Monday, September 17, 2012

Devopsdays Rome 2012

Disclaimer: this is just a shameless post to get myself a place at the great Rome event ;-). Oh well, this does not mean this post is not interesting to read.

When I went to the Extreme Programming conference in Alghero (Sardinia) in 2001 I was consulting mostly as a Systems Administrator. So I felt a little bit like a fish out of water and actually one of the participants asked me: do you think there are aspects of XP that can be applied to systems administration?

I think I said yes, but at that time it was kind of hard for me to find points of contact between the two.
Maybe unit testing could be associated with putting pervasive monitoring in place so that when I refactored a configuration I would know if it worked before clients did.
Or coding standards could be associated with using automated installers for deploying servers, but what about keeping the configuration in sync afterwards, when the systems went into production? And what about the rest of the rules?
Last but not least, at the time, provisioning servers was still a physical task which meant that deployment was just a relatively short phase after procurement and installation.

Anyway shortly after the conference the sysadmin gig ended and I gradually went back to developing web apps full time with just a little sysadmin'ing on the side.

Fast forward to 2012: I am still developing web apps (using Agile methodologies) but I am also sysadmin'ing again. In 2012 though servers are virtual and they can be provisioned with a few clicks: today the only thing that slows down and can possibly get the deployment process wrong is ... me!
So I asked myself: what can I do to improve the overall process so that servers are installed and configured in the same way, they can be easily reconfigured without manually logging into each and every one of them, and I can readily tell my boss what version of which app they are running?

I knew that the answer was in configuration management, so I started researching. I first looked into Puppet, but I didn't really like the open-core model, so I moved on and eventually settled on SaltStack. Salt started out as a remote execution tool, but then gained configuration management capabilities and recently added support for cloud provisioning. Salt is written in Python, which makes it more friendly to people (like me) who are not acquainted with Ruby yet. Also, Salt uses YAML instead of a DSL for configuration management, but other than that the configuration directives are strikingly similar.

The great thing about configuration management tools is that once you have put in place the basic infrastructure you'll quickly get addicted to it and expand it and grow it just because, now, you can.
Btw, I keep a diary of my experience with Salt here on my blog.

Another indispensable tool in my Devops toolbox is OpenNMS: I use it to monitor nearly everything thanks to its ability to receive inputs from just about any source (jmx, snmp, syslog, raw events over http, wmi, sql). With OpenNMS I always have everything under control (even batch jobs!) and I can infer if the release of a new app is hogging resources on the database server or whether the application server needs more RAM as the developer would want. Another great feature of OpenNMS is the built-in reports: customers (still) running Nagios just drool over those!

I am now looking for a way to integrate Salt and OpenNMS so that whenever a host is configured through Salt the necessary bits are also configured on OpenNMS so that monitoring and configuration stay in sync. Maybe at Devopsdays Rome I'll find a solution.

LogStash + ElasticSearch + Kibana is a mix that I haven't had the time to deploy yet, but that I want to try out as soon as I can.

Looking forward to meeting you in Rome!

Friday, September 07, 2012

Salt Diaries: keeping salt up-to-date (episode 4)



Welcome back! In our quest to simplify the configuration and automate our systems we have installed Salt on all our servers and then moved on to some basic state management. We want of course to do more sophisticated stuff with salt and we'll get to that too. But first we want to make sure that all minions are aligned to the same salt version (the latest in this case).

To do that we will add another state to our configuration which we will call (very much unimaginatively) salt.sls. The content is below:
salt-minion:
   pkg:
      - latest
   service:
      - running
      - watch:
         - pkg: salt-minion

This instructs minions to upgrade the salt-minion package on the node and, if upgraded, restart the service. To activate this state we'll edit the top.sls state file as follows:
base:
  '*':
    - ntp
    - salt

We are now ready to apply the changes. Let's start with a guinea-pig minion:
[prompt]# salt 'expendable.local' state.highstate
expendable.local:
----------
    State: - pkg
    Name:      salt-minion
    Function:  latest
        Result:    True
        Comment:   Package salt-minion upgraded to latest
        Changes:   salt-minion: {'new': '0.10.2-2.el5', 'old': '0.10.1-1.el5'}
                   salt: {'new': '0.10.2-2.el5', 'old': '0.10.1-1.el5'}
                   
----------
    State: - service
    Name:      salt-minion
    Function:  running
        Result:    True
        Comment:   Service restarted
        Changes:   salt-minion: True

Seems ok, let's check the package version (note that I turned on verbose logging):
[prompt]# salt -v 'expendable.local' pkg.version salt
Executing job with jid 20120906174807503993
-------------------------------------------

The following minions did not return:
expendable.local

Oops! Something is not quite right... in fact the minion is up and running, it's just that the server is still using the old connection. A quick check with netstat on the minion side will confirm this. Luckily for us there's no need to log in to each minion to get Salt working again. Simply restart the master and it'll be all ready to go:
[prompt]# /etc/init.d/salt-master restart
Stopping salt-master daemon:                               [  OK  ]
Starting salt-master daemon:                               [  OK  ]
[prompt]# salt -v 'expendable.local' pkg.version salt
Executing job with jid 20120906175310393699
-------------------------------------------
{'expendable.local': '0.10.2-2.el5'}

Very good! Now we can deploy the new state to all minions with:
[prompt]# salt -v -t 60 '*' state.highstate
We'll just have to restart the master after that and we're good to go.
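After a fleet-wide upgrade it is worth confirming that no minion was left on the old version or silently dropped off the master. The following is an added example (not part of the original post) that audits the output of `salt -v '*' pkg.version salt` in the format shown above; the extra hostnames and the one-dict-per-line layout for multiple minions are assumptions.

```python
import ast

# Constructed sample in the format shown above; every hostname except
# expendable.local is made up, and one dict per minion line is assumed.
SAMPLE = """\
Executing job with jid 20120906175310393699
-------------------------------------------
{'expendable.local': '0.10.2-2.el5'}
{'web01.local': '0.10.1-1.el5'}
{'db01.local': '0.10.2-2.el5'}

The following minions did not return:
queue01.local
"""

def version_key(version):
    """Turn '0.10.2-2.el5' into (0, 10, 2, 2) so versions compare numerically."""
    upstream, _, release = version.partition("-")
    parts = upstream.split(".") + [release.split(".")[0]]
    return tuple(int(p) for p in parts if p.isdigit())

def audit(output, expected):
    """Return (outdated, missing): minions below `expected`, and minions
    that did not answer the job at all."""
    versions, missing, in_missing = {}, [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("The following minions did not return"):
            in_missing = True
        elif line.startswith("{"):
            # literal_eval parses the dict without executing anything
            versions.update(ast.literal_eval(line))
        elif in_missing and line:
            missing.append(line)
    # An empty version string (package not installed) sorts lowest and is flagged.
    outdated = {m: v for m, v in versions.items()
                if version_key(v) < version_key(expected)}
    return outdated, sorted(missing)

if __name__ == "__main__":
    outdated, missing = audit(SAMPLE, "0.10.2-2.el5")
    print("outdated:", outdated)
    print("did not return:", missing)
```

Minions listed as missing right after the upgrade are most likely the stale-connection case described above; any that are still missing after the master restart need a closer look.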

Minions restarting while other states are running or have to be run

One problem with the state definition given above is that the package upgrade (and consequent minion restart) could be executed while other states are also running, so to prevent that we'll edit the state again and add an order condition:
salt-minion:
   pkg:
      - latest
      - order: last
   service:
      - running
      - watch:
         - pkg: salt-minion

What about SuSE-based servers?

Since we did not use the default distro package manager to install Salt on SuSE servers, we'll have to script our way out using the same tool that we used for installing Salt: pip.
The new state definition becomes this:
salt-minion:
{% if grains['os'] == 'RedHat' %}
   pkg:
      - latest
{% endif %}
{% if grains['os'] == 'SUSE' %}
   pip:
      - installed
      - name: salt
      - upgrade: True
{% endif %}
      - order: last
   service:
      - running
      - watch:
{% if grains['os'] == 'RedHat' %}
        - pkg: salt-minion
{% endif %}
{% if grains['os'] == 'SUSE' %}
        - pip: salt
{% endif %}

Update: while this is the formally correct way of upgrading SuSE, it won't work because the pip state has a bug that prevents it from updating an already installed package. As we can see here, the state returns when a package is already installed. I'm going to open a pull request to get it fixed asap.

Update March 2013: a reader notes that SaltStack rpm packages are available from the OpenSuse repo so I suggest you switch to using those.