Puppet in ATLAS DDM & Tier-0
Luis Rodrigues for CERN PH-ADP-CO
ph-adp-ddm-lab@cern.ch
CERN Puppet User Group Meeting, 2012-10-24

About
• Manage the installation and configuration of
  • ATLAS DDM Software
  • ATLAS Tier-0 Software
  • Supporting software
    • iptables, awstats, nagios, Hadoop, etc…
  • Team personal setups
    • development machines, analysis nodes, etc…
• ~90 nodes managed by a single Puppet Master (2-core VM, 2GB)
• Configuration backed up with git to AFS
• All actions logged to Puppet Dashboard
• Access controlled via single elevated UNIX user with shared password within the team
  • If you break the configuration, it will show in the git log, and you will be punished by wearing a donkey hat

Usage
• 23 modules
  • Modules separated by software/task, not by node
  • Software/task mapping to node in manifests/nodes.pp
• Password configuration via executable and ERBs
  • ERB
    • http://<%= pip_user %>:<%= pip_pwd %>@atlas-pip.cern.ch/simple
  • Manifest
    • $pip_user = generate('/etc/puppet/config/private/get_pwds', 'pip_user')
    • $pip_pwd = generate('/etc/puppet/config/private/get_pwds', 'pip_pwd')
• “Race condition” with Quattor “solved” through minimalistic Quattor templates
  • Gradually migrated most of our Quattor configs to Puppet
  • All nodes run with Quattor user-software option enabled
• Specific functionality for Python pip/virtualenv added

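Added example (not from the slides or the team's code): a Ruby sketch of the lookup-then-template pattern on this slide, built around the slide's ERB line. `lookup_secret`, the key=value file format and the sample values are assumptions, since the real `get_pwds` executable is not shown in the talk. It also percent-encodes the credentials, because a password containing `@`, `:` or `/` would otherwise render an ambiguous index URL.

```ruby
require 'erb'
require 'tempfile'

# Template line from the slide; the two values are passed in as locals.
PIP_INDEX_ERB = 'http://<%= pip_user %>:<%= pip_pwd %>@atlas-pip.cern.ch/simple'

# Hypothetical stand-in for a get_pwds-style helper: look up one key in a
# "key=value" file, refusing files that group or others can access.
def lookup_secret(path, key)
  mode = File.stat(path).mode & 0o777
  raise SecurityError, format('%s has mode %o, want 600 or stricter', path, mode) if mode & 0o077 != 0

  File.foreach(path) do |line|
    k, v = line.chomp.split('=', 2)
    return v if k == key && v
  end
  raise KeyError, "no secret named #{key}"
end

# Percent-encode a URL userinfo component so ':', '@' and '/' in a password
# cannot change how a client splits user, password and host.
def userinfo_escape(value)
  ERB::Util.url_encode(value)
end

# Render the slide's template; escape: false shows the unencoded result.
def render_index_url(pip_user, pip_pwd, escape: true)
  if escape
    pip_user = userinfo_escape(pip_user)
    pip_pwd = userinfo_escape(pip_pwd)
  end
  ERB.new(PIP_INDEX_ERB).result_with_hash(pip_user: pip_user, pip_pwd: pip_pwd)
end

# Constructed sample secrets file (values are made up for this example).
def sample_secrets_file(mode)
  f = Tempfile.new('pwds')
  f.write("pip_user=ddm\npip_pwd=p@ss:w/rd\n")
  f.close
  File.chmod(mode, f.path)
  f
end

if __FILE__ == $PROGRAM_NAME
  f = sample_secrets_file(0o600)
  user = lookup_secret(f.path, 'pip_user')
  pwd = lookup_secret(f.path, 'pip_pwd')
  puts render_index_url(user, pwd, escape: false) # extra '@', ':' and '/' in the URL
  puts render_index_url(user, pwd)                # userinfo percent-encoded
end
```
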
Caveats
• When we started, we had conflicts with the Ruby version on SLC5 and some Puppet dependencies
  • No obvious solution, and it was still problematic with SLC6
• Rolled our own Ruby/Agent/Master/Dashboard RPMs
  • Good: It works everywhere
  • Bad: Compile puppet on the node in the postinstall.sh
  • Ugly: Manual rm -rf /var/puppet/ssl/*; rpm --force -Uvh puppet-agent.rpm on node re-install due to certificate mismatch with the Puppet server
• Has been working like that for almost 1.5 years
  • Reluctance to update postinstall.sh to use newer Puppet version, still stuck on Puppet-1.6.7
  • (could solve the pip/virtualenv customisation)

Wishlist
• A centrally supported Puppet instance, so we don’t have to run our own
• Features that we would need:
  • Insert/Update/Delete modules
    • maybe via git?
  • Map modules to nodes
    • one node will likely have many modules
  • Allow file transfer from modules to node
    • e.g., dependent configuration templates
  • A way to query an ‘ATLAS secret service’ for password information to be inserted into templates
    • Or a secure central service
  • Monitor node change
    • Puppet Dashboard?
  • Support Python pip/virtualenv
  • Puppet kick