Thoughts from the field

Gary Larizza joins Open Infrastructure Services

Gary Larizza Portrait

Open Infrastructure Services is growing! I’m excited to announce Gary Larizza, has joined Open Infrastructure Services as a Principal Consultant. Gary and I first started working together on Puppet back in 2010 in Portland, Oregon. From that first day working together I was struck by Gary’s attitude and desire to dive deep in the guts of Puppet to figure out what’s really going on. Fast forward to 2017, and I’ve found myself visiting Shit Gary Says on a daily basis while working on Puppet types and providers. Gary’s ability to assimilate complex information, distill that information into the essential bits customers value, and communicate that essential information with humor and empathy has been invaluable to me personally. A great example of this depth, humor, and empathy is, Seriously, what is this provider doing?

Gary and I both started out working in education in Ohio, though separately from one another. We were bought together in Portland, OR by two australians from the other side of the world, Nigel Kersten and James Turnbull.

Gary and I share that special bond that only comes from successfully dealing with a classroom full of computers delivered a couple of weeks before school starts with the latest and greatest Mac OS X major release, chock full of changes and new surprises.

Please check out Gary’s post, Some Other Beginning’s End on this new beginning for both of us.

Contact us with your automation and cloud infrastructure goals. We’d both love to help you handle changes faster and more confidently through automated cloud infrastructure.

Gary is also a Puppet certified consultant and a member of the Puppet Services Delivery Partner Program. We’re here to help achieve your goals whether you’re expanding your Puppet investment, upgrading to the latest version and language features, or just getting started.

Puppet Enterprise Node Classification Backup & Restore with ncio

I’m happy to announce ncio, a small command line utility to backup and restore Puppet Enterprise Node Classification data.

A customer recently needed to automate the process of backing up and restoring Puppet Enterprise. Most of the work involved in accomplishing this goal is fairly straight-forward. The majority of the Puppet configuration is stored in version control in a Control Repository and Git is incredibly easy to backup and restore. Most customers I work with don’t mind losing data stored in PuppetDB because Puppet reports, resource information, and facts are automatically re-populated as nodes check in after the system is restored. The certificates used by Puppet are also fairly straight forward to backup as they live on the local filesystem.

The only service that was difficult to backup using normal filesystem tools is the Node Classification Service. The node classifier stores critical information and as a result it needs to be backed up and restored along side all of these other resources.

The Node classification v1 API is an excellent mechanism to retrieve and restore node classification data, but the task of using the API is largely left as an exercise for the reader. In order to help with this common problem, I wrote a small utility called ncio (node classification input / ouput). If you’d like to easily get a dump of all node classification data in pretty-printed JSON, transform a backup for restoration on a different PE Monolithic Master, or restore a backup then this tool is for you.

The tool is distributed and updated on rubygems in an effort to make it easiy to install and upgrade in the future.

Here’s how to get started:


Installation is straight-forward thanks to Puppet Enterprise shipping with the gem command:

$ sudo /opt/puppetlabs/puppet/bin/gem install ncio
Successfully installed ncio-1.1.0
Parsing documentation for ncio-1.1.0
Installing ri documentation for ncio-1.1.0
Done installing documentation for ncio after 0 seconds
1 gem installed


The command runs best from a PE Monolithic Master. The tool automatically uses SSL certificates which are already present to make setup as easy as possible.

sudo -H -u pe-puppet /opt/puppetlabs/puppet/bin/ncio backup > /var/tmp/backup.json
I, [2016-06-28T19:25:55.507684 #2992]  INFO -- : Backup completed successfully!

Retrying Connections

When automating a backup from cron, it’s recommended to use the --retry-connections global option to make the backup as robust as possible. This option allows ncio to retry in certain situations, e.g. when the puppetserver service is restarting.

Restore Pipelines

The command is designed to send a backup to standard output and restore from standard input. This allows backup and restore pipelines. In this example a backup is taken on master1, transformed so that it can be restored on master2, then restored on master2:

export PATH="/opt/pupeptlabs/puppet/bin:$PATH"
ncio --uri https://master1.puppet.vm:4433/classification-api/v1 backup \
 | ncio transform --hostname master1.puppet.vm:master2.puppet.vm \
 | ncio --uri https://master2.puppet.vm:4433/classification-api/v1 restore

Command overview

Global options:

$ ncio --help
Sub Commands:

  backup     Backup Node Classification resources
  restore    Restore Node Classification resources
  transform  Transform a backup, replacing hostnames

Quick Start: On the host of the Node Classifier service, as root or pe-puppet
(to read certs and keys)

    /opt/puppetlabs/puppet/bin/ncio backup > groups.$(date +%s).json
    /opt/puppetlabs/puppet/bin/ncio restore < groups.1467151827.json


    ncio --uri https://master1.puppet.vm:4433/classification-api/v1 backup \
     | ncio transform --hostname master1.puppet.vm:master2.puppet.vm \
     | ncio --uri https://master2.puppet.vm:4433/classification-api/v1 restore

Global options: (Note, command line arguments supersede ENV vars in {}'s)
  -u, --uri=<s>                Node Classifier service uri {NCIO_URI}
                               (default: https://localhost:4433/classifier-api/v1)
  -c, --cert=<s>               White listed client SSL cert {NCIO_CERT}
                               See: (default:
  -k, --key=<s>                Client RSA key, must match certificate {NCIO_KEY} (default:
  -a, --cacert=<s>             CA Cert to authenticate the service uri {NCIO_CACERT}
                               (default: /etc/puppetlabs/puppet/ssl/certs/ca.pem)
  -l, --logto=<s>              Log file to write to or keywords STDOUT,
                               STDERR {NCIO_LOGTO} (default: STDERR)
  -s, --syslog, --no-syslog    Log to syslog (default: true)
  -v, --verbose                Set log level to INFO
  -d, --debug                  Set log level to DEBUG
  -r, --retry-connections      Retry API connections, e.g. waiting for the
                               service to come online. {NCIO_RETRY_CONNECTIONS}
  -o, --connect-timeout=<i>    Retry <i> seconds if --retry-connections=true
                               {NCIO_CONNECT_TIMEOUT} (default: 120)
  -e, --version                Print version and exit
  -h, --help                   Show this message

Backup options

$ ncio backup --help
Node Classification backup options:
  -g, --groups, --no-groups    Operate against NC groups.  See: (default: true)
  -f, --file=<s>               File to operate against {NCIO_FILE} or STDOUT, STDERR (default: STDOUT)
  -h, --help                   Show this message

Transform options

$ ncio transform --help
Node Classification transformations
Note: Currently only Monolithic (All-in-one) deployments are supported.

Transformation matches against class names assigned to groups.  Transformation
of hostnames happen against rules assigned to groups and class parameters for
matching classes.

  -c, --class-matcher=<s>    Regexp matching classes assigned to groups.
                             Passed to (default: ^puppet_enterprise)
  -i, --input=<s>            Input file path or keywords STDIN, STDOUT, STDERR (default: STDIN)
  -o, --output=<s>           Output file path or keywords STDIN, STDOUT, STDERR (default: STDOUT)
  -h, --hostname=<s+>        Replace the fully qualified domain name on the left with the
                             right, separated with a :
                             e.g --hostname
  -e, --help                 Show this message

Restore options

$ ncio restore --help
Node Classification restore options:
  -g, --groups, --no-groups    Operate against NC groups.
                               See: (default: true)
  -f, --file=<s>               File to operate against {NCIO_FILE} or STDOUT,
                               STDERR (default: STDIN)
  -h, --help                   Show this message

Hopefully you find ncio useful. If so, please let me know! If you run into any issues or would like to see additional features, please open up an issue on the project page.


Finally got a logo. It turned out to be pretty easy once I finally took the plunge and signed up for fiverr. Fairly inexpensive, and a quick 5 day turnaround on the design. I was able to take the original image files and work with them in The GNU Image Manipulation Program.

Lift Off!

3.. 2.. 1.. Lift Off!

I’m pleased to announce Open Infrastructure Services, LLC is open for business! Here’s some information about myself and the services I have available. Please email me with any questions about how I can help.

Open Infrastructure Services is founded by me, Jeff McCune, a veteran systems administrator and software developer with over 15 years of experience. Before starting my consulting business I was at Puppet Labs as a software developer working on Puppet, Facter, Puppet Server, and other internal tools like crossfader. Prior to that, I was a professional services engineer at Puppet Labs, traveling the world working with customers and the open source community on matters of system architecture, availability, security, and continuous delivery workflows.

Jeff McCune

While traveling for Puppet Labs, I also co-authored Pro Puppet, the best-selling book about how to quickly get started and then scale Puppet toward full automation.

Pro Puppet Cover Image

Before Puppet Labs I worked at Netsmart Technologies where I was responsible for our hosted SaaS datacenters. Puppet and DevOps practices played a key part of my success at Netsmart. We were able to implement SAS-70 II compliance in a matter of months using a well defined change management process, and detailed automated reports integrated with Puppet and Splunk.

Prior to Netsmart Technologies, I worked at the Mathematics Department at Ohio State University. There, I learned about automation, cfengine, started using Puppet, and fully automated our Mac OS X workstations and labs. In order to achieve full automation for PowerPC and Intel based systems, I reverse engineered Apple’s boot service discovery protocol and patched ISC DHCP to behave as an automated network boot server for Mac OS X. I presented on Puppet at Apple’s Worldwide Developer Conference.

Please contact me if you have a need for professional, intelligent and creative solutions to the infrastructure problems that are holding you back from delivering your applications.

Announcing Open Infrastructure Services, LLC

Hello, World!

I’m a little sad to say I’ve left Puppet Labs after over 5 years working for the company and working on Puppet. It was a difficult decision, but I’m pleased to announce that I’ve decided to start my own independent consulting business, Open Infrastructure Services, LLC. I’ll be helping clients with their Puppet related problem while also focusing on bringing creative solutions to bear on complex infrastructures. Please email me for more information, I’d love to hear how I could help you and your business.

company { "Open Infrastructure Services, LLC":
  ensure  => running,
  founder => "Jeff McCune",
  website => "",
  email   => "[email protected]",