MCollective installed. And now? by Thomas Gelf


MCollective describes itself as an orchestration framework. Once installed, it can show some funny tricks out of the box. However, as the wording implies, a framework usually asks you to spend more than just a couple of minutes on it, at least if you want to get real benefit in real-world environments.

This talk will introduce MCollective, quickly cover architectural and security questions, and give some hints on how to start extending this framework. A few interesting examples are meant to inspire you to get more work done by MCollective.

  1. MCollective installed. And now? 2013-28-11 | Puppet Camp Munich
  3. Just me: Thomas Gelf
     Joined NETWAYS in 2010
     Formerly, more than 10 years: web (application) development; routing/switching (bank and ISP backbone); ISP environment: architecting and building highly available platforms (mail, hosting, SIP carrier, IPv6...)
     Nationality: Italian. Mother tongue: German. SOUTH TYROLEAN!!!
  4. DEVELOPERRRR!!! Since today :-)
  5. Puppet and NETWAYS: Puppet Labs partner, Puppet consulting, first provider of Puppet trainings in Germany. More:
  6. What this talk is all about: MCollective quick introduction, basic use cases, architecture, security, extensions, future ideas and suggestions
  7. HANDS UP
  9. Facts about MCollective: Father: R.I. Pienaar. Age: 2.2.4 (2.3.3). Language: Ruby. Profession: orchestration framework. CV:
  10. MCollective components: It's soooo easy...
     We send commands to a group of servers
     They execute them and send replies
     We need a middleware == black magic for lots of us
     Honestly, there is more...
  12. Use case I - Break the rules: It is "a puppet component", so we are allowed to use it. No more "defined state". Finally!
  13. Use case II - puppet resource: puppet resource on steroids
  14. Use case II - puppet resource: puppet resource on steroids. Conflicts with Puppet? Can be "solved": plugin.puppet.resource_allow_managed_resources
  15. Use case III - Emergency button: After rolling out new Puppet modules: STOP all Puppet agents. Find out what went wrong. Fix it. Somehow.
  16. Use case III - Emergency button: If this is what you are usually doing... ...please. Please. PLEASE!!! have a look at
  17. Use case IV - Archaeology: How many different <SomeApplication> versions are in production use? Is this you? Then it's time for a commercial break...
  18. Puppet Enterprise
  19. Use case V - Puppet health: It's great, but... don't forget about the colorful GUIs. Reporting matters!
  20. Use case VI - puppet kick: puppet kick replacement
     mco service stop puppet
     mco puppet runonce --batch 10 --batch-sleep 600
     mco puppet runall 10
     mco puppet (en|di)sable
     Run on demand or triggered by a centralized cronjob, Jenkins, GUI (PE!)
  21. Use case VI - puppet kick: You can combine this with ACLs
     NOC: restart services in maintenance mode
     Developers: everything. In THEIR environment.
     Thomas: loves wildcards
     "Action Policy Authorization Plugin"
  22. Use case VII - for negative people: Double negative: I do not disagree. I haven't seen nothing. If you don't want to go nowhere...
  23. Use case VII - for negative people: With Puppet, this is --no-noop
  24. Use case VIII - Apply specific modules: mco puppet runonce --tag somespecialmodule. You should be VERY careful with tags!
  25. Use case IX - CMDB grooming: YES, every change is processed in our CMDB and then applied by Puppet. Or the other way round: mco inventory
     factsource = facter
     # VS
     factsource = yaml
     plugin.yaml = /etc/mcollective/facts.yaml
     Report handler?
  26. Use case X - manage certificates: We all love managing Puppet certificates.
     mco puppet resource exec '/bin/rm -rf $(puppet agent --configprint ssldir)/*'
     Have a look at plugin.puppet.resource_type_(black|white)list
  28. Filters - simple ones:
     -F, --wf, --with-fact osfamily=Debian
     -C, --wc, --with-class some::class
     -W, --with customer=lovely my_roles::loadbalancer
  29. Filters - oldschool:
     -A, --wa, --with-agent youragentplugin
     -I, --wi, --with-identity certname
     When delivering the MCO config, do NOT trust facts: identity = <%= lookupvar('::certname') %>
  30. Filters - the cool stuff: -S, --select FILTER
     -S "resource('Service[apache2]').managed = true"
     -S "fstat('/etc/hosts').md5=/^0c9d/ and environment=dev"
     Based on data plugins
  31. SECURITY
  32. SECURITY MATTERS! puppet module install puppetlabs-mcollective. They had a reason for writing this.
  33. SECURITY MATTERS! Please do not deploy without reading A LOT
     No plaintext messages
     No preshared keys
     Re-use Puppet certs for the transport
     Create one certificate per client to sign bodies
  35. Search for plugins! Monitoring: replace NRPE. Manage your iptables rules "live". Handle processes.
  36. Read about registration... ...unless your network is your only source of truth
  37. Start writing simple RPC agents - harmless:
     module MCollective
       module Agent
         class Helloworld < RPC::Agent
           # Echo the validated :msg field back to the caller
           action 'echo' do
             validate :msg, String
             reply[:msg] = request[:msg]
           end
         end
       end
     end
  38. Start writing simple RPC agents - harmful:
     # Runs whatever string the caller sends; :stdout => :out stores output in reply[:out]
     action 'exec' do
       validate :command, String
       reply[:status] = run(request[:command], :stdout => :out, :stderr => :err)
       reply[:out].chomp!
       reply[:err].chomp!
     end
     action 'perlrulez' do
       implemented_by "/some/"
     end
  39. Write SimpleRPC clients:
     require 'mcollective'
     include MCollective::RPC
     mc = rpcclient("helloworld")
     mc.echo(:msg => "hello world").each do |resp|
       printf("%-40s: %s\n", resp[:sender], resp[:data][:msg])
     end
     This is where real orchestration starts. Bad news: you are on your own.
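The exec action on slide 38 hands request[:command] straight to run(), so everyone who is allowed to call that action gets a remote shell on every node the filter matches; the ActionPolicy ACLs from slide 21 restrict who may call it, but the agent should also refuse free-form input. The following Ruby is an added example, not code from the talk or from MCollective: it keeps the slide's reply shape (:status, :stdout, :stderr) but only lets the caller choose a task name from a fixed table, validates the field it actually uses, and runs the resulting argv without a shell. ALLOWED_TASKS, validate_field, resolve_task and run_task are names made up for this example, and validate_field is a stand-in for RPC::Agent#validate so the file runs without the mcollective gem.

```ruby
require 'open3'

# Constructed allow-list for this example: task name -> argv.
# Only these argv arrays can ever be executed; the caller never supplies a command string.
ALLOWED_TASKS = {
  'uptime' => ['uptime'],
  'disk'   => ['df', '-h', '/'],
  'hello'  => ['echo', 'hello world']
}.freeze

class TaskValidationError < StandardError; end

# Stand-in for MCollective's validate(:field, Type) (assumption: same semantics),
# so the example runs without the mcollective gem. Rejects missing or wrongly typed fields.
def validate_field(request, field, type)
  value = request[field]
  raise TaskValidationError, "#{field} missing" if value.nil?
  raise TaskValidationError, "#{field} must be #{type}" unless value.is_a?(type)
  value
end

# Map a validated task name to its argv; anything not in the table is refused.
# Shell metacharacters in the name are harmless because the name is only a hash key.
def resolve_task(request)
  name = validate_field(request, :task, String)
  argv = ALLOWED_TASKS[name]
  raise TaskValidationError, "task #{name.inspect} not allowed" unless argv
  argv
end

# Run the resolved argv directly (no shell) and build a reply hash in the same
# shape as the slide's agent: :status, :stdout, :stderr. Validation failures
# come back as status 1 with the reason in :stderr, and nothing is executed.
def run_task(request)
  argv = resolve_task(request)
  out, err, status = Open3.capture3(*argv)
  { status: status.exitstatus, stdout: out.chomp, stderr: err.chomp }
rescue TaskValidationError => e
  { status: 1, stdout: '', stderr: e.message }
end

if __FILE__ == $PROGRAM_NAME
  p run_task(task: 'hello')        # runs echo, status 0
  p run_task(task: 'uptime; id')   # unknown name, refused before anything runs
  p run_task(command: 'ls')        # wrong field, refused by validation
end
```

Inside a real agent the same logic sits in an `action 'run_task' do ... end` block with `validate :task, String` and the hash assignments written to `reply`; the table of argv arrays belongs in the agent file on the node, never in the request.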
  40. LAB
  41. Thank you for your attention!
  42. Questions?
     class puppetcamp { package { 'questions': ensure => answered } }
     Thomas Gelf <>