## Deploying Puppet Locally

Applying Rules Locally

Puppet is usually deployed in a client-server architecture. But that's not the only way we can use Puppet. We can also use it as a stand-alone application run from the command line. 
This is common when testing new configurations.

sudo apt install puppet-master

To do this, we first have to create a file where we'll store the rules that we want to apply. In Puppet lingo, these files are called manifests and they must end with a.pp extension

vim tools.pp

package { 'htop' :
    ensure => present,
}

htop
Command 'htop' not found, but can be installed with:

sudo puppet apply -v tools.pp

htop

sudo puppet apply -v tools.pp

The catalog : is the list of rules that are generated for one specific computer once the server has evaluated all variables, conditionals, and functions. More complex sets of rules can lead to different catalogs depending on fact values.

Managing Resource Relationships

vim ntp.pp

class ntp {
    package { 'ntp':
        ensure => latest,
    }
    file { '/etc/ntp.conf':
        source => '/home/user/ntp.conf',
        replace => true,
        require => Package['ntp'],
        notify => Service['ntp'],
    }
    service { 'ntp':
        enable => true,
        ensure => running,
        require => File['/etc/ntp.conf'],
    }
}

include ntp

This is part of Puppet syntax. We write resource types in lowercase when declaring them, but capitalize them when referring to them from another resource's attributes

sudo puppet apply -v ntp.pp
vim ntp.conf
Change to google
sudo puppet apply -v ntp.pp

Organizing Your Puppet Modules

Module : is a collection of manifests and associated data.
1) Manifests : pp file
2) Files :  files that are copied into the client machines without any changes, like the ntp.conf file
3) Templates : files that are preprocessed before they've been copied into the client machines.
These templates can include values that get replaced after calculating the manifests, or sections that are only present if certain conditions are valid. 

tree modules/

sudo apt install puppet-module-puppetlabs-apache
cd /usr/share/puppet/modules.available/puppetlabs-apache/
ls -l
ls -l manifests/

cd
vim webserver.pp

include ::apache
:wq

sudo puppet apply -v webserver.pp

## Deploying Puppet to Clients

In an earlier video, we saw how to conditionally apply some rules using facts from the machines. Another way to apply different rules to different systems is to use separate node definitions.

Node : is any system where we can run a Puppet agent

When setting up Puppet, we usually have a default node definition that lists the classes that should be included for all the nodes.

node default {
    class { 'sudo': }
    class { 'ntp':
        servers => ['ntp1.example.com', 'ntp2.example.com']
    }
}

FQDN : Fully Qualified Domain Names

node webserver.example.com {
    class { 'sudo': }
    class { 'ntp':
        servers => ['ntp1.example.com', 'ntp2.example.com']
    }
    class { 'apache': }
}

site.pp : node definition

Puppet's Certificate Infrastructure

Puppet uses public key infrastructure, or PKI, to establish secure connections between the server and the clients.
There's a bunch of different types of public key technologies. The one used by Puppet is secure sockets layer or SSL.
This is the same technology used for encrypting transmissions over HTTPS. The clients use this infrastructure to check the server's identity, and the server uses it to check the client's identity, and all communication is done over an encrypted channel that uses these identities so it can't be intercepted by other parties.

But how do machines know which public keys to trust? This is where a certificate authority, or CA comes in. The CA verifies the identity of the machine and then creates a certificate stating that the public key goes with that machine

Why do we care so much about the identity of the nodes?
1) Puppet rules can sometimes include confidential information that you don't want to fall in the wrong hands
2) You want to be sure that the machine you're setting up as your web server really is your web server and not a rogue machine that just claims to have the same name.

Remember that it's better to be safe than sorry. So always take the time to authenticate your machines. 

You'll want to write a script that verifies the identity of the machines automatically for you. One way to do this is by copying a unique piece of information into the machines when they get provisioned and then use this pre-shared data as part of the certificate request. That way, your script can verify that the machines are who they claim to be without involving any humans.

sudo puppet config --section master set autosign true
ssh webserver
sudo apt install puppet
sudo puppet config set server ubuntu.example.com
sudo puppet agent -v --test

vim /etc/puppet/code/environments/production/manifests/site.pp

node webserver.example.com {
    class { 'apache':}
}

node default {}

sudo puppet agent -v --test

sudo systemctl enable puppet
sudo systemctl start puppet
sudo systemctl status puppet

## Updating Deployments

Modifying and Testing Manifests

We've done this in some of our examples where we applied the rules locally before applying them to remote machines, this approach can backfire though. Say you're trying to use puppet to change the permissions of some files on the nose locking down some paths that you don't think that your users will need. Now imagine you try out the rules on your computer and discover you made a mistake and locked yourself out.
1) Use the puppet parser validate command that checks that the syntax of the manifests is correct
2) We can also run the rules using the- - Noop parameter the name comes from no operations and it makes puppet simulate what it would do without actually doing it
3) You could use is having test machines that are used only for testing out changes. You can apply the rules there and after a puppet has run check that everything's working correctly. But again, this is a manual process and we might forget to verify something important.
4) rspec test : We can set the facts involved different values and check that the catalog ends up stating what we wanted it to

describe 'gksu', :type => :class do
    let (:facts) { { 'is_virtual' => 'false' } }
    it { should contain_package('gksu').with_ensure('latest') }
end

Safely Rolling out Changes and Validating Them

Even if you've tested the change on your computer or on a test computer and it worked just fine, it doesn't mean that the change will work correctly on all machines running in production

Production : is the parts of the infrastructure where a service is executed and served to its users.

So how can we roll out changes safely? 
The key is to always run them through a test environment first.

You could have a development environment for IT specialists to try out new Puppet rules before they even reach the test environment

So instead of pushing the changes to all nodes, we usually do it in batches.
You could have some machines with the fact that marks them as early adopters or canaries. Like the canaries that coal miners used to detect toxic gases in the mines, these nodes detect potential issues before they reach the other computers.

It's a good idea for these changes to be small and self-contained. That way, if something breaks, it's much easier to figure out where the problem was.

## Finish a Puppet Deployment

1) Install packages

cd /etc/puppet/code/environments/production/modules/packages
cat manifests/init.pp
sudo chmod 646 manifests/init.pp

class packages {

    package { 'python-requests':
        ensure => installed,
    }


}

if $facts[os][family] == "Debian" {
# Resource entry to install golang package
}

if $facts[os][family] == "Debian" {
     package { 'golang':
       ensure => installed,
     }
  }

class packages {
   package { 'python-requests':
       ensure => installed,
   }
   if $facts[os][family] == "Debian" {
     package { 'golang':
       ensure => installed,
     }
  }
}

if $facts[os][family] == "RedHat" {
  #Resource entry
}

class packages {
   package { 'python-requests':
       ensure => installed,
   }
   if $facts[os][family] == "Debian" {
     package { 'golang':
       ensure => installed,
     }
  }
   if $facts[os][family] == "RedHat" {
     package { 'nodejs':
       ensure => installed,
     }
  }
}

gcloud compute instances describe linux-instance --zone=us-central1-a --format='get(networkInterfaces[0].accessConfigs[0].natIP)'

#On linux-instance VM

sudo puppet agent -v --test
apt policy golang

2) Fetch machine information

cd /etc/puppet/code/environments/production/modules/machine_info
cat manifests/init.pp
sudo chmod 646 manifests/init.pp

class machine_info {

    file { '/tmp/machine_info.txt':
        content => template('machine_info/info.erb'),
    }


}

  if $facts[kernel] == "windows" {
       $info_path = "C:\Windows\Temp\Machine_Info.txt"
  } else {
       $info_path = "/tmp/machine_info.txt"
  }

class machine_info {
   file { '/tmp/machine_info.txt':
       content => template('machine_info/info.erb'),
   }
   if $facts[kernel] == "windows" {
       $info_path = "C:\Windows\Temp\Machine_Info.txt"
   } else {
       $info_path = "/tmp/machine_info.txt"
   }
}

   file { '/tmp/machine_info.txt':
       content => template('machine_info/info.erb'),
   }

   file { 'machine_info':
        path => $info_path,
        content => template('machine_info/info.erb'),
    }

class machine_info {
  if $facts[kernel] == "windows" {
       $info_path = "C:\Windows\Temp\Machine_Info.txt"
   } else {
       $info_path = "/tmp/machine_info.txt"
   }
 file { 'machine_info':
       path => $info_path,
       content => template('machine_info/info.erb'),
   }
}

cat templates/info.erb
sudo chmod 646 templates/info.erb
Network Interfaces: <%= @interfaces %>

Machine Information
-------------------
Disks: <%= @disks %>
Memory: <%= @memory %>
Processors: <%= @processors %>
Network Interfaces: <%= @interfaces %>
}

sudo puppet agent -v --test
cat /tmp/machine_info.txt

3) Reboot machine

sudo mkdir -p /etc/puppet/code/environments/production/modules/reboot/manifests
cd /etc/puppet/code/environments/production/modules/reboot/manifests
sudo touch init.pp
sudo nano init.pp

class reboot {
  if $facts[kernel] == "windows" {
    $cmd = "shutdown /r"
  } elsif $facts[kernel] == "Darwin" {
    $cmd = "shutdown -r now"
  } else {
    $cmd = "reboot"
  }
}

if $facts[uptime_days] > 30 {
        exec { 'reboot':
           command => $cmd,
        }
    }

class reboot {
  if $facts[kernel] == "windows" {
    $cmd = "shutdown /r"
  } elsif $facts[kernel] == "Darwin" {
    $cmd = "shutdown -r now"
  } else {
    $cmd = "reboot"
  }
  if $facts[uptime_days] > 30 {
    exec { 'reboot':
      command => $cmd,
     }
   }
}

sudo nano /etc/puppet/code/environments/production/manifests/site.pp 

node default {
   class { 'packages': }
   class { 'machine_info': }
   class { 'reboot': }
}

sudo puppet agent -v --test