.fixtures.yml

@@ -8,5 +8,6 @@ fixtures:
     node_manager: 'https://github.com/WhatsARanjit/puppet-node_manager'
     apply_helpers: 'https://github.com/puppetlabs/puppetlabs-apply_helpers'
     bolt_shim: 'https://github.com/puppetlabs/puppetlabs-bolt_shim'
+    debug: 'https://github.com/nwops/puppet-debug'
   symlinks:
     "peadm": "#{source_dir}"

.gitignore

@@ -25,4 +25,5 @@
 .project
 .envrc
 /inventory.yaml
-.rerun.json
+.rerun.json
+*.tar.gz

.ruby-version

@@ -0,0 +1 @@
+2.6.5

README.md

@@ -23,3 +23,4 @@ Reference:
 * [Classification](documentation/classification.md)
 * [Architectures](documentation/architectures.md)
 * [Testing](documentation/pre_post_checks.md)
+* [Docker Based Examples](documentation/docker_examples.md)

documentation/docker_examples.md

@@ -0,0 +1,80 @@
+## Docker Based Examples
+This module provides docker compose files for the various architectures for experimentation purposes. This gives you the ability to stand up an entire PE stack in order to learn how this module and HA works. If you have docker and docker-compose you can start up a full Puppet architecture with a single command.  Please note that Puppet does not support PE on containers in production.  
+
+In order to decouple Bolt from a dev system, a special bolt container is created that will run all the bolt commands.  This is
+required to achieve maximum portability.  Should you want to run bolt commands against the PE stack you must
+first login to this bolt container via ssh, docker or docker-compose.
+
+Example: `docker-compose run --entrypoint=/bin/bash bolt`
+
+### Requirements
+To run the container based examples you will need the following requirements:
+
+2. Docker
+3. Docker compose
+4. 16GB memory, 24GB+ for XL and XL-HA architectures
+5. CPU with many cores (Tested with Core i7 6700)
+
+### Starting the example
+We have provided a provision.sh script to help making these examples simple.
+To use perform the following:
+
+1. cd spec/docker
+2. bash provision.sh
+3. select desired architecture when prompted (ie. extra-large-ha )
+4. Wait 10-20 minutes for provisioning to complete
+
+```
+Please choose a PE architecture to build: 
+1) extra-large/     3) large/           5) standard/
+2) extra-large-ha/  4) large-ha/        6) standard-ha/
+#?  
+```
+
+### Stopping the example
+In order to stop and remove the containers you will need to perform the following.
+
+1. cd spec/docker
+2. `cd <chosen architecture>` 
+3. docker-compose down
+
+### Logging into the console
+You can login to the PE Console after successful provision.  However, first you will need to 
+grab the mapped port number of the PE console.  The port numbers are mapped dynamically as to not
+cause port conflicts on your system. To see how the ports are mapped you can view them via:
+
+1. docker ps
+    ```
+    80c6f0b5525c        pe-base             "/sbin/init"        2 hours ago         Up 2 hours          0.0.0.0:32774->22/tcp, 0.0.0.0:32773->443/tcp, 0.0.0.0:32772->4433/tcp, 0.0.0.0:32771->8080/tcp, 0.0.0.0:32770->8081/tcp, 0.0.0.0:32769->8140/tcp, 0.0.0.0:32768->8443/tcp   pe-lg.puppet.vm
+    ```
+2. Note the mapped port for 443, which in this case is 32773
+3. Visit https://localhost:32773 in your browser
+4. Accept security risk (self signed cert)
+5. Login: admin/puppetlabs
+
+### Logging into any of the containers
+Ssh is running in all the containers so you can use ssh if you grab the mapped ssh port number. `ssh root@localhost -p 32774`
+
+Login: root/test
+
+You can also bypass ssh and run docker exec or docker-compose exec
+
+1. cd spec/docker/extra-large
+2. docker-compose exec pe_xl_core /bin/bash
+
+**Note:** pe_xl_core is the name of the service defined in the respective docker-compose file.
+
+This will run an interactive bash shell in the running container.
+
+### Upgrades
+There is also a upgrade.sh script that is similar to the provision.sh script.  This script will upgrade an already provisioned PE stack to the version specified in the update_params.json file.
+
+### Other notes
+1. The provision plan is not fully idempotent.
+2. Some tasks may fail when run due to resource constraints.
+3. You can rerun the provision.sh script on the same architecture without destroying the containers.  This can sometimes complete the provision process successfully. 
+4. Rerunning the provision script may result in errors due to idempotency issues with tasks and plans.
+5. Please remember you are starting the equilivent of 3-6 VMs on a single system.  
+6. You can use top to view all the processes being run in the containers.
+7. Docker will use the privilege mode option when running these examples (systemd support)
+8. Systemd is running inside these containers!  The real systemd, not the fake one.

examples/provision/extra-large-ha.json

@@ -0,0 +1,19 @@
+{
+  "version": "2019.4.0",
+  "console_password": "puppetlabs",
+  "master_host": "pe-master-1830cd-0.us-west1-a.c.reidmv-peadm.internal",
+  "master_replica_host": "pe-master-1830cd-1.us-west1-b.c.reidmv-peadm.internal",
+  "puppetdb_database_host": "pe-psql-1830cd-0.us-west1-a.c.reidmv-peadm.internal",
+  "puppetdb_database_replica_host": "pe-psql-1830cd-1.us-west1-b.c.reidmv-peadm.internal",
+  "compiler_pool_address": "puppet.pe-compiler-lb-1830cd.il4.us-west1.lb.reidmv-peadm.internal",
+  "compiler_hosts": [
+    "pe-compiler-1830cd-0.us-west1-a.c.reidmv-peadm.internal",
+    "pe-compiler-1830cd-1.us-west1-b.c.reidmv-peadm.internal",
+    "pe-compiler-1830cd-2.us-west1-c.c.reidmv-peadm.internal",
+    "pe-compiler-1830cd-3.us-west1-a.c.reidmv-peadm.internal"
+  ],
+  "dns_alt_names": [
+    "puppet",
+    "puppet.pe-compiler-lb-1830cd.il4.us-west1.lb.reidmv-peadm.internal"
+  ]
+}

examples/provision/extra-large.json

@@ -0,0 +1,19 @@
+{
+  "version": "2019.2.4",
+  "console_password": "puppetlabs",
+  "master_host": "pe-master-1830cd-0.us-west1-a.c.reidmv-peadm.internal",
+
+  "puppetdb_database_host": "pe-psql-1830cd-0.us-west1-a.c.reidmv-peadm.internal",
+
+  "compiler_pool_address": "puppet.pe-compiler-lb-1830cd.il4.us-west1.lb.reidmv-peadm.internal",
+  "compiler_hosts": [
+    "pe-compiler-1830cd-0.us-west1-a.c.reidmv-peadm.internal",
+    "pe-compiler-1830cd-1.us-west1-b.c.reidmv-peadm.internal",
+    "pe-compiler-1830cd-2.us-west1-c.c.reidmv-peadm.internal",
+    "pe-compiler-1830cd-3.us-west1-a.c.reidmv-peadm.internal"
+  ],
+  "dns_alt_names": [
+    "puppet",
+    "puppet.pe-compiler-lb-1830cd.il4.us-west1.lb.reidmv-peadm.internal"
+  ]
+}

examples/provision/large-ha.json

@@ -0,0 +1,19 @@
+{
+  "version": "2019.4.0",
+  "console_password": "puppetlabs",
+  "master_host": "pe-master-1830cd-0.us-west1-a.c.reidmv-peadm.internal",
+  "master_replica_host": "pe-master-1830cd-1.us-west1-b.c.reidmv-peadm.internal",
+
+
+  "compiler_pool_address": "puppet.pe-compiler-lb-1830cd.il4.us-west1.lb.reidmv-peadm.internal",
+  "compiler_hosts": [
+    "pe-compiler-1830cd-0.us-west1-a.c.reidmv-peadm.internal",
+    "pe-compiler-1830cd-1.us-west1-b.c.reidmv-peadm.internal",
+    "pe-compiler-1830cd-2.us-west1-c.c.reidmv-peadm.internal",
+    "pe-compiler-1830cd-3.us-west1-a.c.reidmv-peadm.internal"
+  ],
+  "dns_alt_names": [
+    "puppet",
+    "puppet.pe-compiler-lb-1830cd.il4.us-west1.lb.reidmv-peadm.internal"
+  ]
+}

examples/provision/large.json

@@ -0,0 +1,19 @@
+{
+  "version": "2019.4.0",
+  "console_password": "puppetlabs",
+  "master_host": "pe-master-1830cd-0.us-west1-a.c.reidmv-peadm.internal",
+
+
+
+  "compiler_pool_address": "puppet.pe-compiler-lb-1830cd.il4.us-west1.lb.reidmv-peadm.internal",
+  "compiler_hosts": [
+    "pe-compiler-1830cd-0.us-west1-a.c.reidmv-peadm.internal",
+    "pe-compiler-1830cd-1.us-west1-b.c.reidmv-peadm.internal",
+    "pe-compiler-1830cd-2.us-west1-c.c.reidmv-peadm.internal",
+    "pe-compiler-1830cd-3.us-west1-a.c.reidmv-peadm.internal"
+  ],
+  "dns_alt_names": [
+    "puppet",
+    "puppet.pe-compiler-lb-1830cd.il4.us-west1.lb.reidmv-peadm.internal"
+  ]
+}

examples/provision/standard-ha.json

@@ -0,0 +1,19 @@
+{
+  "version": "2019.4.0",
+  "console_password": "puppetlabs",
+  "master_host": "pe-master-1830cd-0.us-west1-a.c.reidmv-peadm.internal",
+  "master_replica_host": "pe-master-1830cd-1.us-west1-b.c.reidmv-peadm.internal",
+
+
+  "compiler_pool_address": "puppet.pe-compiler-lb-1830cd.il4.us-west1.lb.reidmv-peadm.internal",
+
+
+
+
+
+
+  "dns_alt_names": [
+    "puppet",
+    "puppet.pe-compiler-lb-1830cd.il4.us-west1.lb.reidmv-peadm.internal"
+  ]
+}

examples/provision/standard.json

@@ -0,0 +1,19 @@
+{
+  "version": "2019.4.0",
+  "console_password": "puppetlabs",
+  "master_host": "pe-master-1830cd-0.us-west1-a.c.reidmv-peadm.internal",
+
+
+
+  "compiler_pool_address": "puppet.pe-compiler-lb-1830cd.il4.us-west1.lb.reidmv-peadm.internal",
+
+
+
+
+
+
+  "dns_alt_names": [
+    "puppet",
+    "puppet.pe-compiler-lb-1830cd.il4.us-west1.lb.reidmv-peadm.internal"
+  ]
+}

functions/wait_until_service_ready.pp

@@ -0,0 +1,16 @@
+# A convenience function to help remember port numbers for services and handle
+# running the wait_until_service_ready task
+function peadm::wait_until_service_ready(
+  String     $service,
+  TargetSpec $target,
+) {
+  $port = case $service {
+    'orchestrator-service': { '8143' }
+    default: { '8140' }
+  }
+
+  run_task('peadm::wait_until_service_ready', $target,
+    service => $service,
+    port    => $port,
+  )
+}

manifests/setup/node_manager.pp

@@ -75,7 +75,10 @@
       parent               => 'PE Infrastructure',
       environment          => 'production',
       override_environment => false,
-      rule                 => ['and', ['=', ['trusted', 'extensions', peadm::oid('peadm_role')], 'puppet/puppetdb-database']],
+      rule                 => ['or',
+        ['and', ['=', ['trusted', 'extensions', peadm::oid('peadm_role')], 'puppet/puppetdb-database']],
+        ['=', 'name', $master_host],
+      ],
       classes              => {
         'puppet_enterprise::profile::database' => { },
       },

plans/action/install.pp

@@ -183,22 +183,22 @@
   # if a csr_attributes.yaml file is already present, the values we need are
   # merged with the existing values.
 
-  run_plan('peadm::util::insert_csr_extensions', $master_target,
-    extensions => {
+  run_plan('peadm::util::insert_csr_extension_requests', $master_target,
+    extension_requests => {
       peadm::oid('peadm_role')               => 'puppet/master',
       peadm::oid('peadm_availability_group') => 'A',
     },
   )
 
-  run_plan('peadm::util::insert_csr_extensions', $puppetdb_database_target,
-    extensions => {
+  run_plan('peadm::util::insert_csr_extension_requests', $puppetdb_database_target,
+    extension_requests => {
       peadm::oid('peadm_role')               => 'puppet/puppetdb-database',
       peadm::oid('peadm_availability_group') => 'A',
     },
   )
 
-  run_plan('peadm::util::insert_csr_extensions', $puppetdb_database_replica_target,
-    extensions => {
+  run_plan('peadm::util::insert_csr_extension_requests', $puppetdb_database_replica_target,
+    extension_requests => {
       peadm::oid('peadm_role')               => 'puppet/puppetdb-database',
       peadm::oid('peadm_availability_group') => 'B',
     },
@@ -330,7 +330,12 @@
     )
   }
 
+  # The puppetserver might be in the middle of a restart after the Puppet run,
+  # so we check the status by calling the api and ensuring the puppetserver is
+  # taking requests before proceeding.
   run_task('peadm::puppet_runonce', $master_target)
+  peadm::wait_until_service_ready('pe-master', $master_target)
+
   run_task('peadm::puppet_runonce', $all_targets - $master_target)
 
   return("Installation of Puppet Enterprise ${arch['architecture']} succeeded.")

plans/upgrade.pp

@@ -121,7 +121,7 @@
 
   # If in use, wait until orchestrator service is healthy to proceed
   if $all_targets.any |$target| { $target.protocol == 'pcp' } {
-    run_task('peadm::orchestrator_healthcheck', $master_target)
+    peadm::wait_until_service_ready('orchestrator-service', $master_target)
     wait_until_available($all_targets, wait_time => 120)
   }
 
@@ -135,7 +135,7 @@
   # The master could restart orchestration services again, in which case we
   # would have to wait for nodes to reconnect
   if $all_targets.any |$target| { $target.protocol == 'pcp' } {
-    run_task('peadm::orchestrator_healthcheck', $master_target)
+    peadm::wait_until_service_ready('orchestrator-service', $master_target)
     wait_until_available($all_targets, wait_time => 120)
   }
 

spec/docker/Dockerfile

@@ -0,0 +1,25 @@
+# In order to run this with systemd you must do one of the following
+# use  --privileged  when running the container
+# mount the volume when running the container -v /sys/fs/cgroup:/sys/fs/cgroup:ro
+# docker run –privileged -ti -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 2222:22 
+FROM centos:7
+EXPOSE 22
+ENV LC_ALL="en_US.UTF-8" LANG="en_US.UTF-8" LANGUAGE="en_US.UTF-8"
+RUN echo "LANG=en_US.UTF-8" > /etc/locale.conf
+STOPSIGNAL SIGRTMIN+3
+RUN yum -y install systemd openssh openssh-server openssh-clients anacron sudo curl openssl; yum clean all;
+RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \ 
+  rm -f /lib/systemd/system/multi-user.target.wants/*; \
+  rm -f /etc/systemd/system/*.wants/*; \
+  rm -f /lib/systemd/system/local-fs.target.wants/*; \
+  rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+  rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+  rm -f /lib/systemd/system/basic.target.wants/*; \
+  rm -f /lib/systemd/system/anaconda.target.wants/*; \
+  rm -rf /var/cache/yum; \
+  echo "root:test" | chpasswd; \
+  useradd -m -s /bin/bash centos && echo "centos:test" | chpasswd; \
+  ln -s '/usr/lib/systemd/system/sshd.service' '/etc/systemd/system/multi-user.target.wants/sshd.service'
+VOLUME [ “/sys/fs/cgroup” ]
+CMD /sbin/init
+# ENTRYPOINT [ "/sbin/init" ]

spec/docker/Dockerfile_bolt

@@ -0,0 +1,7 @@
+FROM puppet/puppet-bolt
+ENV LC_ALL="en_US.UTF-8" LANG="en_US.UTF-8" LANGUAGE="en_US.UTF-8"
+RUN echo "LANG=en_US.UTF-8" > /etc/locale.conf
+RUN apt-get update && apt-get install -y ssh sudo curl; \
+   /opt/puppetlabs/bolt/bin/gem install bundler puppet-debugger -N -q
+CMD /bin/bash
+ENTRYPOINT [ "/opt/puppetlabs/bin/bolt" ]