MCollective installed. And now? - NETWAYS GmbH
Just me: Thomas Gelf
Joined NETWAYS in 2010
Formerly more than 10 years:
Web (Application) Development
Routing/Switching (Bank- and ISP-Backbone)
ISP-Environment: architecting and realizing highly available
platforms (Mail, Hosting, SIP-Carrier, IPv6...)
Nationality: Italian. Mother tongue: German
SOUTH TYROLEAN!!!
Puppet and Netways
Puppet Labs Partner
Puppet Consulting
First provider of Puppet trainings in Germany
More: www.netways.de/training
What this talk is all about
MCollective
Quick introduction
Basic use cases
Architecture
Security
Extensions
Future ideas, suggestions
Facts about MCollective
Father: R.I.Pienaar
Age: 2.2.4 (2.3.3)
Language: Ruby
Profession: Orchestration framework
CV: http://puppetlabs.com/mcollective
MCollective components
It's soooo easy...
We send commands to a group of servers
They execute them and send replies
We need a middleware == black magic for lots of us
Honestly, there is more...
Use case I - Break the rules
It is "a puppet component" so we are allowed to use it
No more "defined state". Finally!
Use case II - puppet resource
puppet resource on steroids
Conflicts with Puppet? Can be "solved":
plugin.puppet.resource_allow_managed_resources
Use case III - Emergency button
After rolling out new Puppet modules:
STOP all Puppet Agents
Find out what went wrong
Fix it. Somehow.
Use case III - Emergency button
If this is what you are usually doing...
...please. Please. PLEASE!!! have a look at
http://projects.puppetlabs.com/projects/1/wiki/Development_Writing_Tests
Use case IV - Archeology
How many different <SomeApplication> versions are in production use?
Is this you? Then it's time for a commercial break...
Use case V - Puppet health
It's great, but...
...do not forget about the colorful GUIs.
Reporting matters!
Use case VI - puppet kick
puppet kick replacement
mco service stop puppet
mco puppet runonce --batch 10 --batch-sleep 600
mco puppet runall 10
mco puppet (en|di)sable
Run on demand or triggered by centralized cronjob, Jenkins, GUI (PE!)
Use case VI - puppet kick
You can combine this with ACLs
NOC: restart services in maintenance mode
Developers: everything. In THEIR environment.
Thomas: loves wildcards
"Action Policy Authorization Plugin"
Use case VII - for negative people
Double negative
I do not disagree
I haven't seen nothing
If you don't want to go nowhere...
Use case VIII - Apply specific modules
mco puppet runonce --tag somespecialmodule
You should be VERY careful with tags!
Use case IX - CMDB grooming
YES, every change is processed in our CMDB
And then applied by Puppet
Or the other way round
mco inventory
factsource = facter
# VS
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
Report handler?
Use case X - manage certificates
We all love managing Puppet certificates
mco puppet resource exec \
  '/bin/rm -rf $(puppet agent --configprint ssldir)/*'
Have a look at
plugin.puppet.resource_type_(black|white)list
Filters - simple ones
-F, --wf, --with-fact osfamily=Debian
-C, --wc, --with-class some::class
-W, --with customer=lovely my_roles::loadbalancer
Filters - oldschool
-A, --wa, --with-agent youragentplugin
-I, --wi, --with-identity certname
When delivering MCO config, do NOT trust facts
identity = <%= lookupvar('::certname') %>
Filters - the cool stuff
-S, --select FILTER
-S "resource('Service[apache2]').managed = true"
-S "fstat('/etc/hosts').md5=/^0c9d/ and environment=dev"
Based on data plugins
SECURITY MATTERS!
Please do not deploy without reading A LOT
No plaintext messages
No preshared keys
Re-use Puppet certs for the transport
Create one certificate per client to sign bodies
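An added example, not from the original slides: a small Ruby audit of a server.cfg against this checklist, plus the ACL and resource_allow_managed_resources points from the use cases. The key names other than plugin.puppet.resource_allow_managed_resources are assumed from the standard MCollective 2.x configuration (ActiveMQ connector, rpcauthorization); the sample config is constructed.

```ruby
# Added example: audit an MCollective server.cfg against the checklist above.
# SAMPLE_CFG is constructed for this example; hostnames and values are placeholders.
SAMPLE_CFG = <<~CFG
  # constructed sample, not from a real host
  identity = web01.example.com
  connector = activemq
  plugin.activemq.pool.size = 1
  plugin.activemq.pool.1.host = mq.example.com
  plugin.activemq.pool.1.port = 61613
  securityprovider = psk
  plugin.psk = changeme
  plugin.puppet.resource_allow_managed_resources = true
CFG

# Parse "key = value" lines, ignoring blanks and # comments.
def parse_cfg(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    cfg[key.strip] = value.to_s.strip
  end
end

def truthy?(value)
  %w[1 t true y yes].include?(value.to_s.downcase)
end

# Return a list of findings; an empty list means the checklist passes.
def audit(cfg)
  findings = []
  findings << 'preshared key security provider in use' if cfg['securityprovider'] == 'psk'
  findings << 'no securityprovider set' unless cfg.key?('securityprovider')
  connector = cfg['connector']
  pools = cfg["plugin.#{connector}.pool.size"].to_i
  (1..pools).each do |n|
    unless truthy?(cfg["plugin.#{connector}.pool.#{n}.ssl"])
      findings << "middleware pool #{n} is not using TLS"
    end
  end
  findings << 'RPC authorization (ACLs) is disabled' unless truthy?(cfg['rpcauthorization'])
  if truthy?(cfg['plugin.puppet.resource_allow_managed_resources'])
    findings << 'mco puppet resource may change Puppet-managed resources'
  end
  findings
end

puts audit(parse_cfg(SAMPLE_CFG)) if __FILE__ == $PROGRAM_NAME
```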
Start writing simple RPC Agents - harmless
module MCollective
  module Agent
    class Helloworld < RPC::Agent
      action 'echo' do
        validate :msg, String
        reply[:msg] = request[:msg]
      end
    end
  end
end
Start writing simple RPC Agents - harmful
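action 'exec' do
  # Harmful: runs whatever command string the caller sends
  validate :command, String
  reply[:status] = run(
    request[:command],
    :stdout => :out,
    :stderr => :err
  )
  # run() stores the output under the reply keys named above
  reply[:out].chomp!
  reply[:err].chomp!
end
action 'perlrulez' do
  implemented_by "/some/script.pl"
end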
http://docs.puppetlabs.com/mcollective/simplerpc/agents.html
Write SimpleRPC clients
require 'mcollective'
include MCollective::RPC
mc = rpcclient("helloworld")
mc.echo(:msg => "hello world").each do |resp|
  printf("%-40s: %s\n", resp[:sender], resp[:data][:msg])
end
This is where real orchestration starts
Bad news: you are on your own
Thomas Gelf <[email protected]>
Questions?
class puppetcamp {
package { 'questions': ensure => answered }
}