MCollective installed. And now? by Thomas Gelf
DESCRIPTION
MCollective defines itself as an orchestration framework. Once installed it will show you some funny tricks out of the box. However, as the wording implies, a framework usually asks you to spend more than just a couple of minutes, at least if you want to get real benefit in real-world environments. This talk will introduce MCollective, quickly handle architectural and security questions and give some hints on how to start extending the framework. A few interesting examples are meant to inspire you to get more work done by MCollective.
TRANSCRIPT
MCollective installed. And now?
2013-11-28 | Puppet Camp Munich
SELF-INTRODUCTION
Just me: Thomas Gelf
Joined NETWAYS in 2010
Formerly, for more than 10 years:
Web (application) development
Routing/switching (bank and ISP backbone)
ISP environment: architecting and running highly available platforms (mail, hosting, SIP carrier, IPv6...)
Nationality: Italian. Mother tongue: German
SOUTH TYROLEAN!!!
DEVELOPERRRR!!! Since today :-)
Puppet and Netways
Puppet Labs Partner
Puppet Consulting
First provider of Puppet trainings in Germany
More: www.netways.de/training
What this talk is all about
MCollective
Quick introduction
Basic use cases
Architecture
Security
Extensions
Future ideas, suggestions
HANDS UP
INTRODUCTION
Facts about MCollective
Father: R.I.Pienaar
Age: 2.2.4 (2.3.3)
Language: Ruby
Profession: Orchestration framework
CV: http://puppetlabs.com/mcollective
MCollective components
It's soooo easy...
We send commands to a group of servers
They execute them and send replies
We need a middleware == black magic for lots of us
Honestly, there is more...
BASIC USE CASES
Use case I - Break the rules
It is "a puppet component" so we are allowed to use it
No more "defined state". Finally!
Use case II - puppet resource
puppet resource on steroids
Conflicts with Puppet? Can be "solved":
plugin.puppet.resource_allow_managed_resources
Use case III - Emergency button
After rolling out new Puppet modules:
STOP all Puppet Agents
Find out what went wrong
Fix it. Somehow.
Use case III - Emergency button
If this is what you are usually doing...
...please. Please. PLEASE!!! have a look at
http://projects.puppetlabs.com/projects/1/wiki/Development_Writing_Tests
Use case IV - Archeology
How many different <SomeApplication> versions are in production use?
Is this you? Then it's time for a commercial break...
Puppet Enterprise
Use case V - Puppet health
It's great, but...
...do not forget about the colorful GUIs.
Reporting matters!
Use case VI - puppet kick
puppet kick replacement
mco service stop puppet
mco puppet runonce --batch 10 --batch-sleep 600
mco puppet runall 10
mco puppet (en|di)sable
Run on demand or triggered by a centralized cronjob, Jenkins, GUI (PE!)
Use case VI - puppet kick
You can combine this with ACLs
NOC: restart services in maintenance mode
Developers: everything. In THEIR environment.
Thomas: loves wildcards
"Action Policy Authorization Plugin"
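The NOC/developer split above is expressed in the policy files read by the Action Policy Authorization Plugin (mcollective-actionpolicy-auth). The following is an added example, not the plugin's own code: a simplified model of that file format covering the subset needed here (one file per agent, tab-separated columns, "*" as wildcard, space-separated lists, fact=value pairs that must all match, first matching rule wins). The real plugin also accepts compound filters and regular expressions, which this model leaves out. Policy text, caller ids and node data are constructed for the example.

```ruby
# Added example, not the actionpolicy plugin's own code: a simplified
# evaluator for its policy format. Columns of a rule line are tab separated:
#   allow|deny  <caller>  <actions>  <facts>  <classes>
# "*" is a wildcard, lists are space separated, all listed facts and classes
# must match, the first matching rule decides, otherwise "policy default".
# One policy file per agent; this constructed one would be service.policy.
SERVICE_POLICY = <<~POLICY
  policy default deny
  allow\tcert=noc\trestart status\tmaintenance=true\t*
  allow\tcert=dev\t*\tenvironment=dev\t*
  allow\tcert=thomas\t*\t*\t*
POLICY

Rule = Struct.new(:effect, :caller_id, :actions, :facts, :classes)

# "*" becomes :any, everything else a list of values
def policy_column(col)
  col == '*' ? :any : col.split(' ')
end

# returns [default_effect, rules]
def parse_policy(text)
  default = :deny
  rules = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\Apolicy default (allow|deny)\z/))
      default = m[1].to_sym
      next
    end
    effect, caller_id, actions, facts, classes = line.split("\t", 5)
    raise ArgumentError, "malformed rule: #{line.inspect}" unless classes
    rules << Rule.new(effect.to_sym, caller_id, policy_column(actions),
                      policy_column(facts), policy_column(classes))
  end
  [default, rules]
end

def rule_matches?(rule, caller_id, action, node_facts, node_classes)
  return false unless rule.caller_id == '*' || rule.caller_id == caller_id
  return false unless rule.actions == :any || rule.actions.include?(action)
  if rule.facts != :any
    facts_ok = rule.facts.all? do |pair|
      key, value = pair.split('=', 2)
      node_facts[key].to_s == value
    end
    return false unless facts_ok
  end
  if rule.classes != :any
    return false unless rule.classes.all? { |c| node_classes.include?(c) }
  end
  true
end

# caller_id is what the security plugin derives for the request,
# "cert=<client cert name>" with the ssl provider
def authorized?(policy_text, caller_id, action, node_facts, node_classes = [])
  default, rules = parse_policy(policy_text)
  hit = rules.find { |r| rule_matches?(r, caller_id, action, node_facts, node_classes) }
  (hit ? hit.effect : default) == :allow
end

if __FILE__ == $0
  [['cert=noc', 'restart', { 'maintenance' => 'true' }],
   ['cert=noc', 'restart', { 'maintenance' => 'false' }],
   ['cert=noc', 'stop', { 'maintenance' => 'true' }],
   ['cert=dev', 'stop', { 'environment' => 'dev' }],
   ['cert=dev', 'stop', { 'environment' => 'production' }],
   ['cert=thomas', 'stop', {}]].each do |caller_id, action, facts|
    verdict = authorized?(SERVICE_POLICY, caller_id, action, facts) ? 'allow' : 'deny'
    puts format('%-12s %-8s %-32s %s', caller_id, action, facts.inspect, verdict)
  end
end
```

Note that the facts in the rule are matched against the facts of the node that evaluates the policy, so "maintenance=true" is decided per server, not by the client: a NOC operator can only restart what is actually flagged as being in maintenance.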
Use case VII - for negative people
Double negative
I do not disagree
I haven't seen nothing
If you don't want to go nowhere...
Use case VII - for negative people
With Puppet, this is --no-noop
Use case VIII - Apply specific modules
mco puppet runonce --tag somespecialmodule
You should be VERY careful with tags!
Use case IX - CMDB grooming
YES, every change is processed in our CMDB
And then applied by Puppet
Or the other way round
mco inventory
factsource = facter
# VS
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
Report handler?
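With factsource = yaml, discovery reads a static file instead of running Facter on every request, and it is that file which the CMDB or Puppet keeps groomed. The following is an added example, not from the talk: a small Ruby script that writes /etc/mcollective/facts.yaml from a fact hash, leaving out the volatile facts (uptime, free memory and the like) that would otherwise change the file on every run and are useless as filter keys. The fact hash, the output path and the exact reject list are assumptions for the example.

```ruby
# Added example, not from the talk: build the facts.yaml that
# "factsource = yaml" reads, without the facts that churn every run.
require 'yaml'
require 'tmpdir'

# Facts that change constantly and are useless as discovery filters.
# The pattern is an assumption; extend it to what churns in your fleet.
VOLATILE_FACT = /(uptime|timestamp|free|swap|memory|load)/

# Keep only stable facts, sorted so the file is byte-stable between runs.
def mco_facts(all_facts)
  all_facts.reject { |k, _| k.to_s =~ VOLATILE_FACT }
           .sort_by { |k, _| k.to_s }
           .to_h
end

# Write the file only when its content changed; returns true on write.
def write_facts_yaml(path, all_facts)
  yaml = mco_facts(all_facts).to_yaml
  return false if File.exist?(path) && File.read(path) == yaml
  File.write(path, yaml)
  true
end

# Constructed sample standing in for Facter output.
SAMPLE_FACTS = {
  'osfamily' => 'Debian',
  'customer' => 'lovely',
  'environment' => 'dev',
  'hostname' => 'web01',
  'uptime_seconds' => 86_123,
  'memoryfree' => '1.2 GB',
  'swapfree' => '0'
}

if __FILE__ == $0
  # assumed path; on a real node this is /etc/mcollective/facts.yaml
  path = File.join(Dir.mktmpdir, 'facts.yaml')
  puts "written: #{write_facts_yaml(path, SAMPLE_FACTS)}"
  puts File.read(path)
  puts "written again: #{write_facts_yaml(path, SAMPLE_FACTS)}"
end
```

When the file is delivered by Puppet, the same reject list belongs in the ERB template that renders it; the point is the same either way: a fact that changes every run is not something you want to filter on, and it keeps the managed file from being rewritten on every agent run.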
Use case X - manage certificates
We all love managing Puppet certificates
mco puppet resource exec \
  '/bin/rm -rf $(puppet agent --configprint ssldir)/*'
Have a look at
plugin.puppet.resource_type_(black|white)list
WE SKIPPED SOME BASIC STUFF
Filters - simple ones
-F, --wf, --with-fact osfamily=Debian
-C, --wc, --with-class some::class
-W, --with customer=lovely my_roles::loadbalancer
Filters - oldschool
-A, --wa, --with-agent youragentplugin
-I, --wi, --with-identity certname
When delivering MCO config, do NOT trust facts
identity = <%= scope.lookupvar('::certname') %>
Filters - the cool stuff
-S, --select FILTER
-S "resource('Service[apache2]').managed = true"
-S "fstat('/etc/hosts').md5=/^0c9d/ and environment=dev"
Based on data plugins
SECURITY
SECURITY MATTERS!
puppet module install puppetlabs-mcollective
They had a reason for writing this.
SECURITY MATTERS!
Please do not deploy without reading A LOT
No plaintext messages
No preshared keys
Re-use Puppet certs for the transport
Create one certificate per client to sign bodies
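The four points above map onto a handful of settings in server.cfg. The following is an added example, not from the talk or from MCollective itself: a small Ruby audit that parses the flat "key = value" format of server.cfg and reports the settings a reviewer would flag, with a weak and a hardened configuration beside each other. Both configurations, the hostnames and the certificate paths are constructed for the example; the setting names are the ones MCollective 2.x documents for the psk and ssl security plugins and the activemq/rabbitmq connectors.

```ruby
# Added example, not MCollective's own code: audit a server.cfg against the
# four rules above (no plaintext, no psk, Puppet certs on the transport,
# one certificate per client). Configs below are constructed.

WEAK_SERVER_CFG = <<~CFG
  # shared secret, plain stomp, no authorization
  securityprovider = psk
  plugin.psk = unset
  connector = activemq
  plugin.activemq.pool.size = 1
  plugin.activemq.pool.1.host = broker.example.com
  plugin.activemq.pool.1.port = 61613
  plugin.activemq.pool.1.user = mcollective
  plugin.activemq.pool.1.password = marionette
CFG

HARDENED_SERVER_CFG = <<~CFG
  # ssl security plugin: server signs with its own key, every client has its
  # own public cert in ssl_client_cert_dir (paths are assumptions)
  securityprovider = ssl
  plugin.ssl_server_private = /etc/mcollective/ssl/server-private.pem
  plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem
  plugin.ssl_client_cert_dir = /etc/mcollective/ssl/clients
  rpcauthorization = 1
  rpcauthprovider = action_policy
  plugin.actionpolicy.allow_unconfigured = 0
  # TLS to the broker, re-using the node's Puppet certificate
  connector = activemq
  plugin.activemq.pool.size = 1
  plugin.activemq.pool.1.host = broker.example.com
  plugin.activemq.pool.1.port = 61614
  plugin.activemq.pool.1.user = mcollective
  plugin.activemq.pool.1.password = not-the-example-password
  plugin.activemq.pool.1.ssl = true
  plugin.activemq.pool.1.ssl.ca = /var/lib/puppet/ssl/certs/ca.pem
  plugin.activemq.pool.1.ssl.cert = /var/lib/puppet/ssl/certs/web01.example.com.pem
  plugin.activemq.pool.1.ssl.key = /var/lib/puppet/ssl/private_keys/web01.example.com.pem
CFG

# server.cfg is "key = value" per line, "#" starts a comment
def parse_mco_config(text)
  text.each_line.with_object({}) do |raw, cfg|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split('=', 2).map(&:strip)
    cfg[key] = value
  end
end

# MCollective accepts 1/true/yes for boolean settings
def truthy?(value)
  %w[1 true yes y].include?(value.to_s.downcase)
end

def audit_mco_config(text)
  cfg = parse_mco_config(text)
  findings = []

  # No preshared keys: psk is one secret shared by every node and client.
  if cfg['securityprovider'].to_s.downcase == 'psk'
    findings << 'securityprovider = psk: one shared secret, any node can impersonate any client'
  end

  # No plaintext messages: every pool member must use TLS and know the CA.
  hosts = cfg.keys.grep(/\Aplugin\.(activemq|rabbitmq)\.pool\.\d+\.host\z/)
  findings << 'no activemq/rabbitmq pool member configured' if hosts.empty?
  hosts.each do |host_key|
    pool = host_key.sub(/\.host\z/, '')
    if truthy?(cfg["#{pool}.ssl"])
      findings << "#{pool}.ssl.ca not set: broker certificate is not checked against a CA" unless cfg["#{pool}.ssl.ca"]
    else
      findings << "#{pool}: ssl not enabled, requests and replies cross the wire in plaintext"
    end
  end

  # Re-used certs and one cert per client: the ssl plugin needs all three paths.
  if cfg['securityprovider'].to_s.downcase == 'ssl'
    %w[plugin.ssl_server_private plugin.ssl_server_public plugin.ssl_client_cert_dir].each do |key|
      findings << "#{key} not set" unless cfg[key]
    end
  end

  # Per-client certificates only pay off when actions are authorized per caller.
  unless truthy?(cfg['rpcauthorization'])
    findings << 'rpcauthorization not enabled: every authenticated client may call every action'
  end
  findings
end

if __FILE__ == $0
  { 'weak' => WEAK_SERVER_CFG, 'hardened' => HARDENED_SERVER_CFG }.each do |name, cfg|
    puts "#{name}:"
    audit_mco_config(cfg).each { |f| puts "  - #{f}" }
  end
end
```

The check on rpcauthorization is there because the per-client certificate alone only tells a server who is asking; without an authorization plugin every client that can sign a request may call every action on every node.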
IT DOESN'T STOP HERE
Search for plugins!
Monitoring: replace nrpe
Manage your iptables rules "live"
Handle processes
Read about registration...
...unless your network is your only source of truth
Start writing simple RPC Agents - harmless
module MCollective
  module Agent
    class Helloworld < RPC::Agent
      action 'echo' do
        validate :msg, String
        reply[:msg] = request[:msg]
      end
    end
  end
end
Start writing simple RPC Agents - harmful
# deliberately unrestricted: executes whatever command the caller sends
action 'exec' do
  validate :command, String
  # run() stores stdout and stderr under the reply keys named here
  reply[:status] = run(request[:command], :stdout => :out, :stderr => :err)
  reply[:out].chomp!
  reply[:err].chomp!
end
action 'perlrulez' do
  implemented_by "/some/script.pl"
end
http://docs.puppetlabs.com/mcollective/simplerpc/agents.html
Write SimpleRPC clients
require 'mcollective'
include MCollective::RPC

mc = rpcclient("helloworld")
mc.echo(:msg => "hello world").each do |resp|
  printf("%-40s: %s\n", resp[:sender], resp[:data][:msg])
end
mc.disconnect
This is where real orchestration starts
Bad news: you are on your own
LAB
Thank you for your attention!
Thomas Gelf <[email protected]>
Questions?
class puppetcamp {
package { 'questions': ensure => answered }
}