Puppet Continuous Integration

By Thomas Vachon

Puppet is an amazing configuration management system, as I have previously written, but one shortcoming is that there is no built-in system where you check in code, it runs, and if it fails, it alerts. Continuous Integration is a very important thing to have. It saves dev and production environments from being destroyed or otherwise broken. After searching all over the web, I was unable to find anyone who had done a full CI system for Puppet, so I developed my own.

My CI system consists of 3 parts: The Foreman, XenServer, and Git. I have a cron job which runs every 5 minutes and pulls down the latest code from the "central" git server. I have multiple people merging into this server from multiple companies, so CI was a must-have for us.

If the code on the server is newer than the code on the client, I update the code and rsync it from its staging directory into /etc/puppet on the puppetmaster.
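The poll-and-sync step just described, written out as an added example in portable sh (this is not the post's own cron script). It assumes a CI checkout that has the central server as its `origin`, a `.deployed-rev` marker file in the target directory to remember what was last synced, and a stand-in directory for /etc/puppet; the 5-minute interval would come from the crontab entry that calls it.

```shell
#!/bin/sh
# Added example, not the post's own cron script: poll the central git server and,
# only when it has newer commits than what was last deployed, fast-forward the
# staging checkout and sync it into the puppetmaster's code directory.
# Paths and the .deployed-rev marker are assumptions; the post names only
# /etc/puppet as the destination and a 5-minute cron interval.
set -eu

# sync_if_newer CHECKOUT TARGET
# Fetches the central repo through CHECKOUT's "origin". If the central HEAD differs
# from the revision recorded in TARGET/.deployed-rev, fast-forwards CHECKOUT and
# syncs the tree into TARGET. Prints "updated" or "current".
sync_if_newer() {
    checkout="$1"
    target="$2"
    deployed=$(cat "$target/.deployed-rev" 2>/dev/null || echo none)
    git -C "$checkout" fetch -q origin HEAD
    remote=$(git -C "$checkout" rev-parse FETCH_HEAD)
    if [ "$deployed" = "$remote" ]; then
        echo current
        return 0
    fi
    # --ff-only: if history on the central server was rewritten, fail loudly
    # instead of quietly merging a rewritten tree into the puppetmaster.
    git -C "$checkout" merge -q --ff-only FETCH_HEAD >/dev/null
    mkdir -p "$target"
    if command -v rsync >/dev/null 2>&1; then
        rsync -a --delete --exclude .git "$checkout"/ "$target"/
    else
        # Fallback for hosts without rsync; stale files in TARGET are not removed.
        cp -R "$checkout"/. "$target"/
        rm -rf "$target/.git"
    fi
    echo "$remote" > "$target/.deployed-rev"
    echo updated
}

# Constructed end-to-end run using throwaway repositories in a temp directory:
# a bare "central" repo, a developer clone that pushes, a CI clone that polls,
# and a stand-in for /etc/puppet. Prints the three poll results on one line.
run_demo() {
    work=$(mktemp -d)
    gitc="git -c user.name=ci -c user.email=ci@example.invalid"
    git init -q --bare "$work/central.git"
    $gitc clone -q "$work/central.git" "$work/dev" 2>/dev/null
    mkdir -p "$work/dev/manifests"
    echo "node default { include base }" > "$work/dev/manifests/site.pp"
    $gitc -C "$work/dev" add -A
    $gitc -C "$work/dev" commit -q -m "initial site.pp"
    $gitc -C "$work/dev" push -q origin HEAD
    # Point the bare repo's HEAD at whatever branch name the clone used.
    branch=$(git -C "$work/dev" rev-parse --abbrev-ref HEAD)
    git -C "$work/central.git" symbolic-ref HEAD "refs/heads/$branch"
    $gitc clone -q "$work/central.git" "$work/ci"

    first=$(sync_if_newer "$work/ci" "$work/etc-puppet")   # nothing deployed yet
    second=$(sync_if_newer "$work/ci" "$work/etc-puppet")  # no new commits
    echo "class base { package { 'ntp': ensure => installed } }" \
        > "$work/dev/manifests/base.pp"
    $gitc -C "$work/dev" add -A
    $gitc -C "$work/dev" commit -q -m "add base class"
    $gitc -C "$work/dev" push -q origin HEAD
    third=$(sync_if_newer "$work/ci" "$work/etc-puppet")   # new commit arrived
    if [ -f "$work/etc-puppet/manifests/base.pp" ]; then has_base=yes; else has_base=no; fi
    rm -rf "$work"
    echo "$first $second $third base.pp=$has_base"
}
```

In a real crontab the entry would call `sync_if_newer` with the staging checkout and `/etc/puppet`; the `--ff-only` merge is the safety catch here, since a force-push to the central server otherwise silently replaces what the puppetmaster serves.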

The biggest problem with puppet is that you can't just run syntax checks against the system. Puppet is a stateful system which requires catalogs to be run against the same types of servers that exist in your target environments. My answer? Virtualization.

I have 3 VMs running (one per "role") on my XenServer. Each one simulates how the systems are designed, named, and used in production.

After the run is kicked off and the CI sees new changes and applies them, you need to be able to figure out what worked, what didn't, and get alerted to the breakage. This is where The Foreman comes into play. The Foreman, for those who don't know, is a Web UI for Puppet reports. It can perform many other functions, like complete unattended kickstart installs, but that is not what I needed it for. The Foreman collects and analyzes runtime analytics as well as run states. If for some reason the puppet run fails on the client, it will immediately email the failure to a mailing list I have set up.

The system has been tested and I have encountered only one problem, for which I have opened a bug with The Foreman team: it will not detect puppetmaster catalog compile errors.

All in all, this system allows multiple sysadmins to commit and work on various modules at the same time and have the code validated in an automated fashion. Still, good a practice as it is, a CI system should never fully replace a second set of human eyes.