Reconnix Puppet Rollout

What is Puppet?

Puppet is a configuration management tool designed to provide server administrators with a mechanism for managing large groups of servers via modules hosted on a Puppet Master. In simple terms, this means that any server running as a Puppet Client will always conform to the rules set for it by the Puppet Master.

What are Reconnix Doing With Puppet?

Over the past few months Reconnix technicians have been honing their Puppet skills and, as part of this, have come up with a base set of Puppet modules and manifests which can be applied to any server configured with a Puppet Client. In conjunction with Puppet we are using SaltStack to gather additional information on each server's current software and hardware configuration.

As phase one of this project, Reconnix have rolled this out to approximately 30 servers which span a wide variety of setups to test for maximum compatibility. By the end of June, we plan to have this solution applied to all servers in the Reconnix estate.

This will allow Reconnix technicians to easily administer and adhere to our ISO processes and procedures in a consistent and auditable manner. A good example of this would be the well-documented vulnerability found in the OpenSSL package, Heartbleed. While Reconnix managed to patch all affected servers within the first 24 hours of the fix being released, had we been using Puppet we would have reached the same goal in less than an hour! Not bad for a 400+ server estate.

As well as allowing us to query the current status of software across all servers, by customising modules from the Puppet community, we are now able to manage sudo access and authorised SSH keys via our Puppet Master. This is a great time saver as any new starters simply need to have their username, required access level and SSH key added to our Puppet configuration and wait for the Puppet agent to call home and update the client servers.
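The onboarding step described above could look like the following manifest. This is an added example, not Reconnix's own module: the `site_access::admin` type, the `jbloggs` user, the two access levels and the key string are all assumptions made for illustration, and the syntax assumes Puppet 4 or later.

```puppet
# Hypothetical defined type (not from the original post): one declaration
# per administrator, carrying username, access level and SSH public key.
define site_access::admin (
  String               $ssh_key,                   # key body only, no type prefix or comment
  Enum['none', 'full'] $sudo     = 'none',         # assumed access levels
  String               $key_type = 'ssh-ed25519',
) {
  user { $title:
    ensure         => present,
    managehome     => true,
    shell          => '/bin/bash',
    # Remove any key in the user's authorized_keys that Puppet does not
    # manage, so a key added by hand disappears on the next agent run.
    purge_ssh_keys => true,
  }

  ssh_authorized_key { "${title}@puppet":
    ensure => present,
    user   => $title,
    type   => $key_type,
    key    => $ssh_key,
  }

  # Access level 'none' removes the drop-in, so revoking sudo is a
  # one-word change that goes through the same review as granting it.
  $sudo_ensure = $sudo ? { 'full' => file, default => absent }

  file { "/etc/sudoers.d/${title}":
    ensure       => $sudo_ensure,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "${title} ALL=(ALL) ALL\n",
    # Refuse to install a fragment that visudo cannot parse; a broken
    # sudoers file would lock every administrator out of sudo.
    validate_cmd => '/usr/sbin/visudo -cf %',
  }
}

# New starter: constructed username and placeholder key, not real values.
site_access::admin { 'jbloggs':
  sudo    => 'full',
  ssh_key => 'AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBODYNOTAREALKEY',
}
```

Because access lives in version-controlled manifests, removing a leaver's declaration (or setting the `user` to `ensure => absent`) revokes their key and sudo rights on every client at the next agent run.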

What if there’s a problem?

When introducing any new technology, a full risk assessment always needs to be undertaken. As part of this we've come up with a number of "gotchas" that we've had to take into account when making the decision to use Puppet.

What happens if a human error is made within the Puppet configuration?

Firstly, Reconnix have a test platform on which any changes to the Puppet configuration will be fully tested beforehand. This includes a spread of different servers and software set-ups.

As Reconnix as a whole follows ISO 20000, a procedure has been written to make sure that any changes to the Puppet configuration go through a change management process which needs to be signed off by two Systems Administrators as well as the Operations Manager. This will include a full line-by-line code review.

What happens if there is a problem with the Reconnix Puppet Master?

Reconnix believe in true high availability wherever possible, so for a job as important as our Puppet Master we have a HA pair of servers running across 2 separate Data Centres. Should either of our Puppet Masters fail for any reason, it would take us less than 10 minutes to fail over to our secondary Puppet Master.

What about the overhead on my server?

Both Puppet and SaltStack are really memory-friendly processes, so unless you're running right on the edge of your server resources you won't even notice them running. To give you an example, one of the servers we've trialled Puppet on is using 44MB of RAM running Puppet and 26MB of RAM running SaltStack.

Sounds good! But what can I do with Puppet and/or SaltStack?

Anything you want, nearly! If you can do it on the command line of your server then there's no reason you wouldn't be able to configure Puppet to do it. What you need to remember is that it's only worth doing with Puppet or SaltStack if it is a repeatable exercise and it needs to be done across multiple servers.

If you would like more information on what Puppet can do for you, or how you can introduce it into your server estate, call one of our team on 0845 4210 444.