2012-09-03

Automate manifest distribution to masterless puppet clients from an S3 bucket

At Ooyala, I managed our Macintosh fleet with puppet. The problem we ran into is that we have users in remote locations rarely need to connect to the VPN, and when their machines aren't on the VPN or corp network, they can't connect to the puppetmaster and don't receive any updates. This made me switch to masterless puppet for our Macs so that they could pull their manifests (and other files) from S3, so the remote users could get updates when they weren't working from one of our offices and weren't on the corporate network or VPN.

When I was looking for examples of how to implement masterless, I didn't find tools for automating distribution of manifests to the nodes, so I wrote Miyamoto.  I got Ooyala to allow me to open-source it before I left, and the source is at https://github.com/unixorn/miyamoto

Miyamoto automates creating debs or OSX pkgs that contain all your manifest files and then publishing them to an S3 bucket so your client nodes can download and install them.

Here are a few caveats:
  • You lose the benefits of running a puppetmaster. No reporting, no dashboard, etc. While Miyamoto does write a json status file into the status subdirectory of your S3 bucket, you'll have to write something to scrape those files and convert them into something useful.
  • I ripped out all the company-specific stuff in a two day period between documenting things for my replacement and doing some other last minute tasks. I'm pretty sure everything still works, but if you run into issues, let me know and I'll try to help.
  • Currently Miyamoto only works with OS X and Debian based linux distributions. Redhat support should be trivial, but I didn't have time to work on that since Ooyala is an Ubuntu shop.
  • Miyamoto assumes you're using a single git repository for your manifests, and that there are specific branch names you're consistently using for stable & testing. If you're not a git user or are using multiple repos, or don't use the same branch names when you release a new stable environment, you'll need to tweak the Rakefiles.
  • Miyamoto also assumes you're willing to have a single set of AWS credentials that your nodes will use to download new manifests from a read only tree and write their statuses back to a specific directory in S3.

Creative Commons License

This work is licensed under a Creative Commons License.
Copyright 2007-2010, Joseph P. Block, Some Rights Reserved.

Creative Commons Logo