Puppet: System Administration Automated


Keep your Puppet manifests under version control

It's a good idea to keep your Puppet manifests and other configuration files under version control, for example in Subversion or CVS. To do this, just set up the puppetmaster the way you want, and then import the whole of /etc/puppet into Subversion:

$ svn import /etc/puppet https://www.your-svn-server-here.com/svn/puppet/trunk

You can then check out a working copy somewhere else:

$ svn co https://www.your-svn-server-here.com/svn/puppet/trunk puppet

Edit it, then commit your changes, and update the master copy on the server:

$ svn up /etc/puppet

The puppetmaster automatically detects that its configuration files have changed.

Remember that when you create new certificates, you are modifying the puppetmaster's working copy, so you need to commit these changes every so often. This has the added benefit that if you should lose the puppetmaster server, you can easily recreate it by just checking out a copy of the puppet tree into /etc/puppet. Because the repository then holds the puppetmaster's certificate files as well as its manifests, restrict read access to it accordingly.

Using commit hooks

Commit hooks let you extend the value of Subversion (or CVS, etc.) to perform error checking, stage files and even produce audit trails.

pre-commit

To catch syntax errors and other basic problems, you can use a Subversion pre-commit hook like this:

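#!/bin/sh
# SVN pre-commit hook to check Puppet syntax for .pp files
# Modified from http://mail.madstop.com/pipermail/puppet-users/2007-March/002034.html
REPOS="$1"
TXN="$2"
# Private scratch directory: puppet reads its configuration from --confdir,
# so it should not point at a directory other users can write to.
tmpdir=$(mktemp -d) || exit 1
tmpfile="$tmpdir/manifest.pp"
export HOME=/
SVNLOOK=/usr/bin/svnlook
# List the paths changed in this transaction and keep the .pp files.
# (awk splits on whitespace, so paths containing spaces are not handled.)
"$SVNLOOK" changed -t "$TXN" "$REPOS" | awk '{print $2}' | grep '\.pp$' | while read -r line
do
	"$SVNLOOK" cat -t "$TXN" "$REPOS" "$line" > "$tmpfile"
	if [ $? -ne 0 ]
	then
		# Deleted files end up here: there is nothing to parse.
		echo "Warning: Failed to checkout $line" >&2
		continue
	fi
	puppet --color=false --confdir="$tmpdir" --vardir="$tmpdir" --parseonly --ignoreimport "$tmpfile" >&2
	if [ $? -ne 0 ]
	then
		echo "Puppet syntax error in $line." >&2
		exit 2
	fi
done
# The loop runs in a subshell, so pick up its exit status here.
res=$?
rm -rf "$tmpdir"
exit $res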
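
The hook above picks paths with awk '{print $2}', which also passes deleted files and cuts paths at the first space. The following is an added example, not part of the original page, of a stricter selection step that can be exercised without a repository; changed_manifests, check_manifests and the checker argument are hypothetical names, and the svnlook output is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original page.
# Constructed sample of `svnlook changed` output: a two-character status,
# two spaces, then the path (directories end in "/").
SAMPLE_CHANGED='U   trunk/manifests/site.pp
A   trunk/manifests/my nodes.pp
D   trunk/manifests/old.pp
_U  trunk/modules/ntp/manifests/init.pp
A   trunk/modules/ntp/
U   trunk/files/motd.txt'

# Read `svnlook changed` output on stdin; print the .pp files worth parsing.
changed_manifests() {
    while IFS= read -r entry; do
        status=$(printf '%s' "$entry" | cut -c1-2)
        path=$(printf '%s' "$entry" | cut -c5-)   # keeps spaces in the path
        case "$status" in
            D*) continue ;;                       # deleted: nothing to parse
        esac
        case "$path" in
            */) ;;                                # directory entry
            *.pp) printf '%s\n' "$path" ;;
        esac
    done
}

# Run a checker over every selected path and report all failures.
# $1 is a hypothetical checker command: called with one path, it returns
# non-zero if that manifest does not parse (in a real hook it would wrap
# `svnlook cat` and `puppet --parseonly`).
check_manifests() {
    checker="$1"
    failed=0
    list=$(changed_manifests)
    # Feed the loop from a here-document, not a pipe, so $failed is still
    # set after the loop ends.
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! "$checker" "$path"; then
            echo "Puppet syntax error in $path." >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$list
EOF
    [ "$failed" -eq 0 ]
}

# Stand-alone run: list what would be checked for the sample above.
printf '%s\n' "$SAMPLE_CHANGED" | changed_manifests
```

In a hook, the input would come from svnlook changed -t "$TXN" "$REPOS", and a non-zero return from check_manifests would become the hook's exit status.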

post-commit

Using a post-commit hook can be handy if you want your commits to be seen by Puppet automatically, i.e. without having to run the last step shown above (svn up). Also, by integrating cvsspam you can provide an audit trail with nicely formatted, colored diffs.

Here's a simplified example of a post-commit hook that simply updates the files (previously checked out) in /etc/puppet.

#!/bin/sh
# SVN post-commit hook: bring the puppetmaster's working copy up to date
REPOS="$1"
REV="$2"
svn up /etc/puppet

Of course much more can be done here, but that is a nice start.