Authors: Jeffrey McCune James Turnbull
Pro Puppet (21 page)
Now that the operator has his or her own branch, we’re ready to make a change. We’re going to add two lines using two commits to illustrate the history tracking features of a version control system.
First, add the groups who should have access to the machine. To start, only thewheelgroup should be allowed to log in, so add the following lines to thesshd_configtemplate:
operator:~/modules $ git diff
diff --git a/ssh/files/sshd_config b/ssh/files/sshd_config
index 7d7f4b4..1fd84e5 100644
--- a/ssh/files/sshd_config
+++ b/ssh/files/sshd_config
@@ -3,4 +3,5 @@ Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication yes
+AllowGroups wheel adm
UsePAM yes
As you can see, we’ve added a single line to the file~/modules/ssh/files/sshd_configin the personal clone of the repository in the operator’s home directory. We must commit and push this change into the central repository, but we haven’t tested it yet so we should be careful and not merge the branch we’re working on,operator/ssh, into themasterbranch yet.
operator:~/modules $ git commit -a -m 'Added AllowGroups to sshd_config'
Created commit eea4fbb: Added AllowGroups to sshd_config
1 files changed, 1 insertions(+), 0 deletions(-)
operator:~/modules $ git push origin operator/ssh:operator/ssh
Counting objects: 9, done.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 454 bytes, done.
Total 5 (delta 2), reused 0 (delta 0)
To [email protected]:git/modules.git
* [new branch] operator/ssh -> operator/ssh
Thegit pushcommand the operator used creates a new branch in the central repository with the same name as the topic branch the operator is working on in his or her home directory. This is important to prevent untested changes from making their way into the master branch. Once we’ve pushed the new branch to the central repository, we should test the new branch in the development environment.
Note
There is no limit to the number of environments you can configure on the central Puppet master. Many large teams find it beneficial to create per-contributor environments in addition to the standard development, testing and production environments. Per-contributor environments allow each person to test their own branches without interfering with the development environments of other individuals.
puppet:~ $ cd /etc/puppet/environments/development/modules
puppet:modules $ git fetch origin
remote: Counting objects: 14, done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 10 (delta 4), reused 0 (delta 0remote: )
Unpacking objects: 100% (10/10), done.
From [email protected]:git/modules
d69bc30..fa9812f master -> origin/master
* [new branch] operator/ssh -> origin/operator/ssh
puppet:modules $ git checkout -b operator/ssh origin/operator/ssh
Branch operator/ssh set up to track remote branch refs/remotes/origin/operator/ssh.
Switched to a new branch "operator/ssh"
Now that we’ve switched to our new topic branch in the development environment, we’re able to test the Puppet agent against the development environment.
puppet:~ $ puppet agent --test --environment development --noop
info: Caching catalog for scd.puppetlabs.vm
info: Applying configuration version '1289751259'
--- /etc/ssh/sshd_config 2010-11-14 08:16:45.000000000 -0800
+++ /tmp/puppet-file.13997.0 2010-11-14 08:16:57.000000000 -0800
@@ -3,4 +3,5 @@
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication yes
+AllowGroups wheel adm
UsePAM yes
notice: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]/content: is
{md5}9d4c3fba3434a46528b41a49b70b60e4, should be {md5}da54f2cdc309faf6d813a080783a31f6 (noop)
info: /Stage[main]/Ssh::Config/File[/etc/ssh/sshd_config]: Scheduling refresh of Service[sshd]
notice: /Stage[main]/Ssh::Service/Service[sshd]: Would have triggered 'refresh' from 1 events
notice: Finished catalog run in 0.39 seconds
Notice that this Puppet agent run is running innoopmode, and that the agent tells us it would have changed/etc/ssh/sshd_configby inserting the line we just committed to the branchoperator/sshand checked out in the development environment’s repository on the Puppet master.
You’re able to verify that the production environment remains unchanged, just like we did in the “Making Changes to the Development Environment” section when we updated the Postfix configuration file. Simply remove the environment command line option to cause the agent to execute in the default production environment again:
puppet:~ $ puppet agent --test --noop
info: Caching catalog for scd.puppetlabs.vm
info: Applying configuration version '1289752071'
notice: Finished catalog run in 0.33 seconds
While the system operator is working on the change to thesshd_configfile, the developer in our hypothetical company is working on a change to the Postfix configuration file. Just like the operator, he’ll need a personal copy of the central repository we set up at[email protected]:git/modules.gitin his home directory.
Once the developer has cloned his personal copy of the central repository, he’s able to make his change to the Postfix configuration file. He’ll also use a branch to track his changes and make it easy to merge into the testing branch for use in the testing environment. Finally, after testing, he’ll use the tag feature of the version control system to cut a new release of the configuration used in production, then check out this tag in the repository used by the production Puppet environment.
To start, the developer creates his topic branch from the development branch namedmaster. Note that the changes his teammate, the operator, has made have not yet been merged into the master branch, so the developer does not have them. We cover the process of merging multiple changes together when we merge both of these changes into the testing branch in the next section.
developer:~ $ cd ~/modules
developer:~/modules $ git checkout -b developer/postfix master
Switched to a new branch "developer/postfix"
Now that the developer has his own topic branch, he’s free to change the code without impacting the work of anyone else on the team. His changes can be discarded or merged at a later point in time. Let’s look at his changes to the Postfix configuration file and how he committed them into the version control system:
$ git log --abbrev-commit --pretty=oneline master..HEAD
7acf23d... Updated config.pp to use $module_name
0c164f6... Added manual change warning to postfix config
Using thegit logcommand, you’re able to see the developer has made two commits since he created his topic from the main master development branch. This specific command displays the series of commits from the master development branch to the tip of the current topic branch. You’re able to
use thegit logcommand again to see exactly what the developer changed in these two commits, as shown in
Listing 3-3
.
Listing 3-3.
Listing Git changes
developer:~/modules $ git log --summary -p --stat master..
commit 7acf23dc50774aee1139e43aec5b1e8f60fa9da9
Author: Devevloper
Date: Sun Nov 14 09:45:16 2010 -0800
Updated config.pp to use $module_name
The $module_name variable has been introduced in Puppet
2.6 and makes for easily renamed puppet modules without
having to refactor much of the code.
---
postfix/manifests/config.pp | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/postfix/manifests/config.pp b/postfix/manifests/config.pp
index 9feb947..471822c 100644
--- a/postfix/manifests/config.pp
+++ b/postfix/manifests/config.pp
@@ -7,14 +7,14 @@ class postfix::config {
file { "/etc/postfix/master.cf":
ensure => present,
- source => "puppet:///modules/postfix/master.cf",
+ source => "puppet:///modules/${module_name}/master.cf",
require => Class["postfix::install"],
notify => Class["postfix::service"],
}
file { "/etc/postfix/main.cf":
ensure => present,
- content => template("postfix/main.cf.erb"),
+ content => template("${module_name/main.cf.erb"),
require => Class["postfix::install"],
notify => Class["postfix::service"],
}
commit 0c164f676da64cec5e6d02ac5cb8a60229e60219
Author: Developer
Date: Sun Nov 14 09:42:17 2010 -0800
Added manual change warning to postfix config
---
postfix/files/master.cf | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/postfix/files/master.cf b/postfix/files/master.cf
index 280f3da..7482d4c 100644
--- a/postfix/files/master.cf
+++ b/postfix/files/master.cf
@@ -1,3 +1,5 @@
+# This file managed by puppet. Manual changes will be reverted.
+#
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
Reviewing his changes, the developer notices he made a typographical mistake in the postfix configuration file and decides to fix this problem. In the second section of the diff output in the Postfix configuration file, the line containingtemplate("${module_name/main.cf.erb")is missing a closing curly brace around the variablemodule_name. He decides to fix this and make a third commit to his topic branch. The output ofgit lognow shows:
developer:~/modules $ git log --abbrev-commit --pretty=oneline master..
6b9f2b5... Fixup missing closing curly brace
7acf23d... Updated config.pp to use $module_name
0c164f6... Added manual change warning to postfix config
Tip
In order to help prevent typographical errors from being accepted into the repository, it is a good idea to executepuppet --parseonlyas a pre-commit hook in your version control system. Most version control systems support hook scripts to accept or deny a commit. If you use Subversion or Git, example pre-commit hooks are available online athttp://projects.puppetlabs.com/projects/1/wiki/Puppet_Version_Control.
The developer is satisfied with his changes to Postfix, and he would like to try them out in the development environment in a similar way the operator tested out her changes. The overall workflow the developer follows is to push their topic branch to the central repository, fetch the changes in the development environment’s repository, check out the topic branch, then run the Puppet agent against the development environment.
Before publishing his topic branch to a different repository, he decides to clean up his commit history to remove the entire commit that he created simply to fix a single character mistake he introduced. Thegit rebasecommand allows him to quickly and easily modify his topic branch to clean up this mistake.
