<!-- .slide: data-background="https://codimd.web.cern.ch/uploads/upload_a9c18f7ad59595f341ebbd8e22f5bed2.jpeg"; data-background-opacity=".3" -->
## Core Compute Services
#### Config management
###### Giacomo Tenaglia - CSC on IT Services - 2024-11-08
---
## IaC
###### Infrastructure as Code
![](https://codimd.web.cern.ch/uploads/upload_6f63e1be362d93211cdc7ed68a87bd5a.png)<!-- .element style="border: 0; box-shadow: none; height: 100%; width: 100%;" -->
---
## CERN Config Management Services
###### "Agile Infrastructure"
* Early 2000s: home-grown toolset
* 2012: the "AI" project
* Puppet & Foreman
* Openstack
* Centralised logging & monitoring
---
## CERN Config Management Services
* Sources of Truth :tm:
* HR databases -> e-groups -> Active Directory -> LDAP
* LanDB (including CERN perimeter Firewall)
* CERN Certificate Authority
* Windows/Linux "blessed" configs
* ...
* Config Services:
* Configure Windows/Linux virtual/physical servers
* Wrap around all of the above
* Leverage Openstack
* Provide IaC
---
## Technology stack
* <img src="https://codimd.web.cern.ch/uploads/upload_f5a3d9190288d230b1760b2a660b66dd.png" width="30" style="border: 0;"> Puppet (open-source, mostly single-company):
* Centralised configuration management system
* Based on Ruby
* Client/server architecture
* <img src="https://codimd.web.cern.ch/uploads/upload_bc965da014a9bcae40682b3851be1bcc.png" width="30" style="border: 0;"> Foreman:
* Inventory/classifier
* <img src="https://codimd.web.cern.ch/uploads/upload_15ce28fc52315f7fb62eaa21d1a5e537.png" width="30" style="border: 0;"> Gitlab:
* Configuration repositories
---
## Classifying nodes
###### Foreman & hostgroups
![](https://codimd.web.cern.ch/uploads/upload_333014eefff240afe7eb214b5887f254.png)<!-- .element style="border: 0; box-shadow: none; height: 100%; width: 100%;" -->
---
## Classifying nodes
###### Foreman & hostgroups
* Foreman: https://judy.cern.ch
* Hostgroups: Gitlab repos
---
## The Puppet Agent
![](https://codimd.web.cern.ch/uploads/upload_fc9add4581ea2e8d7428b266226a5a9a.png)<!-- .element style="border: 0; box-shadow: none; height: 100%; width: 100%;" -->
---
## Managing change
###### Gitlab & environments
* `aiadm`: "management/reference service"
* Environments:
* "Pointer" to feature branches
* Allow separated testing of config changes
* Homegrown ['Puppet librarian service'](https://github.com/cernops/jens)
---
## Managing change
###### Your nodes only
* `csc-config-{1..6}.cern.ch`
* `playground/csc`
```
# On aiadm: clone the hostgroup repo and work on your own feature branch
ssh aiadm.cern.ch
git clone https://:@gitlab.cern.ch:8443/ai/it-puppet-hostgroup-playground.git
git checkout csc_X            # X = your node number; branch csc_X is the csc_X environment
...                           # edit, commit
git push                      # the environment now points at your pushed branch
# On your node: run the agent once, in the foreground, against that environment
ssh root@csc-config-X.cern.ch
puppet agent -tv              # -t: one-shot test run with detailed exit codes; -v: verbose
```
---
## Configuring services
###### Modules
* Goal: do not reinvent the wheel
* https://gitlab.cern.ch/ai/it-puppet-module-training/
```
include training
```
---
## Separating data
###### Hiera
* Store the configuration data in key-value pairs
* Look up needed data during catalog compilation
* HIERArchic structure: https://gitlab.cern.ch/ai/it-puppet-hostgroup-punch
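Added example covering the two slides above (Modules and Hiera); it is not code from the page, from `it-puppet-module-training` or from the `punch` hostgroup. The module name `training`, the hostgroup class name `hg_playground::csc`, the file paths, the Hiera keys and all values are assumptions for illustration. The manifest holds no environment-specific values: every setting is a class parameter resolved by Puppet's automatic parameter lookup, so the same code serves every hostgroup and environment while the data is swapped underneath it.

```puppet
# training/manifests/init.pp (assumed path; hypothetical module)
#
# Each parameter is bound by automatic parameter lookup from the Hiera key
# training::<parameter>. The defaults below apply only when no level of the
# hierarchy defines the key, which keeps the "safe" value in one place.
class training (
  Integer[1, 65535]        $listen_port     = 8080,
  Enum['tls1.2', 'tls1.3'] $min_tls         = 'tls1.2',
  Array[String]            $allow_from      = ['127.0.0.1'],
  Boolean                  $service_enabled = true,
) {
  # Data that is not a class parameter can still be fetched explicitly.
  # Without a default, lookup() aborts catalog compilation if the key is
  # missing, which is the right failure mode for a value that must never
  # be guessed (assumed key; placeholder address).
  $admin_contact = lookup('training::admin_contact', String, 'first',
    'training-admins@example.invalid')

  file { '/etc/training':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # The config file is rendered purely from data. Mode 0640: it may list
  # internal hosts, so it is not world-readable.
  file { '/etc/training/training.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => @("CONF"),
      # managed by puppet (module training); local edits are overwritten
      listen_port = ${listen_port}
      min_tls     = ${min_tls}
      allow_from  = ${join($allow_from, ',')}
      admin       = ${admin_contact}
      | CONF
  }

  # Restart only when the rendered config actually changed (hypothetical unit).
  service { 'training':
    ensure    => $service_enabled ? { true => 'running', default => 'stopped' },
    enable    => $service_enabled,
    subscribe => File['/etc/training/training.conf'],
  }
}

# Hostgroup manifest, e.g. it-puppet-hostgroup-playground/code/manifests/csc.pp
# (assumed path and class name). A hostgroup class composes modules; it
# does not carry values itself.
class hg_playground::csc {
  include training
}

# Matching Hiera data, shown as a comment so this stays a single manifest
# (assumed file name and keys; one level of the hostgroup hierarchy):
#   data/hostgroup/playground/csc.yaml
#     training::listen_port: 8443
#     training::min_tls: 'tls1.3'
#     training::allow_from: ['10.0.0.0/8']
#     training::admin_contact: 'training-admins@example.invalid'

# On a real node Foreman's classifier assigns the hostgroup class; for a
# stand-alone `puppet apply` declare it here.
include hg_playground::csc
```

Try it with `puppet apply --noop training.pp` (Puppet 5.5 or later for the built-in `join`): with no Hiera data present the parameter defaults are used; under the hostgroup the YAML above overrides them without touching the manifest. Keep secrets out of this data entirely; that is what `teigi` or Vault are for.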
---
## Centralised change control
###### CERN-wide QA process
![](https://codimd.web.cern.ch/uploads/upload_6bdc3946d59dc22f9bc6829b30f1bcb6.png)<!-- .element style="border: 0; box-shadow: none; height: 100%; width: 100%;" -->
---
## Extras
###### Secrets, certificates, alarms etc
* Secrets management: `teigi` vs Vault
* Certificates: `certmgr`
* Alarms & server state: `roger` (MONIT)
---
## Wrapping up
---
```
+------------------+---------------------------------------------------------------+
| Hostname: | csc-config-1.cern.ch |
| Hardware: | virtual, 1 cores, 1.56 GiB memory, - swap, 1 disks |
| Hostgroup: | playground |
| Comment: | This is for short-term playing and testing. Machines in here |
| | should have no expectation of being stable and may be deleted |
| | without warning. |
| Environment: | csc_1 |
| Responsible: | tcsc-it-services-2024-students@cern.ch |
| Main user: | tcsc-it-services-2024-students@cern.ch |
| FE Responsible: | Ignore |
| OS: | RedHat 9.4 x86_64 (5.14.0-427.42.1.el9_4.x86_64) |
| Project: | CSC IT Services |
| Flavour: | m2.small |
| Avail zone: | cern-geneva-a |
| LANDBsets: | - |
| LB aliases: | - |
| CNAME aliases: | - |
| IPv4: | 188.184.84.135 (GPN) (S513-A-VM75) |
| IPv6: | 2001:1458:201:e3::100:166 (GPN) (S513-A-VM75) |
| App state: | build |
| Alarm mask: | Hardware(N) OS(N) App(N) NoContact(N) |
| | |
| Last Puppet run: | 10 minutes ago |
+------------------+---------------------------------------------------------------+
```
---
## To know more
* https://cern.ch/config
* Self-service [config training](https://configtraining.web.cern.ch/configtraining)
* [it-dep/~Puppet Mattermost](https://mattermost.web.cern.ch/it-dep/channels/puppet)
* https://gitlab.cern.ch/ai/
* `aiadm:/mnt/puppetnfsdir/environments/production/`
{"title":"Core Compute Services - Config mgmt","date":"2024-11-08T00:00:00.000Z","tags":"presentation, CSC","slideOptions":{"transition":"slide","theme":"cern6"},"slideNumber":true}