Home

Awesome

Puppet Git Receiver

puppet-git-receiver is a script that handles validating and applying puppet manifests that are pushed to a git repository.

When installed as a git update hook, it validates any file with the suffix .pp. If no validation errors are detected, then it runs puppet apply using the manifest manifests/site.pp.

It uses the path modules/ in your repository as the puppet modules path.

By default it considers the master branch and ignores all others (See below to change the target branch). If the validation or the apply return any errors, the update is rejected (i.e: the master head is not updated).

git push srv-30qvg.gb1.brightbox.com

Counting objects: 7, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (4/4), 346 bytes, done.
Total 4 (delta 0), reused 0 (delta 0)
remote: *** Validating puppet manifests for refs/heads/master
remote: *** Applying puppet manifests
remote: notice: /Stage[main]//Package[cowsay]/ensure: ensure changed 'purged' to 'present'
remote: notice: Finished catalog run in 3.18 seconds
remote: *** Puppet manifests applied successfully
To puppet-git@ipv6.srv-30qvg.gb1.brightbox.com:puppet.git
   3ffd7b7..49072b1  master -> master

Deployment

Ubuntu deployment

The source includes recipes to build Ubuntu packages which creates a user named puppet-git, with a pre-configured git repository named puppet.git in its home directory (and appropriate sudo privileges).

Pre-built packages for Ubuntu are available in the Brightbox launchpad ppa.

sudo apt-add-repository ppa:brightbox/puppet
sudo apt-get update
sudo apt-get install puppet-git-receiver

Then set a password for the puppet-git user, or add your ssh keys to its home directory /var/lib/puppet-git-receiver.

Then you can just add the git repository as a git remote and push to get your manifests applied.

git remote add myserver puppet-git@myserver.example.com:puppet.git
git remote push myserver master

Alternatively, you can just use any user in the admin group with full sudo privileges to access the repo too:

git remote add myserver ubuntu@myserver.example.com:/var/lib/puppet-git-receiver/puppet.git
git remote push myserver master

And for (slight) convenience, there is a symlink to the repository at /var/lib/puppet-git-receiver.git:

git remote add myserver ubuntu@myserver.example.com:/var/lib/puppet-git-receiver.git
git remote push myserver master

Ubuntu cloud-init deployment

If you're using an Ubuntu image with the cloud-init package installed on a cloud platform that supports EC2-style user data (like Amazon EC2 obviously, or Brightbox Cloud, you can script the installation on boot like this:

#cloud-config
apt_sources:
 - source: "ppa:brightbox/puppet"
packages:
 - puppet-git-receiver
runcmd:
- cp -ar /home/ubuntu/.ssh /var/lib/puppet-git-receiver/
- chown -R puppet-git.puppet-git /var/lib/puppet-git-receiver/.ssh

A version of this script is maintained as a Github gist at https://gist.github.com/3129203 for convenience. You can use it with a cloud-init #include statement, like this:

$ brightbox-servers create --user-data="#include https://raw.github.com/gist/3129203/puppet-git-receiver-install" img-9h5cv

Creating a nano server with image Ubuntu Precise 12.04 LTS server (img-9h5cv) with 0.10k of user data

 id         status    type  zone   created_on  image_id   cloud_ip_ids  name
-----------------------------------------------------------------------------
 srv-3te8u  creating  nano  gb1-a  2012-07-17  img-9h5cv
-----------------------------------------------------------------------------

When this boots, you can immediately push puppet manifests to it and have them applied. Easy peasy!

Manual deployment

If you'd prefer not to use the Ubuntu package, just install the script in your git repository named .git/hooks/update. Ensure the user the script will run as has permission to run puppet using sudo with environment variables. Something like this in sudoers should do the trick:

puppet-git	ALL=NOPASSWD: SETENV:/usr/bin/puppet

You obviously need git and puppet installed, but also bash, sudo, find, tar and xargs.

Configuration

You can disable the full validation step by setting the git config boolean option puppet-receiver.skip-validation to true on the remote repository:

git config --bool --add puppet-receiver.skip-validation true

You can set extra arguments passed to puppet apply by setting the git config option puppet-receiver.args on the remote repository:

git config --add puppet-receiver.args "--noop --debug"

You can change the default branch that puppet-git-receiver uses by creating the file /etc/puppet-git-receiver.conf and setting the BRANCH variable

BRANCH=new-version

Puppet forge integration

puppet-git-receiver can download and install modules hosted on Puppet Forge prior to applying your manifests.

Create a file in the root of your repository named .puppetforge-modules and list each module you want installed, one per line. You can optionally specify the exact module version you want installed, putting the version number after the module name separated by a space, otherwise the latest version is installed. Lines starting with a # character and empty lines are ignored. Example:

brightbox/apt
brightbox/apache 1.0.0
brightbox/nagios

The modules are installed on the server into a directory created in the root named puppetforge-modules which is added to the puppet modulespath. Your repository's own modules/ directory takes precedence.

Puppet version 2.7.12 is required for installing forge modules.

Librarian-puppet integration

puppet-git-receiver can alternatively download and install modules using librarian-puppet. If a Puppetfile is found in your repository and librarian-puppet is installed the modules will be fetched before applying your manifests.

Options to librarian-puppet can be supplied by setting the puppet-receiver.librarian-puppet-args git config option on the remote repository:

git config --add puppet-receiver.librarian-puppet-args "--verbose"

Yaml-based node classification

You can classify nodes using yaml files placed in the manifests/ directory.

manifests/site.yml is the default for all nodes, but you can create files in manifests/nodes/ with the fqdn of the node you want to classify and that will be used instead (e.g: manifests/nodes/srv-abcde.gb1.brightbox.com.yml).

The file needs to be formatted as per the puppet external node classification output format.

For example:

classes:
  "apt":
  "apache":
  "apache::php":
  "apache::passenger":
    instances_per_app: 8
  "rsyslog":
    remote_servers:
      - "10.0.0.1"
      - "10.0.0.2"

Code

The code is licensed under the terms of the GPLv3 and is available on Github at https://github.com/brightbox/puppet-git-receiver

(c) Copyright 2012 John Leach john@brightbox.co.uk