Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
- Puppet >= 6.0.0 < 8.0.0
- , , , ,
Tasks:
- status
Start using this module
Add this module to your Puppetfile:
mod 'puppetlabs-puppet_bolt_server', '1.0.1'Learn more about managing modules with a PuppetfileDocumentation
puppet_bolt_server
This module installs and configures Bolt to use a local PuppetDB and the Puppet Communications Protocol (PCP) transport.
Table of Contents
Description
This module aims to configure a dedicated Puppet Enterprise (PE) compiler to become a Bolt server. The intention is to offload plan execution from Orchestrator on the Primary server to Bolt on the Bolt server. A compiler is ideal because it already has access to PE, Code Manager, and its local PuppetDB.
What puppet_bolt_server affects
The puppet_bolt_server module performs these activities:
- Install Bolt on the node.
- Create the
/root/.puppetlabs/etc/bolt/bolt-defaults.yamlfile with custom configuration to:- Use the PCP transport.
- Use the local PuppetDB for queries.
- Consume a Puppet token.
Dependencies
-
apply_helpers- The
puppet_bolt_serverdepends on theapply_helpersmodule, it will install helper tasks that are used by theapply()function in Bolt.
To install it, make sure to add it to the Puppetfile in your control-repo
mod 'puppetlabs-apply_helpers', '0.3.0'Note: you only need to install this module if you want to use
apply()in your plans. - The
-
taskplanWe recommend installing the
taskplanmodule. Thetaskplanmodule allows you to run a task that uses Bolt to run a plan.You can also create a task yourself or use any task that can run a bolt plan on the bolt server.
Installation
Quickstart: Use the PE console to configure the puppet_bolt_server in your existing PE server.
-
Add the puppetlabs-puppet_bolt_server to your control repo.
-
Add a new node group in the PE console:
Parent name: PE Infrastructure Group name: Bolt Server Environment: production -
Add the
puppet_bolt_serverclass to your Bolt Server node group. -
On the Rules tab, add the dedicated compiler (for running Bolt) to the group. This compiler must not be in the compiler pool for catalog compilation.
-
On the Configuration data tab, add your puppet token (sensitive string).
Class: puppet_bolt_server Parameter: puppet_token Value: '<PUPPET_TOKEN>'- We recommend creating a service user inside PE RBAC and choosing an appropriate lifetime for its token.
- Use this command to generate a token with a one-year lifetime:
puppet access login --lifetime 1y
-
Commit your changes.
-
Run Puppet on the Bolt Server node group.
Usage
After completing the installation steps, your Bolt server should have these files:
/root/.puppetlabs/etc/bolt/bolt-defaults.yaml/root/.puppetlabs/bolt/bolt-project.yaml/root/.puppetlabs/token
To test that everything is configured properly, you can run any Bolt plan that runs a PuppetDB query, such as this test plan:
# /root/Projects/local_plan/plans/test.pp
plan local_plan::test(
){
$query_results = puppetdb_query("nodes[]{}")
out::message("Hello world from the Bolt Server, query results: ${query_results}")
}
Run the test plan with:
bolt plan run local_plan::test
You should get the PuppetDB query results in the terminal. If you inspect the puppetdb-access.log, you should find a log with a call to the local PuppetDB returning a 200 OK HTTP status. For example:
$ less /var/log/puppetlabs/puppetdb/puppetdb-access.log
127.0.0.1 - - [01/Nov/2022:15:56:21 +0000] "POST /pdb/query/v4 HTTP/1.1" 200 1793 "-" "HTTPClient/1.0 (2.8.3, ruby 2.7.6 (2022-04-12))" 99 21 -
Logs
By default, this module will create the log file under /var/log/puppetlabs/bolt-server/bolt-server.log.
The log level is set to 'info' by default. For more information, please read the Bolt logs doc here
To change the log level you can go to the Bolt Server's node group, in the Classes tab add the bolt_log_level parameter as shown in the screenshot above, commit your changes and run Puppet on the node group.
Run a plan on the Bolt server
This is an overview of the internal process when you offload plan execution from your PE primary server to a Bolt server. Please note that we recommend using taskplan but it can also be a different task that starts a Bolt plan:
- Someone requests Orchestrator to run the
taskplantask on the Bolt server. - The
taskplantask runs on the Bolt server. - The task starts Bolt with the
bolt plan runcommand. - Bolt starts and runs the plan
Example 1
This example uses puppet task run to run the taskplan task on the Bolt server.
Required parameters:
- Choose one of your existing, basic plans or create one that receives a parameter (such as
message). - Use your Bolt server's certname.
From the PE primary server CLI, run:
puppet task run taskplan --params '{"plan":"<PLAN_NAME>", "params":{"message": "Hello world!"}, "debug":true}' -n <BOLT_SERVER_CERTNAME>
This triggers a taskplan task run, and the task runs the plan on the Bolt server according to the specified parameters.
This offloads plan execution from Orchestrator to a dedicated Bolt server, which alleviates CPU and memory load on the primary server.
Example 2
This example uses the Orchestrator API to trigger a task run. You can do this from any system connected to your PE primary server (over port 8143) and that has a Puppet RBAC token.
Prepare a JSON body to run taskplan task, targetting the Bolt server. For example:
# test_params.json
{
"environment" : "production",
"task" : "taskplan",
"params" : {
"plan" : "<PLAN_NAME>",
"params" : { "message": "Hello world!" },
"debug" : true
},
"scope" : {
"nodes" : ["<BOLT_SERVER_CERTNAME"]
}
}
Make sure to change the params.plan, params.params, and the scope.nodes according to your own test plan.
Use curl to trigger the Ochrestrator API and run the task:
auth_header="X-Authentication: $(puppet-access show)"
uri="https://$(puppet config print server):8143/orchestrator/v1/command/task"
curl -d "@test_params.json" --insecure --header "$auth_header" "$uri"
Limitations
puppet_bolt_serveris tested only on RHEL 7 and 8 based systems.- Requires Puppet >= 6.21.0 <= 7.20.0
- This module only supports running plans from the Production environment.
- Warning: There is no rate limit to run plans, and you need to pay attention to the VM specification since the available memory is directly related to how many concurrent plans you can run.
Recommendations
Based on the results of the load test, we know that each additional (concurrent) 50 plans require about 4 GiB to run successfully. As explained in the limitations section, in this early version puppet_bolt_server there are no limits on memory consumption, the bolt processes will continue to use more and more memory until the system becomes completely unresponsive. In our tests, we used 24 GiB of RAM but we noticed the thin margin of memory left during the test, this is dangerous since we could run out of memory.
These are the machine specs of our servers:
- 24 GiB RAM
- CPU Intel Broadwell x86/64, 6 cores
Our recommendation is to run a maximum of 200 concurrent plans, allocating 28 GiB RAM for it, this will give a bit of room in case of unexpected spikes of plans beyond 200.
For education purposes here are two charts that show how the Bolt server will behave in the scenario of running 200 concurrent plans:
Reference
Table of Contents
Classes
puppet_bolt_server: This Bolt Server module will install and configure Bolt to use the PCP protocol
Tasks
status: Returns the number of Bolt processes, and free available memory
Classes
puppet_bolt_server
This Bolt Server module will install and configure Bolt to use the PCP protocol
Examples
Basic usage
include puppet_bolt_server
Parameters
The following parameters are available in the puppet_bolt_server class:
puppet_token
Data type: Sensitive[String]
This should be a token with permissions to launch Orchestrator jobs. Generate a token with a lifetime of 1 year: puppet access login --lifetime 1y
bolt_log_level
Data type: Enum['trace', 'debug', 'info', 'warn', 'error', 'fatal']
This Enum (String) configures the log level in the bolt-project configuration file By default the log level is set to 'debug' For more information, please read the Bolt logs doc: https://puppet.com/docs/bolt/latest/logs.html#log-levels
Default value: 'info'
Tasks
status
Returns the number of Bolt processes, and free available memory
Supports noop? false
What are tasks?
Modules can contain tasks that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.
Tasks in this module release
status
Returns the number of Bolt processes, and free available memory
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v1.0.1 (2023-02-01)
Fixed
v1.0.0 (2023-01-31)
* This Changelog was automatically generated by github_changelog_generator
Quality checks
We run a couple of automated scans to help you assess a module’s quality. Each module is given a score based on how well the author has formatted their code and documentation and select modules are also checked for malware using VirusTotal.
Please note, the information below is for guidance only and neither of these methods should be considered an endorsement by Puppet.
Malware scan results
The malware detection service on Puppet Forge is an automated process that identifies known malware in module releases before they’re published. It is not intended to replace your own virus scanning solution.
Learn more about malware scans- Module name:
- puppetlabs-puppet_bolt_server
- Module version:
- 1.0.1
- Scan initiated:
- February 1st 2023, 6:25:37
- Detections:
- 0 / 60
- Scan stats:
- 60 undetected
- 0 harmless
- 0 failures
- 0 timeouts
- 0 malicious
- 0 suspicious
- 14 unsupported
- Scan report:
- View the detailed scan report