Bolt: Difference between revisions

Puppet Bolt supports a variety of uses cases, but one in particular is interesting for our use, masterless Puppet catalog applies. In a masterless apply rather than obtaining the catalog from the puppet master the catalog is compiled directly from the source repository. One advantage of a masterless apply is that it can offer faster feedback on code changes, since you don’t need to commit in order to apply or noop your changes against a destination host, i.e.:

# Edit
$ vi modules/example/manifests/init.pp

# Noop to see changes
$ bolt apply --noop -t node.example.com

# Commit
$ git commit -a -m 'add example module'

Other projects which support a masterless workflow:

• supply_drop

Install Directions

Install Bolt, not currently in Debian unfortunately

$ wget https://apt.puppet.com/puppet-tools-release-bullseye.deb
$ sudo dpkg -i puppet-tools-release-bullseye.deb
$ sudo apt-get update
$ sudo apt-get install puppet-bolt

Delete Bolt’s system module

This module conflicts with our system module, Upstream pull request or rename our module

$ BOLT_VERS="3.22.1"; sudo rm -rv /opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-${BOLT_VERS}/bolt-modules/system

Add Bolt config, labs-private, and supporting modules

$ cat >boltup <<EOM
#!/bin/bash

set -o errexit
set -o nounset

cat >bolt-project.yaml <<EOF
---
name: wmf
apply-settings:
  show_diff: true
hiera-config: 'hiera.yaml'
modulepath:
  - 'private/modules'
  - 'modules'
  - 'vendor_modules'
  - 'bolt/modules'
EOF

cat >inventory.yaml <<EOF
config:
  transport: ssh
  ssh:
      interpreters:
          # Use our system ruby
          rb: /usr/bin/ruby
      # Switch to root before running puppet
      run-as: root
features:
    # Do not try to install the puppet-agent
    - puppet-agent
EOF

# setup hiera
sed -E 's#/etc/puppet/##' modules/puppetmaster/files/production.hiera.yaml >hiera.yaml

# clone repos
if [[ ! -e 'private' ]]; then
    git clone git@github.com:wikimedia/labs-private.git private
fi
mkdir -p bolt/modules
if [[ ! -e 'bolt/modules/nagios_core' ]]; then
    git clone git@github.com:puppetlabs/puppetlabs-nagios_core.git bolt/modules/nagios_core
fi
if [[ ! -e 'bolt/modules/mailalias_core' ]]; then
    git clone git@github.com:puppetlabs/puppetlabs-mailalias_core.git bolt/modules/mailalias_core
fi
EOM
$ bash boltup

Usage

Noop a server

$ bolt apply --noop -t mirror1001.wikimedia.org <(cat manifests/*.pp) | tee puppet.out

Look through output

Here is a script to remove items from the output that you don't care about

#!/bin/bash
# Grep out values from a puppet or bolt console output
#
# Usage: puppet-out-grep Exim Nagios

puppet_out="${PUPPET_OUT:-puppet.out}"

# https://stackoverflow.com/a/17841619/1236063
function join_by {
	local d=${1-} f=${2-}
	if shift 2; then
		printf %s "$f" "${@/#/$d}"
	fi
}

out_ignore=("$@")
out_ignore+=('Finished' 'Compiled' 'Applied')
out_ignore_service_regex=$(join_by '|' "${out_ignore[@]}")
out_ignore+=('refresh')
out_ignore_regex=$(join_by '|' "${out_ignore[@]}")

# Grep for everything except Finished, Compiled, Applied, or refresh (and optional arguments)
grep -E 'Notice|Error' "${puppet_out}" | grep -Ev "${out_ignore_regex}" | sort | uniq

# Do a separate grep for only Service refreshes to highlight them
grep -E 'Service\[.+refresh' "${puppet_out}" | grep -Ev "${out_ignore_service_regex}" | sort | uniq

Example

$ puppet-out-grep Exim Nagios

Outstanding Issues

1. Bolt's system modules conflicts with our system module, Upstream pull request or rename our module
2. Bolt does not preserve symlinks on files with recurse and source directories, https://github.com/puppetlabs/bolt/issues/3056
3. PuppetDB queries do not work, nor do exported resources
4. acme_chief module does not work
5. Nooping a server with Bolt will take out a Puppet lock, which would block a cron based Puppet run which began after the Bolt run