Whopper Tacos

Logstash Debuntu Packaging and Deployment

2012-04-16T14:51:00-04:00

Logstash is a really nifty log shipping, indexing, and searching suite. The typical centralized setup involves running a shipper agent on all your nodes, which are configured to ship certain log messages to a message broker. An indexing agent consumes the log messages from the broker, and writes them to elasticsearch. Logstash comes with a light web interface for searching this data.

Unfortunately, I couldn’t find any current packaging for logstash. However, the writer of Logstash (Jordan Sissel, aka whack) writes another utility called FPM (F’n Package Management) which allows you to easily create OS packages from a directory structure. So I forked the elasticsearch init script which is included with elasticsearch’s deb package, making one init script for each of the three moving parts in Logstash.

I put the default configs and /etc/default/logstash-{web,shipper,indexer} in a directory, and a couple of pre and post install scripts. Then, I downloaded the latest stable logstash all in one jar. I named this jar logstash.jar and put it in logstash_packaging/usr/share/logstash/.

I then used fpm to build a package like so:

fpm -n logstash -v 1.1.0.1yoursite1 -d grok -d default-jre -a all -C logstash_packaging/ -m "The Systems Group systems@yoursite.com" -t deb -s dir --pre-install ./logstash.preinstall --post-install ./logstash.postinstall --description "Logstash Open Source Log Management" --url 'http://www.logstash.net/'

Remember if you need to re-package, only bump the number after your sitename.

You can find the packaging files here: GitHub.

Now onto the actual deployment. As usual, I use Puppet for this. Basically I have a parameterized class that you feed a ‘role’ to. This is an array of which logstash agents you’ll be running. Depending on this role, certain services are enabled and started up, and their configs served out.

That code can be found here: GitHub.

A couple of small caveats. I put in an elasticsearch parameter, which should work. Just be wary that if you use an external elasticsearch server, you must use the version your logstash jar is compiled against. This is because the REST API was not fast enough, so Jordan had to use the Java messaging.

Also, be wary that elasticsearch discovery is done using multicast. So if you are firewalling, you may notice that changing your default policy to ACCEPT during startup of logstash alleviates the issue, which will probably manifest in you seeing the indexer see messages, but nothing appearing in elastisearch.

Puppet vs Chef: The Unequivocal Winner

2012-03-08T12:14:00-05:00

Me, representing Puppet, versus Reza, good friend and lowly Chef user, at the moment of Puppet’s glorious victory:

OpenBSD - Using Hierarchical Protection Domains for Network Security

2012-03-01T01:07:00-05:00

Some time ago I worked with Reyk Floeter on the ininitial implementation of a new datacenter network during my time at one of the more well-known Information Security vendors. Reyk had this phenomenal idea for the network structure that seemed to simple it was one of those “why didn’t I think of that” ideas. So after we deployed, I looked over the net and couldn’t really find docs of people doing this, so I wrote a really short paper and some basic slides on it and presented at LOPSA PICC ‘11. I kind of suck at presenting, but this topic is actually super easy to understand, so I was able to get my ideas out fast and then answer a lot of questions. Anyways, this paper came up in an IRC chat tonight and I figured I should post a link to it, here ya go.

Simple puppet function for writing out to Confluence

2012-02-29T20:54:00-05:00

A couple gigs ago we were an Atlassian shop and I am actually a big fan of Atlassian software, though it takes a lot of work up front to get it deployed in the way you like, but I’m not going to cover all that here. What I did though was I enabled the SOAP api for a user named Puppet, opened up the IT or Systems area so I could write something here:

http://confluence.yourorg.com/Systems/${fqdn}

Now that the thing that is phenomenal about this is that each page in Confluence has a comments section that you don’t deal with when comparing the data, to determine if an update is needed. Now what this means is that you can use the comments area as a server log. Everytime you do some work on a given server, you can log it right on the server’s page. So here is the function, which I will talk about a little bit more after the paste:

# This file is managed by puppet. It's used to write node information to
# Atlassian Confluence wiki pages.
require 'erb'

module Puppet::Parser::Functions
   newfunction(:write_confluence_wiki) do |args|
      page_template = %{
{panel}
{color:#102051}This page is automagically generated and updated by a Puppet function.{color}
{panel}

h1. <%= lookupvar("::fqdn") %>
----

h2. Node Information
|| *Fact or Variable* \ || *Value* ||
| Architecture \ | <%= lookupvar("::hardwaremodel") %> \ |
| Core Count \ | <%= lookupvar("::processorcount") %> \ |
| CPU \ | <% if lookupvar("::kernel") == "OpenBSD" %><%= lookupvar("::hardwareisa") %><% else %><%= lookupvar("processor0") %><% end %> \ |
| Facter Version \ | <%= lookupvar("::facterversion") %> \ |
| Kernel \ | <%= lookupvar("::kernelrelease") %> \ |
| Location \ | <%= extlookup("address") %>, <%= extlookup("citystate") %> \ |
| OS \ | <% if lookupvar("::operatingsystem") == "OpenBSD" %>OpenBSD <%= lookupvar("::operatingsystemrelease") %><% else %><%= lookupvar("::lsbdistdescription") %><% end %> \ |
| Physical Processor Count \ | <%= lookupvar("::physicalprocessorcount") %> \ |
| Puppet Master \ | <%= extlookup("puppetserver") %> \ |
| RAID Type \ | <%= lookupvar("::raidtype") %> \ |
| Ruby Version \ | <%= lookupvar("::rubyversion") %> \ |
| Time Zone \ | <%= lookupvar("::timezone") %> \ |
| Virtual? \ | <% if lookupvar("::virtual") != "physical" %>Yes<% else %>No<% end %> \ |

h2. Firewall Information

*Note that this information is not accurate on OpenBSD routers and firewalls*

|| *Network Type* \ || *Networks* ||
| Node Networks \ | <%= extlookup("nodenets").to_a.join(',') %> \ |
| Trusted Networks \ | <%= extlookup("trustednets").to_a.join(',') %> \ |
| Blocked Machines/Networks \ | <%= extlookup("badactors").to_a.join(',') %> \ |

|| *Port Set* \ || *Ports* ||
| Restricted to Node Networks (TCP) \ | <%= lookupvar("restricted_to_node_nets_tcp_ports") %> \ |
| Restricted to Node Networks (UDP) \ | <%= lookupvar("restricted_to_node_nets_udp_ports") %> \ |
| Restricted to Trusted Networks (TCP) \ | <%= lookupvar("restricted_tcp_ports") %> \ |
| Restricted to Trusted Networks (UDP) \ | <%= lookupvar("restricted_udp_ports") %> \ |
| Fully Open to the World Ports (TCP) \ | <%= lookupvar("open_tcp_ports") %> \ |
| Fully Open to the World Ports (UDP) \ | <%= lookupvar("open_udp_ports") %> \ |

h2. NIC Information
|| *Interface* \ || *MAC Address* \ || *IP* \ || *Netmask* ||
<% lookupvar("::interfaces").split(',').each do |iface|
   ip   = "ipaddress_" + iface 
   mac  = "macaddress_" + iface
   mask = "netmask_" + iface
%>| <%= iface %> \ | <%= lookupvar(mac) %> \ | <%= lookupvar(ip) %> \ | <%= lookupvar(mask) %> \ |
<% end %>

h2. Contact Points
| Primary Admin | <%= extlookup("primary_nagios_contact") %> \ |
| Secondary Admin | <%= extlookup("secondary_nagios_contact") %> \ |
| Tertiary Admin | <%= extlookup("tertiary_nagios_contact") %> \ |

During non-emergency, please contact <%= lookupvar("admin_group_email") %>

More information such as what resources are managed on this node can be viewed [here|http://puppetdocs.<%= lookupvar("::domain") -%>/<%= lookupvar("::environment") -%>]
----

*Please use the comments for a server log.* 

{column}
{section}{section}
      }

      # Get current page to determine if there are no changed to be made
      current_confluence_page = `/usr/local/bin/confluence.sh --action getPageSource --title #{lookupvar("::fqdn")} --space IT`
      # Compile Confluence page with dynamic data populated
      new_confluence_page = ERB.new(page_template)

      # Now we will exit if there are no changes
      if current_confluence_page == new_confluence_page
         return 0
      end

      # Stuff changes into confluence
      output = `/usr/local/bin/confluence.sh --action storePage --title "#{lookupvar("::fqdn")}" --space IT --content '#{new_confluence_page.result(binding)}' 2>&1`

      if $? != 0
         raise Puppet::ParseError, output
      end

      return 0
   end
end

Please note this requires the shitty Java Confluence client, never had the chance to rewrite using native SOAP, but if you would, feel free to send me a patch!

This is also in production at one of my gigs on a 2.6.7 master, have yet to try on 2.7.9 which I am using at all my other gigs.

Using git cherry to get a list of unmerged and un-cherry-picked commits

2012-02-27T22:18:00-05:00

Recently I made a post about using Git submodules for Puppet and I pasted some code I use to interact with the repo and ensure I get the workflow right. One of these scripts, promote.sh, had a feature that listed commits not yet in the master branch of each submodule. This was done with git log master..develop. Unfortunately, this command will show commits that have been cherry-picked as not yet merged, since cherry-picks get a new SHA on the branch you bring them into. After doing some digging, I found a new command: git cherry.

Git cherry is made for this exact purpose almost. The man page says it is for determining which commits have not yet made it to upstream, and it does this by comparing the changeset, not the SHA commit id. It will output lines of each commit ID that has not yet been merged to upstream. Then, each line will begin with a - or +. The lines with -’s are already in the branch passed, while the lines beginning with + are the ones that only exist in your current branch. I then took this knowledge, and modified the list function for promote.sh to look like this:

# This will go through all submodules and run the appropriate git command to
# show what commits master needs to be on track with develop. This uses the
# git cherry command, which is basically built for this exact purpose. Note
# that this had to be used due to our use case of sometimes promoting single
# changes through cherry-pick. Therefore git log master..develop would some-
# times show inaccurate information.
function list_pending_promotions() {
   pushd $puppetroot >/dev/null 2>&1

   read -p "Update checkout? (y/N) " answer

   if [ "$answer" != "y" -a "$answer" != "Y" ]; then
      printf "Be warned, data might be innaccurate if you are not up to date.\n"
   else
      printf "Ensure checkout is updated...\n"
      scripts/updatecheckout.sh
   fi

   printf "Show pending changes...\n\n"
   printf "========================================\n"
   git submodule --quiet foreach 'if [[ $path =~ ^production.* ]]; then printf "%s:\n\n" "$(basename $name)"; changes=$(git checkout develop 2>/dev/null; git cherry -v master | egrep "^\+" | sed "s/^+ //"; git checkout master 2>/dev/null); if [ -z "$changes" ]; then printf "No pending commits.\n"; else printf "%s\n" "$changes"; fi; printf "========================================\n"; fi'
   popd $puppetroot >/dev/null 2>&1
}

The long line for git submodule is kind of suboptimal, but I didn’t really want to play with escaping at this point. This feature is nice though and after asking around not many people seemed to know about it.

Hackery to script creation of new Puppet CA

2012-02-27T19:33:00-05:00

One of the tasks when setting up a new master is to set up a new CA. This is not something most people think about because Puppet does it automatically for you. However, unless your puppet.conf is in place already, it may not create 4096 bit keys. Also, if you’re doing a completely automated setup of a new organization, you might want to just run a script to generate the CA in a version controlled directory.

So, here is my quick and dirty hack for generating a new Puppet CA:

#!/usr/bin/env ruby
# QnD for generating Puppet CA. Doing a certification chain is a royal PITA
# with Puppet, so I typically have the Puppet CA as a separate entity from
# the company SSL setup. This is obviously suboptimal for enterprise-scale
# Puppet setups. You've been warned!

require 'rubygems'
require 'puppet'

begin
   Puppet::SSL::Host.ca_location = :local
   Puppet.settings.use :ca
   Puppet[:certname] = "puppet"
   Puppet[:keylength] = "4096"
   Puppet[:ssldir] = "./"
   newca = Puppet::SSL::CertificateAuthority.new
   newca.generate_ca_certificate
   Puppet::SSL::CertificateAuthority.instance
rescue
   STDERR.puts "Error creating Puppet CA!!!"
   exit -2
end

My technique for reconciling generic canned Puppet modules and organization-specific configurations

2012-02-26T14:30:00-05:00

As I’ve mentioned before I use a large set of cross-platform, relatively generic modules that I wrote for a system I call GRUMPS. The problem with this method is that you’re going to need to have some ERBs and files that are custom to your organization.

In my previous post about using Puppet submodules, you may have noticed that in addition to my grumps-modules, I use an organization-modules as the second module in my modulepath. So, to remediate the need for site- specific stuff while maintaining the generic moduleset is to create modules under the organization-modules directory named modulename_priv.

Then I do something like this to tell my defined resources to look there (the …’s cut out code not necessary for this demonstration):

define httpd::site (
   $ensure  = "present",
   $group   = "${httpd::apache_group}",
   $mode    = "640",
   $owner   = "root",
   $private = "false"
) {
...

   if ($private == "true") {
      $template_path = "httpd_priv/sites/${name}.erb"
   } else {
      $template_path = "httpd/sites/${name}.erb"
   }

...

   file {
      "${httpd::confdir}/${name}":
         content  => $ensure ? { present => template($template_path), absent => undef },
         ensure   => $ensure,
         group    => $group,
         mode     => $mode,
         owner    => $owner,
         tag      => "httpd_config";
   }

Testing Puppet

2012-02-22T19:07:00-05:00

An often over-looked part of Puppet is the fact that you can programmatically test changes. The Puppet master has a –compile feature, which will work if you sync the fact YAMLs from your master to the machine you run the –compile from.

Puppet-cucumber looks to solve this, so I tried to start using it today. I found that the features I need already work in my massive monolith test script, and that puppet-cucumber was just not a good fit. Particularly because it seemed a little obtuse in general, especially if I only wanted to test things that changes in either one revision or range of revisions. Anyways, this is my script for testing puppet changes. You will need GNU Parallel, Puppet, and MySQL, maybe a couple other smaller deps to run it.

My typical usage is:

scripts/puppet-test -d -e staging

Before I have deployed. If you look at the script through, it supports revision ranges and whatnot. -d is just a shortcut to run the tests against the changes local to you that are not yet deployed.

As always, use at your own risk:

#!/bin/bash
# This script does syntax checks on a working tree of a puppet git repo,
# and then utilizes the stored config DB to find a host that belongs to
# a changed class, then compile the catalog for that host. Note that
# this script is designed to be run in the scripts directory of the puppet
# checkout.
#
# In regular mode, your diff is between the current origin. This can be mod-
# ified by using the -d argument, which diffs against the deployed revision.
#
# This script can also be used as a git pre-commit hook, by placing it in
# your git checkout under .git/hooks/pre-commit, or linking the git pre-
# commit file to the script itself.
#
# Note that this script auto-detects whether you are in an svn or git
# checkout, and alters its mode of operation depending on the VCS used.
#
# Also note that -r does not currently work right when git sub-modules
# are involved. Will eventually be fixed.
#
# Finally, you should make sure you are in the root of the checkout when this
# is run otherwise it likely won't work right, esp wrt submodules.
#

function caterror() {
   cat "$1" >&2
}

function die() {
   printf "%s\n" "$1"
   exit $2
}

function usage() {
   printf "                              _        _            _   \n"
   printf " _ __  _   _ _ __  _ __   ___| |_     | |_ ___  ___| |_ \n"
   printf "| '_ \| | | | '_ \| '_ \ / _ \ __|____| __/ _ \/ __| __|\n"
   printf "| |_) | |_| | |_) | |_) |  __/ ||_____| ||  __/\__ \ |_ \n"
   printf "| .__/ \__,_| .__/| .__/ \___|\__|     \__\___||___/\__|\n"
   printf "|_|         |_|   |_| \n\n"

   printf "This script can be used to perform a thorough test of\n"
   printf "your puppet checkout, including syntax, duplication,\n"
   printf "and compile-time errors.\n\n"

   printf "Note that specifying revisions here only applies to the diff.\n"
   printf "This means that you should not expect this script to check\n"
   printf "out the given revision to test the actual code from that\n"
   printf "revision. This type of functionality will be added later.\n\n"

   printf "Usage:\n"
   printf "   $(basename $0) [-c] [-e environment] [-f] [-F]\n"
   printf "   -d  Performs test of deployed rev v. your checkout\n"
   printf "   -e  Puppet environment to test against, default production\n"
   printf "   -f  Force tests even if there are no changes\n"
   printf "   -F  Really force, even for regex node checks\n"
   printf "   -m  Sets VCS mode. Can be 'git', 'svn', or 'git-svn'\n"
   printf "   -P  Specify the root of your Puppet checkout. Default to ~/working/git/puppet\n"
   printf "   -r  Specify revision to diff against, or range of revisions to \n"
   printf "       diff between. Range must be in the form of rev1:rev2. Does not yet\n"
   printf "       work with submodules.\n"
   printf "\n"

   exit 0
}

check_node_regex=false
compile_failure_log="$(mktemp /tmp/compile_failure_log.XXXXXX)"
deployed="false"
environment="production"
error_msg=$(mktemp /tmp/error_msg.XXXXXX)
force="false"
fullforce="false"
puppet_masters="puppet.yoursite.com"
puppetroot="$HOME/working/git/puppet"
storedconfig_password='3287432424jkdhsfkh'
syntax_errors=0
vcs=""

while getopts de:fFhm:P:r: option; do
   case "$option" in
      d)
         deployed="true"
      ;;
      e)
         environment="$OPTARG"

         if [ '!' -d "${puppetroot}/${environment}" ]; then
            printf "Environment %s does not exist\n." "$environment"
            exit -1
         fi
      ;;
      f)
         force="true"
      ;;
      F)
         force="true"
         fullforce="true"
      ;;
      m)
         vcs="$OPTARG"

         if [ "$vcs" != "git" -a "$vcs" != "svn" -a "$vcs" != "git-svn" ]; then
            printf "FATAL: %s is not a supported VCS!\n" >&2
            exit -15
         fi
      ;;
      P)
         puppetroot="$OPTARG"
      ;;
      r)
         rev="$OPTARG"
      ;;
      [?h])
         usage
      ;;
   esac
done

# Fail if puppetroot is not there
if [ ! -d "$puppetroot" ]; then
   die "FATAL: Puppet checkout not found at ${puppetroot}" -2
fi

# Die if attempt to diff against prod and specify revision
if [ "$deployed" == "true" -a -n "$rev" ]; then
   die "-d and -r are mutually exclusive options!" "107"
fi

# Attempt to auto-identify VCS if nothing is passed to -m
if [ -z "$vcs" ]; then
   if [ -e "${puppetroot}/.git" ]; then
      vcs="git"
   elif [ -e "${puppetroot}/.svn" ]; then
      vcs="svn"
   fi

   if [ -z "$vcs" ]; then
      printf "FATAL: Could not determine VCS!\n" >&2
      exit -1
   else
      printf "Selecting %s as vcs...\n" "$vcs"
   fi
fi

# Move to puppet root and let the games begin
cd $puppetroot

# Determine if given revision or revision range is valid. Die if not.
if [ -n "$rev" ]; then
   export IFS=:
   case "$vcs" in
      git)
         for r in $rev; do
            if '!' git show --summary ${r} >/dev/null 2>&1; then
               die "Git revision ${r} is not valid" "69"
            fi
         done
      ;;
      git-svn)
         for r in $rev; do
            if '!' git svn find-rev r${r} >/dev/null 2>&1; then
               die "SVN Revision ${r} does not exit" "70"
            fi
         done
      ;;
      svn)
         for r in $rev; do
            if '!' svn info -r${r} >/dev/null 2>&1; then
               die "SVN Revision ${r} is not valid" "71"
            fi
         done
      ;;
      *)
         die "Sense is not being made" "42"
      ;;
   esac
fi

# It would be a little weird to try and add conditionals to save some lines
# here, so we just do separate behavior for each VCS.
case $vcs in
   git)
      current_branch=$(git branch | egrep '^\*' | cut -d' ' -f2)

      if [ "$current_branch" == "master" ]; then
         git pull --all >/dev/null 2>&1
         git submodule update --merge >/dev/null 2>&1

         if [ $? -ne 0 ]; then
            printf "Unspecified error when running git pull and/or submodule update on your checkout!\n" >&2
            exit -1
         fi
      fi

      if [ "$deployed" = "true" ]; then
         oldrev=$(ssh $(echo $puppet_masters | cut -d' ' -f1) "sudo cat /etc/puppet/REVISION")
         diffcmd="git diff ${oldrev}"
      elif [ -n "$rev" ]; then
         diffcmd="git diff $(echo $rev | tr ':' ' ')"
      else
         diffcmd="git diff origin"
      fi

      unset IFS

      # Get list of submodules
      submodules=$(git submodule | cut -c2-)

      if [ "$submodules" == "" ]; then
         changes=$(\
                  eval ${diffcmd} \
                  | grep '^+++' \
                  | grep -v '/dev/null$' \
                  | cut -d'/' -f2- \
                  | sort -u \
                  )
      else
         if [ "$deployed" == "true" ]; then
            changes="$($puppetroot/scripts/uberdiff.rb "${oldrev}")"
         elif [ -n "$rev" ]; then
            changes="$($puppetroot/scripts/uberdiff.rb \"$(echo $rev | tr ':' ' ')\")"
         else
            changes="$($puppetroot/scripts/uberdiff.rb HEAD)"
         fi
      fi
   ;;
   git-svn)
      if [ "$deployed" = "true" ]; then
         oldsvnrev=$(ssh $(echo $puppet_masters | cut -d' ' -f1) "sudo cat /etc/puppet/REVISION")
         oldrev=$(git svn find-rev r${oldsvnrev})
         diffcmd="git diff ${oldrev}"
      elif [ -n "$rev" ]; then
         for r in $rev; do
            gitrev="$gitrev $(git svn find-rev r${r})"
         done

         diffcmd="git diff $gitrev"
      else
         diffcmd="git diff git-svn"
      fi

      unset IFS
      changes=$(\
               eval ${diffcmd} \
               | grep '^+++' \
               | grep -v '/dev/null$' \
               | cut -d'/' -f2- \
               | sort -u \
               )
   ;;
   svn)
      svn up >/dev/null 2>&1

      if [ $? -ne 0 ]; then
         printf "Unspecified error when running svn up on your checkout!\n" >&2
         exit -1
      fi
      
      if [ "$deployed" == 'true' ]; then
         oldrev=$(ssh $(echo $puppet_masters | cut -d' ' -f1) "sudo cat /etc/puppet/REVISION")
         diffcmd="svn diff -r${oldrev}"
      elif [ -n "$rev" ]; then
         diffcmd="svn diff -r${rev}"
      else
         diffcmd="svn diff"
      fi

      unset IFS
      changes=$(\
               eval ${diffcmd} \
               | grep '^+++' \
               | cut -d' ' -f2- \
               | sed 's/[[:space:]]\+(working copy)//g' \
               | sort -u \
               )
   ;;
   *)
      printf "FATAL: Pigs have flown\n" >&2
      exit -42
   ;;
esac

# If no changes and not in force mode, end.
if [ -z "$changes" -a "$force" == "false" ]; then
    printf "No changes made.\n"
    rm -f $error_msg
    exit 0
fi

# If full force mode is on, set check_node_regex to true
check_node_regex="$fullforce"

# If full force is off, but there are node changes, set check_node_regex true
if echo $changes | grep -q 'manifests/nodes'; then
    check_node_regex=true
fi

# The syntax checks also check for hard tabs in Ruby, ERB, shell, and puppet
# code. It is fairly stupid and only uses file extensions to do this.
printf "Checking syntax on changes in working tree... "
for change in $changes; do
   case $change in
      *.erb)
         # Check ERB template syntax
         cat $change \
         | erb -P -x -T - \
         | ruby -cw 2> $error_msg > /dev/null

         if [ "$?" -ne 0 ]; then
            printf 'FAIL!\nERB Parse Failure:\n' >&2
            printf "$change: " >&2
            caterror $error_msg
            syntax_errors=$((syntax_errors + 1))
         fi

         if cat $change | grep -q ' '; then
            printf 'FAIL!\nHard tabs found in %s!\n' "$change" >&2
            syntax_errors=$((syntax_errors + 1))
         fi
      ;;
      *.pp)
         # Check puppet manifest syntax
          puppet parser validate --color=false --ignoreimport $change > $error_msg 2>&1

         if [ "$?" -ne 0 ]; then
            printf 'FAIL!\nPuppet Parse Failure:\n' >&2
            printf "$change: " >&2
            caterror $error_msg
            syntax_errors=$((syntax_errors + 1))
         fi

         if cat $change | grep -q ' '; then
            printf 'FAIL!\nHard tabs found in %s!\n' "$change" >&2
            syntax_errors=$((syntax_errors + 1))
         fi
      ;;
      *.rb)
         # Check Ruby template syntax
         cat $change \
         | ruby -cw > /dev/null

         if [ "$?" -ne 0 ]; then
            printf 'FAIL!\nRuby Parse Failure:\n' >&2
            printf "$change: " >&2
            caterror $error_msg
            syntax_errors=$((syntax_errors + 1))
         fi

         if cat $change | grep -q ' '; then
            printf 'FAIL!\nHard tabs found in %s!\n' "$change" >&2
            syntax_errors=$((syntax_errors + 1))
         fi
      ;;
      *.sh)
         # Shell scripts
         cat $change \
         | bash -n

         if [ "$?" -ne 0 ]; then
            printf 'FAIL!\nParse Failure:\n' >&2
            printf "$change: " >&2
            caterror $error_msg
            syntax_errors=$((syntax_errors + 1))
         fi

         if cat $change | grep -q ' '; then
            printf 'FAIL!\nHard tabs found in %s!\n' "$change" >&2
            syntax_errors=$((syntax_errors + 1))
         fi
      ;;
   esac

   rm -f $error_msg

   if [ "$syntax_errors" -ne 0 ]; then
      printf \
         '%s syntax or style errors found!\n' \
         "$syntax_errors" >&2
      exit 1
   fi
done
printf "SUCCESS!\n"

# Now let's check for duplicate defined classes
printf "Checking for duplicate class definitions... "
IFS=$'\n'
sorted_classlist=( $(find $puppetroot/$environment -type f -name '*.pp' -a ! -path $puppetroot/dist\* -exec egrep -h 'class[[:space:]]+([[:alnum:]]|[-_:])+[[:space:]]+(inherits[[:space:]]+([[:alnum:]]|[-_:])+|.*)*{' {} \; | sort) )
unset IFS

duplicate_classlist=$(\
   for ((i = 0; i < ${#sorted_classlist[*]}; i++)); do
      echo ${sorted_classlist[$i]}
   done | uniq -d | awk '{ print $2 }' \
)

if [ -n "$duplicate_classlist" ]; then
   printf "FAIL!\n\nIt appears that the following classes have duplicates:\n" >&2

   for ((i = 0; i < ${#duplicate_classlist[*]}; i++)); do
      printf "%s\n" "${duplicate_classlist[$i]}" >&2
   done

   printf \
"Please locate these files using "egrep -R 'class classname {' *" from the
root of the puppet checkout.\n"

   exit -1
fi

printf 'SUCCESS!\n'

# Check for duplicate node regexes if nodes files have changed, or full force
# mode is on.
if $check_node_regex; then
   printf "Checking for duplicate node regexes... "
   for master in $puppet_masters; do
      nodelist="$nodelist $(\
               ssh $master \"\
               sudo mysql -s \
                    -D puppet \
                    -h $master \
                    -e \"select name from hosts;\" \
               | cat \
               \")"
   done

   if [ -z "$nodelist" ]; then
      printf 'FAIL! Unspecified Error retrieving nodes from database!\n' >&2
      exit -1
   fi

   # Sort nodes to remove duplicates, which can happen if the databases are
   # not maintained.
   sorted_nodelist=$(echo $nodelist | sort -u)

   for node_manifest in $puppetroot/$environment/manifests/nodes*; do
      node_regex_list="$node_regex_list $(egrep -h '^node /' $node_manifest | cut -d'/' -f2)"
   done

   # This variable is so we can check how many total dupes there were
   global_duplicates=0
   for node in $sorted_nodelist; do
      matches=""
      matchcount=0
      for node_regex in $node_regex_list; do
         if [[ "$node" =~ $node_regex ]]; then
            matches="$matches $node_regex"
            matchcount=$((matchcount+1))
         fi
      done

      if [ $matchcount -gt 1 ]; then
         global_duplicates=$((global_duplicates+1))
         printf "WARNING: %s matches multiple regexes:\n" "$node" >&2
         for regex in $matches; do
            printf "%s\n" "$regex"
         done
      fi
   done

   if [ $global_duplicates -gt 0 ]; then
      printf "FAIL!\n%d duplicate node regexes found.\n" $global_duplicates >&2
      exit -2
   else
      printf "SUCCESS!\n"
   fi
fi

# Now we compile for compile-time errors

# Cat changes files and look for classes
printf 'Checking for compilation errors...\n'

# Get changes that are applicable (puppet manifest changes only)
pp_changes=$(\
            for change in $changes; do
               if [[ $change =~ .pp$ ]]; then
                  printf "%s " "$change"
               fi
            done
            )

if [ -z "${pp_changes}" ]; then
   printf "No puppet manifest changes to test for compilation errors, exiting!\n"
   exit 0
fi

classes=$(\
         cat $pp_changes \
         | egrep -v '^[[:space:]]+?#' \
         | egrep '^[[:space:]]+?class[[:space:]]+([[:alnum:]]|[-_:])+[[:space:]]+(inherits[[:space:]]+([[:alnum:]]|[-_:])+|.*)*({|\()' \
         | awk -F' ' '{ print $2 }' \
         )

# Should have at least one server for a non-specific compile test
servers="puppet.yoursite.com"

# Ensure fake ssldir is set up
sudo mkdir -p /var/lib/puppet-test-$USER
sudo rsync -r --delete $puppetroot/ssl/ /var/lib/puppet-test-$USER/ssl/
sudo chown -R $USER /var/lib/puppet-test-$USER

# Now we will find one host for each changed class to add to the list of
# servers for testing compiled catalogs.
for master in $puppet_masters; do
   # First we sync facts as they are needed for catalog compilation testing
   ssh ${master} "sudo mkdir /tmp/puppetyaml-$USER 2>/dev/null; sudo rsync -r /var/lib/puppet/yaml/ /tmp/puppetyaml-$USER/; sudo chmod -R 755 /tmp/puppetyaml-$USER"
   sudo -E rsync -r ${USER}@${master}:/tmp/puppetyaml-$USER/ /var/lib/puppet-test-$USER/yaml/
   ssh ${master} "sudo rm -rf /tmp/puppetyaml-$USER/*"

   for class in $classes; do
      # Get host id of a node that includes $class
      host_id=$(\
               ssh $master "\
               sudo mysql -s \
                     -D puppet \
                     -h $master \
                     -e \"select host_id from resources \
                        where title = '$class' \
                        and restype = 'class';\" \
               | cat \
               | head -1 \
               ")

      # Continue with next class if the host_id isn't valid (such as empty)
      if [[ $host_id =~ [[:digit:]]+ ]]; then
         :
      else
         continue
      fi

      # Get host_name from host_id
      host_name=$(\
                  ssh $master "\
                  sudo mysql -s \
                        -D puppet \
                        -e \"select name from hosts where id = '$host_id';\" \
                  | cat \
                 ")

      # If the server is already in the list to compile, don't add.
      if echo $servers | grep -q $host_name; then
         continue
      fi

      servers="$servers $host_name"
   done
done

sudo parallel -P 4 \
   "puppet master \
   --config_version='cd $HOME/working/git/puppet; git rev-parse HEAD' \
   --color=false \
   --no-daemonize \
   -l console \
   --confdir=$puppetroot \
   --manifest=$puppetroot/$environment/manifests/site.pp \
   --modulepath=$puppetroot/$environment/grumps-modules:$puppetroot/$environment/yoursite-modules \
   --ssldir=/var/lib/puppet-test-$USER/ssl \
   --vardir=/var/lib/puppet-test-$USER \
   --compile {} \
   | egrep \"^(err|notice|warning|Fail)\"" \
   ::: $servers \
| tee $compile_failure_log

if egrep -q '^(err|Fail)' "$compile_failure_log"; then
    printf 'Compilation errors, please fix.\n' >&2
    rm -f "$compile_failure_log"
    exit -1
else
    printf "Changed catalogs compiled successfully.\n"
    rm -f "$compile_failure_log"
    exit 0
fi

#vim: set expandtab ts=3 sw=3:

If you end up using Git submodules like I have outlined in my previous post, you will need the uberdiff.rb script:

#!/usr/bin/env ruby
# This is a script that takes a revision or revision range from a super-
# project, and spits out all the files under submodules that have changed.
# Note that this will not output removed files.

rev = ARGV[0]
submodules = [ ]

if Dir.pwd.split("/")[-1] != "puppet"
   STDERR.puts "You must run this script from the root of the super-project."
   exit -1
end

`git diff #{rev} --submodule='log' | egrep '^Submodule (staging|production)'`.each_line do |submodule|
   if submodule.split(" ")[2].gsub(/:$/, "") == "contains"
      next
   end

   submodules << {
      :modulename => submodule.split(" ")[1],
      :revrange   => submodule.split(" ")[2].gsub(/:$/, ""),
      :changes    => [ ]
   }
end

submodules.each do |submodule|
   submodule[:changes] = `git submodule --quiet foreach 'if [ $path == "#{submodule[:modulename]}" ]; then git diff --diff-filter=ACM --name-only #{submodule[:revrange]}; fi'`.split("\n")
   submodule[:changes].map! { |change| submodule[:modulename] + File::SEPARATOR + change }
end

submodules.each do |submodule|
   puts submodule[:changes]
end

#vim: set expandtab ts=3 sw=3:

A simple Puppet function to retrieve information from the Stored Config DB

2012-02-22T00:12:00-05:00

Often, in Puppet manifests you will find you need some arbitrary information about machines in your infrastructure. The stored configuration database, for all its blemishes, can be an easy way to achieve this.

Here is the function I wrote to do this:

require 'puppet/rails'
require 'puppet/rails/fact_value'

module Puppet::Parser::Functions
  newfunction(:getinfo,
  :type => :rvalue,
  :doc => "This is a function that will return an array of information based
  on what you ask for. For example this call:
  
    getinfo('Class', 'httpd', 'ec2_public_ipv4')
  
  will return a list of the ec2_public_ipv4 fact values for any node that has
  the resource Class['httpd']. If you leave off the third argument, fqdn will be
  assumed. Also note you can pass an environment to this function, but likely
  you won't need to because by default it will find the node's environment and
  use that. ") do |args|

    resource_type = args[0]
    resource_title  = args[1]
    return_info = args[2]
    environment = args[3]

    return_info ||= "fqdn"
    environment ||= lookupvar("::environment")

    raise Puppet::ParseError, ("getinfo(): wrong number of arguments (#{args.length}; must be >= 2)") if args.length < 2

    info = [ ]

    info = Puppet::Rails::FactValue.find_by_sql("
             SELECT fv.value from fact_values fv, fact_names fn, resources r, hosts h
             WHERE fn.name = '#{return_info}'
               AND h.environment = '#{environment}'
               AND h.id = r.host_id
               AND r.restype = '#{resource_type}'
               AND r.title = '#{resource_title}'
               AND fv.host_id = h.id
               AND fv.fact_name_id = fn.id;
           ")

    info.map! { |i| i.value }

    info
  end
end

Put this in a module and you can start using it in manifests:

   class {
      "firewall::iptables":
         ensure                              => $ensure,
         nodenets                            => getinfo('Class', 'httpd', 'ec2_public_ipv4'),
         open_tcp_ports                      => "22",
         restricted_to_node_nets_tcp_ports   => "5432";
   }

This will make the nodenets parameter to be an array of ec2 public IPs from any nodes that have the httpd class.

Here is an example of using it in an Apache load balancer config:

   
      Order allow,deny
      Allow from 127.0.0.1
<% scope.function_getinfo('Class', 'moodle', 'ipaddress').each do |ip| -%>
      Allow from <%= ip %>
<% end -%>
      Satisfy Any
   

The third parameter makes it so you can get any arbitrary information. You could for instance compile more complex configuration files that use hostname and something like architecture. This would take two calls to getinfo(), but I think you get the picture. Eventually I think I’d like to take an array of resources and write a query builder method to keep the amount of SQL queries to a minimum. For now this is working fine for me to solve some real problems.

Puppet with Git Submodules for Fun and Profit

2012-02-21T22:05:00-05:00

Git submodules are somewhat of an ‘advanced’ git feature, akin to Subversion externals for those of us unlucky enough to have the pleasure of knowing svn. The most common usage is pulling in third party libraries to your project. You can think of git submodules as git checkouts within checkouts. The ‘parent’ checkout or ‘super-project’ as I call it, knows that there are submodules, and knows which SHA each submodule is at. Since most of my work as both a Systems Engineer at $dayjob and a general IT consultant part-time, I needed to use submodules slightly differently than the most common use-case.

During some time off during 2011 from having a dayjob, I developed a lot of Puppet code that used what was at the time new features like Parameterized classes, hashes, etc. I also pretty painstakingly made sure the code would work on OpenBSD, Debian, Ubuntu, Red Hat, and CentOS. The plan was to keep this code private and charge people for the service of supporting this set of modules and develop new ones etc. So, I needed a way to let people pull this code into their Puppet repo and use it. Submodules are the only easy way to do this. This code, along with some scripts to set up an environment utilizing this code was what I called the GRand Unified Modular Puppet System (GRUMPS).

First, not to go too far off track, but if you are pulling puppet modules on the net, you should already be aware of git submodules. If you are down loading modules then just copying them into your setup you’re doing it wrong. Puppet code is code. You need to treat improvements to public modules the same way you treat any open-source project. You have your own local branch, submit fixes to upstream etc.

Now let’s talk about Puppet environments. You should at the very least have two environments. The name of the one that isn’t production probably doesn’t matter much, but we’ll call this staging, since that’s what I use in the code snippets later on. Many people will make these git checkouts under /etc/puppet that they run git pull on to update. This is an atrocious update mechanism, and a poor development layout.

Instead, what I’ve done is to make each sub-directory of each Puppet env correspond to specific branches in various sub-modules. Example:

Module Layout

                          _ grumps-modules => git@github.com://thesilentpenguin/grumps-modules  | master
                         /  dayjob-modules => git@github.com://dayjob/dayjob-modules            | master
/etc/puppet/production ->   manifests      => ssh://git.yoursite.com/dayjob-manifests           | master
                         \_ extdata        => ssh://git.yoursite.com/dayjob-extdata             | master

                          _ grumps-modules => git@github.com://thesilentpenguin/grumps-modules  | develop
                         /  dayjob-modules => git@github.com://dayjob/dayjob-modules            | develop
/etc/puppet/staging    ->   manifests      => ssh://git.yoursite.com/dayjob-manifests           | develop
                         \_ extdata        => ssh://git.yoursite.com/dayjob-extdata             | develop

“Develop” was a pre-existing convention I had for branch naming, but that’s really irrelevant, make it what you want. Now this shows I have 8 submodules for my two environments. I actually have one more for the SSL dir, but that is off-topic really. Some of the code samples may reference develop or master.

To get all this setup you will need to run git submodule add from the root of your checkout for each submodule, and you will also need to run git submodule init, which adds the added submodules to the .gitmodules file. Totally not confusing :-).

The 1000-foot view of the workflow after setup is complete:

Team members committing like it’s April 29 1992 on develop
Everybody’s seeing each other’s work, reviews it
Merge every sub-module’s develop branch to merge
Update super-project
Push and Deploy

Another, more common workflow for me is:

Committing like fire on develop
Reviewing work
Some guy runs up to your desk and needs XXX fixed in production
O NO! you have about 20 commits that can’t go to prod
Relax, we use modern version control, Cherry pick change(s)
Update super-project
Push and Deploy

You’re thinking “this is just a bunch of overhead”. Well yea if I didn’t script all this monotony away from me I would say the same thing. But one thing I’ve learned from heavy git sub-module usage, is that if you don’t script all these things, you will forget a step and break something. You’re also constantly repeating yourself, since you always require N+1 changes for N changes (you must update the git super-project, which updates the SHA’s found in .gitmodules).

So, here is the script for committing a single change, which may be across several submodules. Please note that I have had to on one system change the git-submodule script that comes with git to use bash in the shebang. This is because I use shell regex in the foreach commands, often:

#!/usr/bin/env bash
# This is a silly QnD that lets you develop in the staging sub modules, then
# run this to go into each one to commit and push. Saves you some keystrokes.
# Force needs to be used sometimes to really push things. What force does is
# just change the command chain to use ; instead of &&.

export COMMIT_MESSAGE="$1"

if [ -z "$COMMIT_MESSAGE" ]; then
   printf "You must enter a commit message as the only argument to this script!\n" >&2
   exit -1
fi

if [ "$2" == "force" ]; then
   printf "Forcing the operation...\n"
   git submodule foreach 'if [[ $path =~ ^staging.* ]]; then git checkout develop; git add .; git commit -am "$COMMIT_MESSAGE"; git push -u origin develop; fi'
else
   git submodule foreach 'if [[ $path =~ ^staging.* ]]; then git checkout develop && git add . && git commit -am "$COMMIT_MESSAGE" && git push -u origin develop; fi'
fi

git commit -am "Updated submodules: $COMMIT_MESSAGE"
git push

#vim: set expandtab ts=3 sw=3:

So, this needs to be run from the root of the checkout. My convention for all code checkouts is $HOME/working/$vcs/$project, so I do:

[~/working/git/puppet]> vim staging/grumps-modules/common/manifests/debuntu.pp
[~/working/git/puppet]> vim staging/manifests/node_templates.pp
[~/working/git/puppet]> scripts/stagcom.sh "Wrote debuntu class for Debian and Ubuntu machines, made sure basenode includes it"
[~/working/git/puppet]> cap deploy

This is all I need to do to get commits in staging out to the master. The snippet which shows the capistrano stuff I will show last. Promotion is as easy as:

[~/working/git/puppet]> scripts/promote.sh
[~/working/git/puppet]> cap deploy

Or to promote a single commit:

[~/working/git/puppet]> scripts/promote.sh -c 73acef8 -m grumps-modules
[~/working/git/puppet]> cap deploy

Now let’s talk about promotion of changes. This is somewhat dependent on your CR process (if you have one), but here is the script I use for full-env pro motion as well as cherry-pick promotions:

#!/usr/bin/env bash
# == Synopsis
# This is a small script that will promote the develop branches in each git
# submodule in the Puppet staging environment to master, then then pull in
# the changes to the production environment. Note that you can promote single
# commits by using the cherry-pick (-c) functionality. If you use cherry pick
# you must pass a modulename, ie 'grumps-modules' or 'manifests', with the -m
# switch
#
# == Usage
# See usage() function below
#
# == Notes
# This script does serious changes and pushes to master. Don't run it all
# willy nilly.
#
# == Authors
# Joe McDonagh 
#
# == Copyright
# 2012 The Silent Penguin LLC
#
# == License
# Licensed under The Silent Penguin Proprietary License
#

puppetroot="$HOME/working/git/puppet"

# Useful helper function, shorthand for cat'ing files that have error output
function caterror() {
   cat "$1" >&2
}

# Like caterror, shorthand for sending strings to stderr
function perror() {
   printf "%s\n" "$1" >&2
}

# Print a fatal error and exit with exit code $2
function die() {
   perror "$1"
   exit $2
}

# This will go through all submodules and run the appropriate git log command
# to show what commits master needs to be on track with develop.
function list_pending_commits() {
   pushd $puppetroot >/dev/null 2>&1
   git submodule --quiet foreach 'if [[ $path =~ ^production.* ]]; then printf "%s:\n" "$(basename $name)"; changes=$(git log master..develop); if [ -z "$changes" ]; then printf "No pending commits.\n"; else printf "%s\n" "$changes"; fi; fi'
   popd $puppetroot >/dev/null 2>&1
}

# Use this function to print out usage information, and exit with code of $2.
# This is useful to exit with a non-zero code due to an error in argument
# processing.
function usage() {
   printf "Usage:\n"
   printf "   %s  [-c commit -m modulename] [-h]\n" "$(basename $0)"
   printf "   -l  List all commits that master needs in all submodules. Make sure\n"
   printf "       your checkout is up to date if you run this, otherwise results may\n"
   printf "       be inaccurate.\n"
   printf "   -c  Cherry pick the commit given as the argument to this switch\n"
   printf "   -f  Force mode- this will bypass the prompt when promoting all of staging\n"
   printf "   -h  Print this message\n"
   printf "   -m  This is required if you use -c; it is the submodule directory name\n"
   printf "   -M  This overrides the default commit message with whatever you specify\n"
   printf "\n"
   printf "Example:\n"
   printf "   %s -c d4cb267 -m manifests\n\n" "$(basename $0)"
   printf "This will cherry-pick commit d4cb267 from the manifests submodule.\n"
   printf "\n"
   printf "Passing no arguments to this script will promote the entire staging env to\n"
   printf "production.\n"

   exit $1
}

while getopts c:lfm:M:h option; do
   case "$option" in
      c)
         export COMMIT="$OPTARG"
      ;;
      f)
         force="true"
      ;;
      h)
         usage 0
      ;;
      l)
         list_pending_commits
         exit 0
      ;;
      m)
         export MODULE="$OPTARG"
      ;;
      M)
         export MESSAGE="$OPTARG"
      ;;
      *)
         perror "Passing bad arguments"
         usage -1
   esac
done

if [ -n "$MODULE" -a -z "$COMMIT" ]; then
   perror "You passed -m but did not pass -c, you need both."
   usage -10
fi

if [ -z "$MODULE" -a -n "$COMMIT" ]; then
   perror "You passed -c but did not pass -m, you need both."
   usage -20
fi

if [ ! -e "production/$MODULE" ]; then
   die "The module $MODULE does not exist!"
fi

# Verify whether or not commit given actually exists in develop branch
if [ -n "$COMMIT" ]; then
   pushd staging/$MODULE >/dev/null 2>&1

   if git branch --contains "$COMMIT" 2>/dev/null | grep -q develop; then
      commit_exists="true"
   else
      commit_exists="false"
   fi

   popd >/dev/null 2>&1

   if [ "$commit_exists" == "false" ]; then
      die "It appears commit $COMMIT does not exist in the develop branch of module $MODULE!"
   fi
fi

# Force mode in case the script is being used in a batch fashion.
if [ "$force" != "true" -a -z "$COMMIT" ]; then
   read -p "Are you sure you want to promote the entire staging environment? (y/N) " answer

   if [ "$answer" != "y" -a "$answer" != "Y" ]; then
      die "Did not confirm full promotion, exiting." -5
   fi
fi

# Set commit message, dependent on whether message is passed and if cherry
# picking or promoting the whole environment.
if [ -z "$MESSAGE" -a -n "$COMMIT" ]; then
   MESSAGE="Promote commit $COMMIT in submodule $MODULE from staging to production"
fi

if [ -z "$MESSAGE" -a -z "$COMMIT" ]; then
   MESSAGE="Promote all of staging to production."
fi

# Change dir into puppetroot with pushd so we can keep track of where we were
pushd $puppetroot >/dev/null 2>&1

# Make sure everything is up to date.
scripts/updatecheckout.sh

# Do the actual merging or cherry-picking into production and push
if [ -z "$COMMIT" ]; then
   git submodule foreach --quiet 'if [[ $path =~ ^production.* ]]; then git checkout develop && git pull && git checkout master && git merge develop && git push; fi'
else
   git submodule foreach --quiet 'if [ "$name" == "production/$MODULE" ]; then git checkout develop && git pull && git checkout master && git cherry-pick $COMMIT && git push; fi'
fi

git commit -am "$MESSAGE"
git push

popd >/dev/null 2>&1
#vim: set expandtab ts=3 sw=3:

One major point I want to drive home is that your commits in git should fix the smallest error or add the smallest feature as possible. This is just a version control best practice, and makes cherry picking possible. If you’re doing giant commits that change a million things, cherry pick promotions aren’t going to work for you.

You may have noticed that I call a script named updatecheckout.sh above. This is the script for updating all the submodules because it’s a serious PITA to do anything with sub-modules that isn’t scripted. That includes just keeping your checkout up to date and on the proper branches:

#!/usr/bin/env bash
# == Synopsis
# This is a small script that will update your whole checkout.
#
# == Usage
# See usage() function below.
#
# == Notes
# Don't eat the yellow snow.
#
# == Authors
# Joe McDonagh 
#
# == Copyright
# 2012 The Silent Penguin LLC
#
# == License
# Licensed under The Silent Penguin Proprietary License
#

puppetroot="$HOME/working/git/puppet"

# Useful helper function, shorthand for cat'ing files that have error output
function caterror() {
   cat "$1" >&2
}

# Like caterror, shorthand for sending strings to stderr
function perror() {
   printf "%s\n" "$1" >&2
}

# Print a fatal error and exit with exit code $2
function die() {
   perror "$1"
   exit $2
}

# Change dir into puppetroot with pushd so we can keep track of where we were
pushd $puppetroot >/dev/null 2>&1

# Make sure everything is up to date.
git pull --all
git submodule update --merge
git submodule foreach --quiet 'if [[ $path =~ ^staging.* ]]; then git checkout develop && git pull; fi'
git submodule foreach --quiet 'if [[ $path =~ ^production.* ]]; then git checkout master && git pull && git checkout develop && git pull && git checkout master; fi'

popd >/dev/null 2>&1
#vim: set expandtab ts=3 sw=3:

Last but not least, you’ll need some capistrano action. I use capistrano to deploy, with the railsless-deploy.rb floating around the net. I have one small modification to the railsless-deploy.rb which will ensure that the submodules are on the proper branch in the cached-checkout:

  # Override deploy! to do some submodule branch stuff
  module Capistrano
    module Deploy
      module Strategy
        class RemoteCache < Remote
          def deploy!
            update_repository_cache

            # This will make sure the proper branches are used in the submodules
            logger.info "Ensuring staging sub-modules are using proper develop branches..."

            devmodules = capture("ls -d #{shared_path}/cached-copy/staging/*")
            devmodules = devmodules.split("\n")
            devmodules.each do |devmod|
              run "cd  #{devmod}; git checkout develop; git pull; cd -"
            end

            logger.info "Ensuring production sub-modules are using proper master branches..."

            prodmodules = capture("ls -d #{shared_path}/cached-copy/production/*")
            prodmodules = prodmodules.split("\n")
            prodmodules.each do |prodmod|
              run "cd #{prodmod}; git checkout master; git pull; cd -"
            end

            copy_repository_cache
          end
        end
      end
    end
  end

This is done for posterity and to avoid confusion. If you are familiar with git submodules you know they are typically in a detached state. This means they are not on any branch in particular. The super-project simply knows what SHA a given submodule is at. That SHA may correspond to the tip of a branch, but git submodule isn’t really aware of that. So, the enable submodule var of Capistrano should be enough, but I like to make sure the cached-checkout is an exact mirror of what Puppet developers have locally. You also don’t want to ever be developing in a detached state cause you want your commits to stay on the proper branch. In fact you probably get an error when trying to commit in a detached state. Haven’t had to deal with those little mistakes since I wrote this set of scripts. Here is the actual deploy.rb:

# Configuration Variables
set :admin_group,             "webops"
set :admin_group_gid,         "1337"
set :app_user,                "puppet"
set :application,             "puppet"
set :copy_exclude,            [ ".git" ]
set :deploy_lockfile,         "/tmp/puppet_being_deployed"
set :deploy_to,               "/usr/local/puppet"
set :deploy_via,              "remote_cache"
set :git_enable_submodules,   1
set :keep_releases,           5
set :local_checkout,          "#{ENV['HOME']}/working/git/puppet"
set :notification_email,      "webops@yourorg.com"
set :repository,              "ssh://git@github.com/yourorg/puppet"
set :scm,                     "git"
set :storeconfig_password,    "oFzx.218.jkshfkh82."
set :use_sudo,                "true"
set :use_storeconfigs,        "true"

# SSH Config Variables
ssh_options[:forward_agent] = true

# Role for deployment
role :puppet_masters,
   "puppet.yourorg.com"

# Task to run after everything is done. This runs every time.
task :afterparty do
   run "if [ ! -d /etc/#{application} ]; then sudo -u root mkdir /etc/#{application}; fi"
   run "sudo -u root rsync --exclude='tagmail.conf' --delete -cvrP --no-o --no-g --no-p #{deploy_to}/current/ /etc/#{application}/"
   run "sudo -u root chown -R root:#{app_user} /etc/#{application}; sudo -u root find /etc/#{application} -type d -name 'lib' -prune -o -type d -exec chmod 750 {} \\; && sudo chmod -R g+r /etc/#{application}"
   run "sudo -u root find /etc/#{application} -type d -name 'lib/*' -exec chmod -R 755 {} \\;"
   run "sudo -u root chmod -R g+w #{deploy_to}/shared/cached-copy"
   run "sudo -u root /etc/init.d/apache2 restart"
end

# Generate puppet docs
task :gendocs, :on_error => :continue do
   run "sudo rm -rf /var/www/puppetdocs/staging /var/www/puppetdocs/production"
   run "sudo /usr/bin/puppet doc -a -m rdoc --outputdir /var/www/puppetdocs/staging/ --manifestdir /etc/puppet/staging/manifests --modulepath '/etc/puppet/staging/grumps-modules:/etc/puppet/staging/yourorg-modules'"
   run "sudo /usr/bin/puppet doc -a -m rdoc --outputdir /var/www/puppetdocs/production/ --manifestdir /etc/puppet/production/manifests --modulepath '/etc/puppet/production/grumps-modules:/etc/puppet/production/yourorg-modules'"
end

# This task won't do much to repair a broken git repo
task :fix_deploys, :on_error => :continue do
   logger.info "Make cached check out group-writeable by #{admin_group}..."
   run "sudo -u root chgrp -R #{admin_group} #{deploy_to}/shared/cached-copy"
   run "sudo -u root chmod -R g+w #{deploy_to}/shared/cached-copy"
   logger.info "Get repo to pristine state..."
   run "git checkout #{deploy_to}/shared/cached-copy"
   logger.info "Force permission fixes..."
   run "sudo -u root find #{deploy_to}/shared/cached-copy -type d -exec chmod 2770 {} \\;"
   run "sudo -u root find #{deploy_to}/shared/cached-copy -type f -exec chmod 660 {} \\;"
   logger.info "Unlocking deploys..."
   run "sudo -u root rm -f #{deploy_lockfile}"
end

task :notify do
   require 'etc'
   require 'rubygems'
   require 'action_mailer'

   ActionMailer::Base.delivery_method = :sendmail
   ActionMailer::Base.sendmail_settings = {
      :location   => '/usr/sbin/sendmail',
      :arguments  => '-i -t'
   }

   class NotificationMailer < ActionMailer::Base
      def deployment(application, message, notification_email)
         mail(
            :from    => "#{Etc.getpwnam(ENV['USER']).gecos} <#{ENV['USER']}@yourorg.com>",
            :to      => notification_email,
            :subject => "Puppet Deployment - #{Time.now.to_s}",
            :body    => message
         )
      end
   end

   message = "This is a notification of deployment of a Puppet update.\n\n"
   message << "Deployed at: #{Time.now.to_s}\n"
   message << "Revision: #{real_revision}\n\n"

   # if the revision has not changed then don't look for logs, also if #SEC
   # is in the commit message, a full diff is not displayed for security
   # reasons.
   begin
      if previous_revision != real_revision
         message << "SCM Revisions Deployed\n"
         gitlog = `#{source.local.log(latest_revision, real_revision)} -v --oneline`
         if gitlog.include? '#SEC'
            message << gitlog
         else
            message << `#{source.local.log(latest_revision, real_revision)} --submodule=log -v --patch-with-stat`
         end
      end
   rescue
      message << "SCM Revisions Deployed\n"
      message << 'Previous revision not available'
   end

   mail = NotificationMailer.deployment(application, message, notification_email)
   mail.deliver
end

# Task that cats out what revision is deployed
task :getrev do
   run "sudo -u root cat /etc/puppet/REVISION"
end

# Task to add a lock file and bail deploys with a message if one exists
task :lock_deploys do
   require 'etc'

   logger.info "Locking deploys..."

   if ENV.has_key?('lock_reason')
      lock_reason = ENV['lock_reason']
   else
      lock_reason = "Deployment"
   end

   data = capture("cat #{deploy_lockfile} 2>/dev/null; echo").to_s.strip

   if !data.empty?
      logger.info "\e[0;31;1mATTENTION:\e[0m #{data}"
      abort "Deploys are locked."
   end

   timestamp = Time.now.strftime("%m/%d/%Y %H:%M:%S %Z")
   lock_message = "Deploys locked by #{Etc.getpwnam(ENV['USER']).gecos} (#{ENV['USER']}) at #{timestamp} for #{lock_reason}"
   put lock_message, "#{deploy_lockfile}", :mode => 0644
end

task :unlock_deploys do
   logger.info "Unlocking deploys..."
   run "rm -f #{deploy_lockfile}"
end

# Before and After hooks
after "deploy:symlink", :afterparty
after "deploy:rollback", :afterparty
before "deploy", "deploy:cleanup"
before "deploy:cleanup", :lock_deploys
after "deploy", :notify
before "notify", :unlock_deploys
after "notify", :gendocs

#vim: set expandtab ts=3 sw=3:

I take no responsibility whatsoever for how you use these scripts. This is mostly just a demonstration of a workflow that works for me, and keeps everything clearly separated. I might be able to help people who try to do this, or I might not (unless you are a paying customer).