules set. You can also specify the ports to open up. Again this is an example of weak modeling. Concat resources around specific rules are coming soon in this change. Let's see what using the iptables module looks like:

class { '::iptables':
  public_tcp_ports => ['80', '443', '8080'],
  public_udp_ports => ['2003'],
  # the source address after -s is missing from the page
  rules4           => ['-m state --state NEW -m tcp -p tcp --dport 8888 -s -j ACCEPT'],
  rules6           => ['-m state --state NEW -m tcp -p tcp --dport 8888 -s -j ACCEPT'],
}

This enables you to manage iptables the way you view iptables. It is easy to debug, easy to reason about, and extensible. We think it provides a significant advantage over the puppetlabs-firewall module. Unfortunately, the puppet-iptables module currently is hardcoded to open up certain openstack hosts, that should be fixed very soon (possibly by you!). Both of these modules try to be as simple as possible.

Getting these modules right now is done through git. If you don't want to ride the 'master' train with us, you can hop in #openstack-infra on freenode and ask for a tag to be created at the revision you need. We're working on getting forge publishing in to the pipeline, it's not a priority for us right now but if you need it you can ask for it and we can see about increasing focus there.

There are two generic modules that advance the puppet ecosystem coming out of OpenStack Infra and we hope there will be more to come. If you'd like to help us develop these modules we'd love the help. You can start learning how to contribute to OpenStack here.

Saturday, August 1, 2015

Inspecting Puppet Module Metadata

Last week at #puppethack, @hunner helped me land a patch to stdlib to add a load_module_metadata function. This function came out of several Puppet module triage sessions and a patch from @raphink inspired by a conversation with @hirojin.

The load_module_metadata function is available in master of puppetlabs-stdlib, hopefully it will be wrapped up into one of the later 4.x releases, but will almost certainly make it into 5.x.

On its own this function doesn't do much, but it is composable. Let's see some basic usage:

$: cat metadata.pp

$metadata = load_module_metadata('stdlib')

notify { $metadata['name']: }

$: puppet apply --modulepath=modules metadata.pp
Notice: Compiled catalog for hertz in environment production in 0.03 seconds
Notice: puppetlabs-stdlib
Notice: /Stage[main]/Main/Notify[puppetlabs-stdlib]/message: defined 'message' as 'puppetlabs-stdlib'
Notice: Finished catalog run in 0.03 seconds

As you can see this isn't the most amazing thing ever. However access to that information is very useful in the following case:

$apache_metadata = load_module_metadata('apache')

# Branch on which implementation of the 'apache' module is in the modulepath.
case $apache_metadata['name'] {
  'puppetlabs-apache': {
    # invoke apache as required by puppetlabs-apache
  }
  'example42-apache': {
    # invoke apache as required by example42-apache
  }
  default: {
    fail("Apache module author not recognized, please add it here")
  }
}
This is an example of Puppet code that can inspect the libraries loaded in the modulepath, then make intelligent decisions about how to use them. This means that module authors can support multiple versions of 'library' modules and not force their users into one or the other.

This is a real problem in Puppet right now. For every 'core' module there are multiple implementations, with the same name. Apache, nginx, mysql, archive, wget, the list goes on. Part of this is a failure of the community to band behind a single module, but we can't waste time finger pointing now. The cat is out of the bag and we have to deal with it.

We've had metadata.json and dependencies for a while now. However, due to the imperfections of the puppet module tool, most advanced users do not depend on dependency resolution from metadata.json. At my work we simply clone every module we need from git; users of r10k do much the same.

load_module_metadata enables modules to enforce that their dependencies are being met. Simply put a stanza like this in params.pp:

$unattended_upgrades_metadata = load_module_metadata('unattended_upgrades')
$healthcheck_metadata = load_module_metadata('healthcheck')

# versioncmp returns a negative number when the first version is lower.
if versioncmp($healthcheck_metadata['version'], '0.0.1') < 0 {
  fail("Puppet-healthcheck is too old to work")
}
if versioncmp($unattended_upgrades_metadata['version'], '2.0.0') < 0 {
  fail("Puppet-unattended_upgrades is too old to work")
}

As we already saw, modules can express dependencies on specific implementations and versions. They can also inspect the version available and use that. This is extremely useful when building a module that depends on another module, and that module is crossing a semver major version boundary. In the past, in the OpenStack modules, we passed a parameter called 'mysql_module_version' to each class which allowed that class to use the correct invocation of the mysql module. Now classes anywhere in your puppet code base can inspect the mysql module directly and determine which invocation syntax to use.

$mysql_metadata = load_module_metadata('mysql')

# Anything below 3.0.0 (2.0.0, 2.3.1, ...) takes the 2.x syntax.
if versioncmp($mysql_metadata['version'], '3.0.0') < 0 {
  # Use mysql 2.0 syntax
} else {
  # Use mysql 3.0 syntax
}

Modules can even open up their own metadata.json, and while it is clunky, it is possible to dynamically assert that dependencies are available and in the correct versions.

I'm excited to see what other tricks people can do with this. I'm anticipating it will make collaboration easier, upgrades easier, and make Puppet runs even safer. If you come up with a neat trick, please share it with the community and ping me on twitter (@nibalizer) or IRC: nibalizer.

Sunday, May 10, 2015

Managing patchset stacks with git-review

In OpenStack, we use gerrit and git-review to propose changes to the repository. The workflow for that is pretty complicated, and downright confusing if you are coming from the github workflow.

One of the places where it gets hard/complicated/annoying to use our workflow is if you have multiple dependent changes. I have a technique I use, that I will present below.

The situation: You have two patches in a stack. There is a bug in the first patchset that you need to fix.

The simple play: Checkout the patchset with 'git review -d <review number>', amend and git-review. The problem with this is that now you need to go rebase all dependent patchsets against this new review. Sometimes you can get away with using the 'rebase' button but sometimes you cannot.

What I do: I use 'git rebase -i HEAD~2' and use 'edit' to change the commit that needs to be changed, rebase goes ahead and auto-rebases everything above it (pausing if needed for me to fix things), then I can 'git review' and it will update all the patchsets that need to be changed.

This approach works for any sized stack, but using it on a two-stack is the simplest example that works.

The git log before we start:

commit e394aba4321f6d30131793e69a4f14b011ce5560
Author: Spencer Krum <>
Date:   Wed May 6 15:43:27 2015 -0700

    Move afs servers to using o_p::template
    This is part of a multi-stage process to merge o_p::server and
    Change-Id: I3bd3242a26fe701741a7784ae4e10e4183be17cf

commit 3e592608b4d369576b88793377151b7bfaacd872
Author: Spencer Krum <>
Date:   Wed May 6 15:38:23 2015 -0700

    Add the ability for template to manage exim
    Managing exim is the one thing sever can do that template cannot.
    This is part of a multi stage process for merging server and template.
    Change-Id: I354da6b5d489669b6a2fb4ae4a4a64c2d363b758

Note that we have two commits and they depend on each other. The bug is in 3e592608b4d369576b88793377151b7bfaacd872. We start the interactive rebase below, first with a vim session then with output on the command line. The vim session:

$ git rebase -i HEAD~2

e 3e59260 Add the ability for template to manage exim
pick e394aba Move afs servers to using o_p::template

# Rebase af02d02..e394aba onto af02d02
#
# Commands:
#  p, pick = use commit
#  r, reword = use commit, but edit the commit message
#  e, edit = use commit, but stop for amending
#  s, squash = use commit, but meld into previous commit
#  f, fixup = like "squash", but discard this commit's log message
#  x, exec = run command (the rest of the line) using shell
#
# These lines can be re-ordered; they are executed from top to bottom.
#
# If you remove a line here THAT COMMIT WILL BE LOST.
#
# However, if you remove everything, the rebase will be aborted.
#
# Note that empty commits are commented out

Note that the 'top' commit in the rebase view is the 'bottom' commit in the git log view, because git is stupid. We change the 'pick' to 'e' for 'edit' meaning stop at that point for amending. And the shell output:

Stopped at 3e592608b4d369576b88793377151b7bfaacd872... Add the ability for template to manage exim

You can amend the commit now, with

  git commit --amend

Once you are satisfied with your changes, run

  git rebase --continue

 (master|REBASE-i 1/2)$: git st
rebase in progress; onto af02d02
You are currently editing a commit while rebasing branch 'master' on 'af02d02'.

  (use "git commit --amend" to amend the current commit)
  (use "git rebase --continue" once you are satisfied with your changes)

nothing to commit, working directory clean

Then we make changes to modules/openstack_project/manifests/template.pp (not shown) and continue the rebase:

 (master *|REBASE-i 1/2)$: git st
rebase in progress; onto af02d02

You are currently editing a commit while rebasing branch 'master' on 'af02d02'.

  (use "git commit --amend" to amend the current commit)
  (use "git rebase --continue" once you are satisfied with your changes)
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)
  modified:   modules/openstack_project/manifests/template.pp
no changes added to commit (use "git add" and/or "git commit -a")
 (master *|REBASE-i 1/2)$: git add modules/openstack_project/manifests/template.pp
 (master +|REBASE-i 1/2)$: git rebase --continue
[detached HEAD 6ca26e9] Add the ability for template to manage exim
 1 file changed, 7 insertions(+)
Successfully rebased and updated refs/heads/master.

Then we publish our changes with git-review:
(master u+2)$: git review

You are about to submit multiple commits. This is expected if you are
submitting a commit that is dependent on one or more in-review
commits. Otherwise you should consider squashing your changes into one
commit before submitting.

The outstanding commits are:

2bc78a8 (HEAD, master) Move afs servers to using o_p::template
6ca26e9 Add the ability for template to manage exim

Do you really want to submit the above commits?
Type 'yes' to confirm, other to cancel: yes

remote: Resolving deltas: 100% (4/4)
remote: Processing changes: updated: 2, refs: 2, done    
To ssh://
 * [new branch]      HEAD -> refs/publish/master

With that we have changed a commit deep in the stack, rebased any commits above it, and published our changes to the gerrit server.
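The same fix, scripted end to end in a throwaway repository so the steps above can be rehearsed or put in a test without an editor. This is an added example and not part of the original post: the repository contents, commit messages and Change-Id values are constructed, and GIT_SEQUENCE_EDITOR stands in for the vim session. The check that matters for gerrit is at the end: both Change-Id trailers survive the rewrite, which is what lets git-review update the existing reviews instead of opening new ones.

```shell
#!/bin/sh
# Added example, not from the original post: fix the bottom commit of a
# two-commit stack non-interactively.  Files, messages and Change-Ids are
# constructed.
set -eu

GIT='git -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false -c init.defaultBranch=master'
export GIT_EDITOR=true   # commit messages are supplied on the command line

# Build base commit + two dependent commits.  Gerrit keys a review on the
# Change-Id trailer, so the trailers must survive the rewrite untouched.
make_stack() (
  work=$(mktemp -d)
  mkdir "$work/repo" && cd "$work/repo"
  $GIT init -q
  printf 'class openstack_project::template {\n}\n' > template.pp
  $GIT add template.pp
  $GIT commit -q -m 'Base'
  printf 'class openstack_project::template {\n  # exim goes here\n}\n' > template.pp
  $GIT commit -q -am 'Add the ability for template to manage exim

Change-Id: I0000000000000000000000000000000000000001'
  printf 'include openstack_project::template\n' > afs.pp
  $GIT add afs.pp
  $GIT commit -q -m 'Move afs servers to using o_p::template

Change-Id: I0000000000000000000000000000000000000002'
  printf '%s\n' "$work"
)

# Stop the rebase at the oldest commit, amend it, let git replay the rest.
# GIT_SEQUENCE_EDITOR replaces the editor session in the post: it turns the
# first "pick" line of the todo list into "edit".
fix_bottom_commit() (
  work=$1
  cat > "$work/mark-first-edit" <<'EOF'
sed -e '1s/^pick/edit/' "$1" > "$1.new" && mv "$1.new" "$1"
EOF
  cd "$work/repo"
  GIT_SEQUENCE_EDITOR="sh $work/mark-first-edit" $GIT rebase -i HEAD~2
  # HEAD is now the exim commit; make the fix and fold it into that commit.
  printf 'class openstack_project::template {\n  package { "exim4": ensure => present }\n}\n' > template.pp
  $GIT commit -q -a --amend --no-edit
  $GIT rebase --continue
)

work=$(make_stack)
fix_bottom_commit "$work"
git -C "$work/repo" log --oneline     # both commits get new ids, same order
```

After this, git review would push both rewritten commits, exactly as in the transcript above; git-review matches them to the open reviews by Change-Id, not by commit id.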

Overview of Puppet in OpenStack Infra

Last week I gave this presentation at the PDX Puppet Users group. It is an overview of how we use Puppet in the OpenStack Infra project. There is no video or audio recording.


Friday, March 6, 2015

Checking out Servo

Servo is an experimental web browser from Mozilla. It was the impetus and driver for early development of the Rust language. I'm excited to ditch firefox because of its performance issues and I don't want to run google anything these days. Blogging on blogger, I know.

I got it built from the instructions on the github, here are some screencaps of what it can do.

Sunday, February 15, 2015

EFI boot on HP EliteBook 840

After entirely too long with my HP EliteBook 840, I have made it boot successfully without human interaction. After installing ubuntu my typical power-on process looked like this:

  •  Power button
  •  Computer tries and fails to boot, dumping to diagnostics
  •  Power button
  •  Interrupt boot process at the right time with f-9
  •  Select 'boot from efi file'
  •  Select a disk
  •  Drill into the filesystem and select 'shimx64.efi'
This was super annoying. I finally got fed up and went exploring settings. There is a section in settings for setting a custom efi path. The interface is a bit derpy, but it's eventually possible to get to a text input box.

I put in my text box:  

At this point, I saved and rebooted. The machine was able to come up into ubuntu with no human intervention. My next work is to enable the 'Custom Logo at boot' component.

Wednesday, February 11, 2015

Rocket: First steps

Rocket is a container runtime for CoreOS. In this post we will do some basic tasks with Rocket: installing it, creating an ACI, publishing that ACI to OpenStack Swift, and pulling it down.

tar xzvf rocket-v0.3.1.tar.gz
cd rocket-v0.3.1
./rkt help
I moved 'rkt' and 'stage1.aci' to ~/bin for ease of use.

We also need actool:

derp@myrkt:~$ git clone
Cloning into 'spec'...
remote: Counting objects: 1604, done.
remote: Compressing objects: 100% (20/20), done.
Receiving objects: 100% (1604/1604), 614.19 KiB | 0 bytes/s, done.
remote: Total 1604 (delta 7), reused 1 (delta 0)
Resolving deltas: 100% (924/924), done.
Checking connectivity... done.
derp@myrkt:~$ cd spec/
derp@myrkt:~/spec$ ls
ace  aci  actool  build  DCO  discovery  examples  Godeps  LICENSE  pkg  schema  test  VERSION
derp@myrkt:~/spec$ ./build 
Building actool...
go linux/amd64 not bootstrapped, not building ACE validator
derp@myrkt:~/spec$ ls bin/actool 
derp@myrkt:~/spec$ ./bin/actool -h
Usage of actool:
  -debug=false: Print verbose (debug) output
  -help=false: Print usage information and exit 
Now we need a simple Go application:
package main

import (
    "log"
    "net/http"
)

func main() {
    // Log the peer address of every request; port 5000 is the one the
    // manifest below exposes as "www".
    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        log.Printf("OHAIDER: request from %v\n", r.RemoteAddr)
    })
    log.Fatal(http.ListenAndServe(":5000", nil))
}
And a manifest.json file (the exec entry, the path of the binary inside the image, is missing from the page; note also that app.user and app.group are root here, which a service that only listens on a port does not need):
{
    "acKind": "ImageManifest",
    "acVersion": "0.2.0",
    "name": "nializer/daemon",
    "labels": [
        { "name": "version", "value": "1.0.0" },
        { "name": "arch", "value": "amd64" },
        { "name": "os", "value": "linux" }
    ],
    "app": {
        "user": "root",
        "group": "root",
        "exec": [],
        "ports": [
            { "name": "www", "protocol": "tcp", "port": 5000 }
        ]
    },
    "annotations": [
        { "name": "authors", "value": "Kelsey Hightower , Spencer Krum " },
        { "name": "created", "value": "2014-10-27T19:32:27.67021798Z" }
    ]
}
And a file structure:
root@myrkt:~/app# find daemon-layout/
Then we can build(and verify) this image:
root@myrkt:~/app# find daemon-layout/
root@myrkt:~/app# actool build daemon-layout/ daemon-static.aci
root@myrkt:~/app# actool --debug validate daemon-static.aci 
daemon-static.aci: valid app container image 
Then we can run the image (this doesn't work):
root@myrkt:~/app# rkt run daemon-static.aci
/etc/localtime is not a symlink, not updating container timezone.
Error: Unable to open "/lib64/": No such file or directory
Sending SIGTERM to remaining processes...
Sending SIGKILL to remaining processes...
Unmounting file systems.
Unmounting /proc/sys/kernel/random/boot_id.
All filesystems unmounted.
Halting system. 
The issue is that our go binary is not statically compiled:
root@myrkt:~/app# ldd daemon
         =>  (0x00007fff2d2cd000)
         => /usr/lib/x86_64-linux-gnu/ (0x00007ff809e45000)
         => /lib/x86_64-linux-gnu/ (0x00007ff809c2f000)
         => /lib/x86_64-linux-gnu/ (0x00007ff809868000)
        /lib64/ (0x00007ff80aca3000)
         => /lib/x86_64-linux-gnu/ (0x00007ff80964a000)
         => /lib/x86_64-linux-gnu/ (0x00007ff809344000)
But this is okay because we can just add these files (plus a few more) to our ACI:
root@myrkt:~/app# find daemon-layout/
Now we can re-build, verify, run:
root@myrkt:~/app# actool build --overwrite  daemon-layout/ daemon.aci                                                                                          
root@myrkt:~/app# actool --debug validate daemon.aci                                                                                                           
daemon.aci: valid app container image
root@myrkt:~/app# du -sh daemon.aci
5.6M    daemon.aci
root@myrkt:~/app# rkt run daemon.aci
/etc/localtime is not a symlink, not updating container timezone.
2015/02/11 13:32:58 OHAIDER: request from

This means everything is working. You can exit by pressing ^] three times.
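The "add these files to our ACI" step, as a script rather than by hand. This is an added example and not from the original post: it parses ldd output and copies each listed shared object, plus the ELF interpreter, into daemon-layout/rootfs at the same absolute path, which is what the loader inside the container resolves. The ldd output embedded in the demo is constructed to match the shape of the output above; the library names are assumed, since the page does not show them, and a fake source root is used so the demo runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: collect the shared objects a
# dynamically linked binary needs (from ldd output) and stage them into an
# ACI rootfs layout at the paths the loader will look for.
set -eu

# Print the absolute path of every shared object and the ELF interpreter
# named in ldd output read from stdin.  The vDSO line has no path after
# "=>" and is skipped.
libs_from_ldd() {
  awk '
    $2 == "=>" && $3 ~ /^\// { print $3; next }   # libc.so.6 => /lib/.../libc.so.6 (0x...)
    $1 ~ /^\//               { print $1 }         # /lib64/ld-linux-x86-64.so.2 (0x...)
  '
}

# stage_libs LDD_OUTPUT_FILE SRCROOT LAYOUT
# Copy each listed path from SRCROOT into LAYOUT/rootfs, keeping the directory
# structure.  cp follows symlinks, so the real library lands under the name
# the binary asks for (libc.so.6 rather than libc-2.19.so).
stage_libs() {
  lddfile=$1; srcroot=$2; layout=$3
  libs_from_ldd < "$lddfile" | while IFS= read -r lib; do
    mkdir -p "$layout/rootfs$(dirname "$lib")"
    cp "$srcroot$lib" "$layout/rootfs$lib"
  done
}

# Demo on constructed ldd output (library names assumed; the page does not
# show them) against a fake source root so it runs offline.  On a real host
# use SRCROOT=/ and the output of `ldd daemon`.
demo=$(mktemp -d)
cat > "$demo/ldd.txt" <<'EOF'
	linux-vdso.so.1 =>  (0x00007fff2d2cd000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007ff809e45000)
	/lib64/ld-linux-x86-64.so.2 (0x00007ff80aca3000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff809344000)
EOF
for p in /lib/x86_64-linux-gnu/libpthread.so.0 /lib64/ld-linux-x86-64.so.2 /lib/x86_64-linux-gnu/libc.so.6; do
  mkdir -p "$demo/src$(dirname "$p")" && printf 'fake %s\n' "$p" > "$demo/src$p"
done
stage_libs "$demo/ldd.txt" "$demo/src" "$demo/daemon-layout"
find "$demo/daemon-layout" -type f
```

Copying the host's libc into every image is also what a static build avoids: CGO_ENABLED=0 go build produces a Go binary with no interpreter line at all, and then the ACI holds nothing but your program.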

We can then post the daemon file to swift, using the tempurl system from a previous post. Then using a tiny url service, we can run the aci from the network:

root@myrkt:~/app# rkt fetch
rkt: fetching image from
Downloading aci: [============================================ ] 5.81 MB/5.84 MB
Downloading signature from
root@myrkt:~/app# rkt run nibz_daemon
rkt only supports http or https URLs (nibz_daemon)
root@myrkt:~/app# rkt run
rkt: fetching image from
Downloading aci: [=====================================        ] 4.89 MB/5.84 MB
Downloading signature from
Okay, so that didn't work. Maybe later on I will figure that part out. I am particularly excited to use the swift meta tags to add the security meta tags used by rocket for collecting signatures.

Rocket: Containers without Docker

Rocket is a container runtime from CoreOS. It is a response to Docker's feature creep. Simultaneously with Rocket, the CoreOS team released the App Container Spec, a specification of the image format consumed by a container runtime. Multiple container runtimes could then be written and could all consume the same images. In this post I will talk about my experience with it and what I like and don't like so far. Note that I don't have a ton of experience with this tool at this point.

There are a couple of things inside the app container spec/rocket ecosystem that are just fantastic (actually I'm pumped about basically the whole thing):

Security is a first class concern

Rocket uses gpg to verify the authenticity of App Container Images (ACI). It does this by allowing the administrator to trust keys; containers signed by those keys are then trusted. Rocket maintains its own keyring with trust levels. This borrows from the techniques used to secure Linux packaging. Rocket/ACI also use sha512sums to uniquely identify ACIs.

Built on core unix utilities

The main operations (actually all operations) involved in creating, signing, verifying, and sharing ACIs are composed out of the standard unix utilities: tar, gpg, gzip. Any helper utilities just serialize these functions. actool is one such utility. This keeps ACIs simple, doesn't tie anyone to custom tooling, and increases debugability and hackability. Particularly in the signing and verification components, this means no one has to trust CoreOS or anyone else.

Emphasis on pushing exactly what you want into the container

With ACI, you copy the files you want into the container and stop there. This encourages small images, and encourages administrators to know exactly what is going in their images.

Networking just works

No crazy -p port:port:ipaddress nonsense, you specify the listen port in the configuration file, boom done. Listens on all interfaces.

Configuration file makes sense, extendable

When you build an ACI, you bake a manifest.json into it. This is a configuration file with a combination of runtime settings and overall metadata. I am already comparing and contrasting with Puppet's metadata.json. Both of these files contain basic metadata such as authorship information. And both are young formats with tooling and use still growing up. JSON's schemalessness allows users and devs to rapidly prototype and try out new information and structures in these files.

Http is used as the primary transport. ACIs are simple files. These ACIs can be pushed into webservers or s3 and pulled out with wget or the rocket utility itself.
This is a massive improvement over the current docker-hub situation. Rocket has some rudimentary support for inferring github http locations from names such as ''

Sunday, February 8, 2015

OpenStack Swift on HP Cloud

OpenStack Swift is the Object Storage component of OpenStack. It is roughly analogous to Amazon S3. HP Cloud (full disclaimer: I work at hp and get cloud resources for free) has an Object Storage component. This post will be about getting basic functionality out of it.

A very long document on HP's object storage can be found here. Reading as much of it as I have has permanently damaged my soul, so I am posting here to share my story, hopefully you won't have to spend so much time kicking it.

Usually when doing things on HP Cloud's OpenStack services I just poke around the command line utilities until I am happy. Let's look at basic tooling with the python-swiftclient tool:

Check deps:

$: pip install -U python-swiftclient
Requirement already up-to-date: python-swiftclient in /disk/blob/nibz/corepip/lib/python2.7/site-packages
Requirement already up-to-date: six>=1.5.2 in /disk/blob/nibz/corepip/lib/python2.7/site-packages (from python-swiftclient)
Requirement already up-to-date: futures>=2.1.3 in /disk/blob/nibz/corepip/lib/python2.7/site-packages (from python-swiftclient)
Requirement already up-to-date: requests>=1.1 in /disk/blob/nibz/corepip/lib/python2.7/site-packages (from python-swiftclient)
Requirement already up-to-date: simplejson>=2.0.9 in /disk/blob/nibz/corepip/lib/python2.7/site-packages (from python-swiftclient)

Check creds:

$: [ -z $OS_PASSWORD ] && echo set password
$: [ -z $OS_TENANT_NAME ] && echo set tenant name
$: echo $OS_AUTH_URL

With that set, we can use the swift command line client to upload, list, download, and delete files. All swift objects are put in containers, the equivalent of s3 buckets.

$: swift list craigslist
$: swift upload craigslist r61e.jpg
$: swift download craigslist x200t.jpg
Object 'craigslist/x200t.jpg' not found
$: swift list craigslist
$: time swift list craigslist

real    0m1.913s
user    0m0.283s
sys    0m0.051s
$: swift download craigslist x220t.jpg
x220t.jpg [auth 6.971s, headers 13.029s, total 13.314s, 0.002 MB/s]
$: swift delete craigslist r61e.jpg
$: time swift list craigslist

real    0m2.330s
user    0m0.299s
sys    0m0.059s

As you can see from the timing information, some of the operations are fast and some are slow. Swift download provides its own timing information, which is nice. All upload/download operations above are authenticated through keystone. To provide a 'fake cdn' service like amazon s3, swift uses tempurls. This is how tempurls are typically used:

$: swift tempurl GET 3600 /v1/10724706841504/craigslist/x220t.jpg
Usage: swift tempurl <method> <seconds> <path> <key>
Generates a temporary URL for a Swift object.

Positions arguments:
  [method]              An HTTP method to allow for this temporary URL.
                        Usually 'GET' or 'PUT'.
  [seconds]             The amount of time in seconds the temporary URL will
                        be valid for.
  [path]                The full path to the Swift object. Example:
  [key]                 The secret temporary URL key set on the Swift cluster.
                        To set a key, run 'swift post -m
$: swift tempurl GET 3600 /v1/10724706841504/craigslist/x220t.jpg supersecret

Then, given this information you prepend the root url of the swift service and curl at it (don't forget single quotes!):

$: swift tempurl GET 3600 /v1/10724706841504/craigslist/x220t.jpg supersecret
$: keystone catalog | grep -i object
Service: object-store
|  publicURL  | |
| versionInfo |        |
| versionList |          |
$: curl ''
401 Unauthorized: Temp URL invalid

After poking this for some time I found this tidbit buried in the HP Cloud docs on swift, er excuse me, Object Storage: Differences Between Object Storage and OpenStack Swift TempURL Signature Generation
There are two differences between Object Storage and OpenStack Swift TempURL signature generation:
  • OpenStack Swift Temporary URLs (TempURL) require the X-Account-Meta-Temp-URL-Key header be set on the Swift account. In Object Storage you do not need to do this. Instead we use Access Keys to provide similar functionality.
  • Object Storage Temporary URLs require the user's Project ID and Access Key ID to be prepended to the signature. OpenStack Swift does not.

So this basically means you can't use the python-swiftclient tool with hpcloud object storage. At least nearby they provide a code snippet. I've created my own script.

$: python GET 3600 /v1/10724706841504/craigslist/x220t.jpg $OS_ACCESS_KEY_SECRET

This depends on setting OS_ACCESS_KEY_ID and OS_ACCESS_KEY_SECRET in your environment. These are nonstandard environment variables. Once this is set, anyone will be able to prepend the object storage root url to the front of the url output by and make their own janky-cdn.

The script to perform the hpcloud fakery can be found here.
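As an added example (not the script linked above), the following computes a standard Swift TempURL for the object path and key from the transcript, the HP Cloud variant with project id and access key id prepended as the docs describe, and the check a proxy performs when it receives such a URL. The ':' separator between the prepended ids and the HMAC is an assumption, and the tenant and access key id values used in the test are placeholders.

```python
import hmac
import time
from hashlib import sha1
from urllib.parse import parse_qsl

# Constructed sample: the object path and temp-url key from the post.
PATH = "/v1/10724706841504/craigslist/x220t.jpg"
KEY = "supersecret"


def swift_signature(method, expires, path, key):
    """Standard Swift TempURL signature: HMAC-SHA1 over "METHOD\\nEXPIRES\\nPATH",
    keyed with the account's X-Account-Meta-Temp-URL-Key."""
    body = f"{method.upper()}\n{int(expires)}\n{path}".encode()
    return hmac.new(key.encode(), body, sha1).hexdigest()


def swift_tempurl(method, seconds, path, key, now=None):
    """Path plus query string, as 'swift tempurl' prints it (host not included)."""
    expires = int(now if now is not None else time.time()) + int(seconds)
    sig = swift_signature(method, expires, path, key)
    return f"{path}?temp_url_sig={sig}&temp_url_expires={expires}"


def hpcloud_tempurl(method, seconds, path, tenant_id, access_key_id, secret, now=None):
    """HP Cloud variant as the post describes it: no account key, the HMAC is keyed
    with the access key secret, and the project id and access key id are prepended
    to the signature. The ':' separator is an assumption, not from the post."""
    expires = int(now if now is not None else time.time()) + int(seconds)
    sig = f"{tenant_id}:{access_key_id}:{swift_signature(method, expires, path, secret)}"
    return f"{path}?temp_url_sig={sig}&temp_url_expires={expires}"


def verify_tempurl(method, path, query, key, now=None):
    """Receiving side of a standard TempURL: reject expired links, then compare the
    presented signature against a freshly computed one in constant time."""
    params = dict(parse_qsl(query))
    try:
        expires = int(params["temp_url_expires"])
        presented = params["temp_url_sig"]
    except (KeyError, ValueError):
        return False
    if (now if now is not None else time.time()) >= expires:
        return False
    expected = swift_signature(method, expires, path, key)
    return hmac.compare_digest(expected, presented)
```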