Puppet dry run
In this blog post, renowned consultant and author John Arundel of Bitfield Consulting explains how to use Puppet's dry run mode. If you'd like to know more, check out John's bestselling Puppet Beginner's Guide!
"Is the web site down?" asked my boss. Probably the five words I least want to hear, along with "I've run over your cat" and "I'll pay you next month".
Yes, the site was down - I'd made a minor Puppet change, and assumed this would roll out without any problems. Of course, the problem with assumptions is that they make an ASS out of U in front of your BOSS. Whenever I use Puppet to make changes to production servers, I like to do it by running Puppet manually, rather than waiting for the half-hourly auto-run, and I like to do a dry run first to see what's going to happen.
Puppet's dry-run feature is a powerful tool that's often overlooked by busy sysadmins. Even if you test your Puppet manifests on a virtualised replica of your production site, which many people don't have the time or the budget to do, pushing changes out live can have unforeseen side effects which are best avoided.
To dry-run Puppet, use the --noop
flag:
# puppet apply --noop --show_diff ...
Notice: Compiled catalog for soupnazi in environment production in 4.20 seconds
Notice: /Stage[main]/Apache/File[/etc/httpd/conf/httpd.conf]/content:
--- /etc/httpd/conf/httpd.conf 2019-10-17 09:55:11.636891687 +0000
+++ /tmp/puppet-file20191217-14921-dnelpu 2019-12-17 17:54:58.938096986 +0000
@@ -1,6 +1,6 @@
# Security
ServerTokens ProductOnly
-ServerSignature Off
+ServerSignature On
TraceEnable Off
Notice: /Stage[main]/Apache/File[/etc/httpd/conf/httpd.conf]/content: current_value '{md5}5a509883fa6657eb4264222a78995435', should be '{md5}a5582fcc87e8bdca0b86e9f7ca158834' (noop)
Notice: Class[Apache]: Would have triggered 'refresh' from 1 event
Notice: Class[Apache::Service]: Would have triggered 'refresh' from 1 event
Notice: /Stage[main]/Apache::Service/Service[httpd]: Would have triggered 'refresh' from 1 event
Notice: Class[Apache::Service]: Would have triggered 'refresh' from 1 event
Notice: Stage[main]: Would have triggered 'refresh' from 4 events
Notice: Applied catalog in 32.98 seconds
Puppet's 'noop' (no-operation) mode shows you what would happen, but doesn't actually do it. As you can see, Puppet reports that it would have updated the httpd.conf
file and restarted Apache. With the additional --show_diff
flag, it helpfully shows us the change it would have made to the file:
-ServerSignature Off
+ServerSignature On
Aren't you glad you added the --noop
flag?
Puppet's dry run mode is not perfect - resource Y may fail because it requires resource X, for example, and resource X has not really been applied. Puppet isn't so clever as to model the state of the box if each resource had been really applied - which is not surprising, because that's a hard problem. Luckily, it doesn't need to be perfect: dry-running Puppet in this way will catch a lot of small but potentially disastrous errors before they happen.
Opinions differ as to how meaningful or correct a dry-run mode can be, since changing the state of the box makes things unpredictable, but I'll take avoiding a disaster over academic arguments any day.
"Thanks for getting the site back up," said my boss. "Now, something else I meant to tell you. I'll pay you next month."