PostgreSQL administration using Puppet Miguel Di Ciurcio Filho miguel@instruct.com.br http://localhost:9090/onepage 1/25

Agenda

- What is Puppet?
- Puppet Architecture
- Managing PostgreSQL
- Installation
- Databases
- Roles and Grants
- Configuration

What is Puppet?

- Automation platform that defines and enforces the state of your infrastructure.
- Open Source since 2005.
- Used by projects and organizations like Debian, Wikipedia, Google, Mozilla, PayPal, GitHub, LHC and many others.
- Frees SysAdmins from writing one-off, fragile scripts and other manual tasks.
- Ensures consistency across your infrastructure.
- Puppet uses a declarative language for modeling your configuration, meaning you tell Puppet what results you want, rather than how to get there.

Declarative Modeling Language

Model the desired state; Puppet figures out how to enforce it.

Comparison

Imperative Shell Code:

    if [ 0 -ne $(getent passwd elmo > /dev/null)$? ]
    then
      useradd elmo --gid sysadmin -n
    fi

    GID=`getent passwd elmo | awk -F: '{print $4}'`
    GROUP=`getent group $GID | awk -F: '{print $1}'`

    if [ "$GROUP" != "$GID" ] && [ "$GROUP" != "sysadmin" ]
    then
      usermod --gid $GROUP $USER
    fi

    if [ "`getent group sysadmin | awk -F: '{print $1}'`" == "" ]
    then
      groupadd sysadmin
    fi

Declarative Puppet Code:

    user { 'elmo':
      ensure => present,
      gid    => 'sysadmin',
    }

    group { 'sysadmin':
      ensure => present,
    }

How Puppet Works

Data Flow

How Puppet manages data flow from individual nodes.

Idempotency

Puppet enforces resources in an idempotent way.

It is our job as developers to teach Puppet how to do this for resource types we develop so that our users don't have to.

    # First Puppet Run
    notice: /Group[sysadmin]/ensure: created
    notice: /User[elmo]/ensure: created
    notice: Finished catalog run in 0.08 seconds

    # Second Puppet Run
    notice: Finished catalog run in 0.03 seconds

Idempotence: The property of certain operations in mathematics or computer science in that they can be applied multiple times without further changing the result beyond the initial application.

Notes:

Idempotent: able to be applied multiple times with the same outcome. Puppet resources are idempotent, since they describe a desired final state rather than a series of steps to follow.

Source: Puppet Docs, http://docs.puppetlabs.com/references/glossary.html#idempotent

State Model

Describe the desired state. Let Puppet maintain it.

Puppet Resources

Resources are building blocks. They can be combined to make larger components. Together they can model the expected state of your system.

Puppet Demo

Demo summary

- Modules: directories that contain your configuration. A module encapsulates all of the components related to a given configuration in a single directory hierarchy, which enables the following:
  - Auto loading of classes
  - File serving for templates and files
  - Easy sharing with others
- Facts: key/value pairs generated by facter about a given node.
- Classes: collections of resources that are managed together as a single unit.

Why use Puppet to manage a relational database?

- Avoid clumsy scripts.
- Guarantee consistency of configuration over time.
- Better visibility of current state.
- Easy integration with any source control management tool.

The puppetlabs/postgresql module

- Manages packages and services on several operating systems (server and client): Red Hat, Ubuntu, Debian, Scientific, CentOS, OracleLinux, SUSE Enterprise (!).
- Supports basic management of databases, users and permissions.
- Manages the firewall on some distros.

https://forge.puppetlabs.com/puppetlabs/postgresql
https://github.com/puppetlabs/puppet-postgresql

puppetlabs/postgresql classes and resources

- postgresql::server
- postgresql::server::db
- postgresql::server::pg_hba_rule
- postgresql::server::role
- postgresql::server::database_grant
- postgresql::server::table_grant
- postgresql::server::config_entry

The class postgresql::server

    class { 'postgresql::server':
      manage_firewall   => true,
      postgres_password => 'TPSrep0rt!',
    }

- Manages the installation and configuration of the server.
- Supports various parameters.
- Installs packages and enforces a restrictive configuration by default.
- Runs initdb if necessary.

The resource postgresql::server::db

    postgresql::server::db { 'test1':
      user     => 'test1',
      password => postgresql_password('test1', 'changeme!'),
    }

- Convenient resource to create databases.
- Creates a user and assigns the necessary permissions in one go.

The resource postgresql::server::pg_hba_rule

    postgresql::server::pg_hba_rule { 'allowapptoaccessdatabase':
      type        => 'host',
      database    => 'app',
      user        => 'app',
      address     => '200.1.2.0/24',
      auth_method => 'md5',
    }

- Allows you to create an access rule for pg_hba.conf.

The resource postgresql::server::role

    postgresql::server::role { 'dba':
      superuser     => true,
      password_hash => postgresql_password('dba', 'dba'),
    }

- Creates roles in PostgreSQL.
- Supports various parameters like createdb, createrole, replication and others.

The resource postgresql::server::database_grant

    postgresql::server::database_grant { 'marmot_elvis':
      privilege => 'ALL',
      db        => 'db01',
      role      => 'elvis',
    }

- Manages grant-based access privileges for databases.

The resource postgresql::server::table_grant

    postgresql::server::table_grant { 'table1ofdb01':
      privilege => 'ALL',
      table     => 'table1',
      db        => 'db01',
      role      => 'elvis',
    }

- Manages grant-based access privileges for tables.

The resource postgresql::server::config_entry

    postgresql::server::config_entry { 'check_function_bodies':
      value => 'off',
    }

    postgresql::server::config_entry { 'work_mem':
      value => '10MB',
    }

- Can be used to modify the postgresql.conf configuration file.
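
An added example, not from the original slides or the module's documentation: one hypothetical profile class that combines the resources shown above, with passwords passed in as parameters instead of written into the manifest and with narrower grants than ALL. The class name `profile::appdb`, the `report` role, the `orders` table and the parameter names are assumptions for illustration.

```puppet
# Added example; profile::appdb, 'report', 'orders' and the parameters are hypothetical.
class profile::appdb (
  $postgres_password,  # no defaults: supply via Hiera, keep out of the manifest
  $app_password,
  $report_password,
  $app_subnet = '200.1.2.0/24'
) {
  class { 'postgresql::server':
    manage_firewall   => true,
    postgres_password => $postgres_password,
  }

  # Database, its login role and the role's grant on it, in one resource.
  postgresql::server::db { 'app':
    user     => 'app',
    password => postgresql_password('app', $app_password),
  }

  # Reporting role without superuser rights.
  postgresql::server::role { 'report':
    superuser     => false,
    password_hash => postgresql_password('report', $report_password),
  }

  # CONNECT on the database and SELECT on one table instead of ALL.
  # Assumes the 'orders' table already exists; Puppet does not create it.
  postgresql::server::database_grant { 'report_connect_app':
    privilege => 'CONNECT',
    db        => 'app',
    role      => 'report',
    require   => [Postgresql::Server::Db['app'], Postgresql::Server::Role['report']],
  }
  postgresql::server::table_grant { 'report_select_orders':
    privilege => 'SELECT',
    table     => 'orders',
    db        => 'app',
    role      => 'report',
    require   => Postgresql::Server::Database_grant['report_connect_app'],
  }

  # Password-authenticated TCP access to this database from one subnet only.
  postgresql::server::pg_hba_rule { 'report_from_app_subnet':
    type        => 'host',
    database    => 'app',
    user        => 'report',
    address     => $app_subnet,
    auth_method => 'md5',
  }
}
```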

Puppet + PostgreSQL Demo

About Puppet Labs

- Developer of IT automation software for system administrators
- 3,000+ Community members
- 50,000+ Nodes managed in the largest deployments
- Support for Red Hat, CentOS, Ubuntu, Debian, SUSE, Solaris, AIX, Mac OS X, Windows, etc.

About Instruct

- Infrastructure administration and operation.
- Authorized Puppet Labs Partner since 2012.
- Puppet Open Source and Enterprise consulting.
- Offers all official training courses in Brazil:
  - Puppet Fundamentals
  - Puppet Practitioner
  - Puppet Architect

Next Steps & Questions

- Brazilian Community: http://puppet-br.org
- Instruct: http://instruct.com.br
- Puppet training in Brazil: http://instruct.com.br/calendario.html

Learn more!

- Download Puppet Enterprise, manage 10 nodes for free: http://puppetlabs.com/download-puppet-enterprise
- Learning Puppet Tutorials: http://docs.puppetlabs.com/learning/
- Download the Learning Puppet VM: http://info.puppetlabs.com/download-learning-puppet-VM.html
- Puppet Docs: http://docs.puppetlabs.com/