Managing Macs with Puppet at PSU 2013

For those of you who attended my talk yesterday at PSU MacAdmins on Managing Macs with Puppet, here are my slides and all of the code and servers used are up on grahamgilbert/puppet_psu_2013 on GitHub. Please comment, email me or catch me on the twitter if you have any questions about any of this. Hopefully the video will be up soon, so those of you who weren’t there to laugh at the guy with the funny accent can see me dealing with internet fails and my obscure British sit-com references. ...

May 24, 2013

One bootstrap package to rule them all

At work, we’ve recently changed how we build our bootstrap package to having the main code that connects a Mac to our Puppet infrastructure pulled down from GitHub when the client boots up for the first time. Why? This might sound like madness to you. Why would anyone want to do this? We had two main issues to solve: I got sick of rebuilding our images every time our bootstrap script changed. Our engineers got sick of downloading the latest version of our package every time they thin / no-imaged a Mac. Why would our script change so much? In our case, it is to install the latest versions of Puppet and Facter. This isn’t strictly necessary, as we update Puppet and Facter with Munki, but occasionally there will be something in our Puppet config that requires a specific version - for example, when we started configuring usernames on 10.8 Macs with Puppet, the salt parameter was introduced. This required Puppet 3.0.2-ish or higher - which meant that any NetRestore image or old package that contained a version of Puppet lower than this would fail, and the engineer on site was in for a world of pain. ...

April 7, 2013

Facter 101

Facter is what gives Puppet its brains. It collects information about the computer it is run on and then passes it to the Puppet Master for use in manifests and can optionally be stored. I know, it doesn’t sound like the most earth-shattering revelation of all time, but stop for a moment. Every time your current scripts need to target a specific OS version or a machine with a certain bit of hardware, you need to code it directly into the script. If the method of extracting that information changes, you need to modify every single script that uses that method. With Facter, you’re editing one file, which is always up to date on the client. Anyway, that’s enough waffle from me. Let’s get started. ...

April 2, 2013

Getting Started With Puppet on OS X (Part 4)

We’ve made quite a bit of progress with our Puppet install. We’ve already made Puppet do something useful with setting up an admin user, but let’s get back to being lazy - let’s get someone else to write the code. Before reading this post, you really need to read part 1, part 2 and part 3 of the series. Modules are little pre-built bits of Puppet code. They’re a good example of Puppet’s philosophy of convention over configuration - Puppet will assume your modules follow a set pattern. We’ll be using two of the available folders in modules today: files and manifests. Files are static files that Puppet will copy over to our client machine, and manifests will contain the Puppet code we’ve previously been putting into /etc/puppet/manifests/site.pp - whilst it’s been easy to put code into this file, it can become unwieldy when you have a few nodes to manage. There are also loads of pre-built modules on the Puppet Forge - it’s one of these modules we’ll be using today. ...

March 5, 2013

Getting Started With Puppet on OS X (Part 3)

In this post, we’ll do something pretty much all Mac admins will need to do - set up their admin user. But first, a little housekeeping. Before reading this post, you really need to read part 1, part 2 and most importantly my post on building a Puppet Master with Vagrant. The Puppet Labs provided VM won’t cut it here, we need the latest version of Puppet on our Master. If you are using the same Mac / OS X VM that was previously hooked up to the Puppet Master VM, you will need to run the following command on the client - don’t worry, it will get new certificates from your very own Puppet Master: ...

February 24, 2013

Building a test Puppet Master with Vagrant

Puppet is awesome. Until you deploy some code that worked locally, but for some reason didn’t when you put it onto your Puppet Master. Whoops. So, you need a testing setup. But Puppet can take a while to keep configuring. Which is where Vagrant comes in. It is a tool which allows you to build virtual machines automatically (currently only with VirtualBox, but VMware Fusion support is coming very soon). And the best part (for me, anyway) is that it uses Puppet to configure the VM (Puppet to configure your Puppet Master? All too meta for this time of the morning). ...

February 13, 2013

Getting started with Puppet on OS X (part 2)

Before reading this post, you really need to read part 1 - none of this will make sense without it! Still with me? Let’s finally do something with Puppet. SSH into your Puppet Master (if its IP has changed since you first did the setup, make sure you reflect this change in the Mac client’s /etc/hosts file) and navigate to /etc/puppet and list the directory’s contents:

    cd /etc/puppet
    ls -la

You’ll see a few directories here - we’re interested in two today - manifests and modules. Manifests will be where you describe your nodes, and the modules are the functional Puppet code. ...

January 27, 2013

Getting started with Puppet on OS X (part 1)

When I was first getting started, the first hurdle I had to get over was trying to work out how it would apply to what I do - manage Macs. There are plenty of resources on managing servers with Puppet, but precious little on using Puppet with OS X - so, here’s how to get started with Puppet. ...

January 25, 2013

Crypt: A FileVault 2 escrow solution

Although it’s been blogged about over at afp548 and Rich Trouton’s blog, I’d like to introduce you all to Crypt. Crypt is a solution for enabling FileVault 2 on Macs running either 10.7 or 10.8 and securely storing those keys, using no outside infrastructure like other solutions do (Cauliflower Vest’s requirement of Google App Engine). Its only requirement is a web server that can run a Django app (which is pretty much anything - the example setup uses Apache on Ubuntu 12, but you can use anything you want). ...

January 18, 2013

Casper Vs Munki

Next up in the battle of Casper vs the rest of the Mac admin toolset looking to reign supreme in the contest of software installation is Munki.

Setup

The setup process for a Munki server can seem to be very daunting at first if you’ve not configured a web server before. If you are happy setting one up, it’s the easiest server install you’ll ever do! Munki’s requirement of just a basic web server means it can run on literally anything (although Casper will also run on anything you’re likely to use - I’ve had both running on Windows boxes for example). ...

January 13, 2013