MCollective defines itself as an orchestration framework. Once installed, it can show some funny tricks out of the box. However, as the wording implies, a framework usually asks you to spend more than just a couple of minutes, at least if you want to get more benefit in real-world environments.
This talk will introduce MCollective, quickly handle architectural and security questions and give some hints on how to start extending this framework. A few interesting examples are meant to inspire you to get more work done with MCollective.
3. Just me: Thomas Gelf
Joined NETWAYS in 2010
Formerly more than 10 years:
Web (Application) Development
Routing/Switching (Bank- and ISP-Backbone)
ISP-Environment: architecting and realizing highly available platforms (Mail, Hosting, SIP-Carrier, IPv6...)
Nationality: Italian. Mother tongue: German
SOUTH TYROLEAN!!!
10. MCollective components
It's soooo easy...
We send commands to a group of servers
They execute them and send replies
We need a middleware == black magic for lots of us
Honestly, there is more...
12. Use case I - Break the rules
It is "a puppet component" so we are allowed to use it
No more "defined state". Finally!
13. Use case II - puppet resource
puppet resource on steroids
14. Use case II - puppet resource
puppet resource on steroids
Conflicts with Puppet? Can be "solved":
plugin.puppet.resource_allow_managed_resources
15. Use case III - Emergency button
After rolling out new Puppet modules:
STOP all Puppet Agents
Find out what went wrong
Fix it. Somehow.
16. Use case III - Emergency button
If this is what you are usually doing...
...please. Please. PLEASE!!! have a look at
http://projects.puppetlabs.com/projects/1/wiki/Development_Writing_Tests
17. Use case IV - Archeology
How many different <SomeApplication> versions are in production use?
Is this you? Then it's time for a commercial break...
19. Use case V - Puppet health
It's great, but...
...do not forget about the colorful GUIs.
Reporting matters!
20. Use case VI - puppet kick
puppet kick replacement
mco service stop puppet
mco puppet runonce --batch 10 --batch-sleep 600
mco puppet runall 10
mco puppet (en|di)sable
Run on demand or triggered by centralized cronjob, Jenkins, GUI (PE!)
21. Use case VI - puppet kick
You can combine this with ACLs
NOC: restart services in maintenance mode
Developers: everything. In THEIR environment.
Thomas: loves wildcards
"Action Policy Authorization Plugin"
22. Use case VII - for negative people
Double negative
I do not disagree
I haven't seen nothing
If you don't want to go nowhere...
23. Use case VII - for negative people
With Puppet, this is "--no-noop"
24. Use case VIII - Apply specific modules
mco puppet runonce --tag somespecialmodule
You should be VERY careful with tags!
25. Use case IX - CMDB grooming
YES, every change is processed in our CMDB
And then applied by Puppet
Or the other way round
mco inventory
factsource = facter
# VS
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
Report handler?
26. Use case X - manage certificates
We all love managing Puppet certificates
mco puppet resource exec
'/bin/rm -rf $(puppet agent --configprint ssldir)/*'
Have a look at
plugin.puppet.resource_type_(black|white)list
29. Filters - oldschool
-A, --wa, --with-agent youragentplugin
-I, --wi, --with-identity certname
When delivering MCO config, do NOT trust facts
identity = <%= lookupvar('::certname') %>
30. Filters - the cool stuff
-S, --select FILTER
-S "resource('Service[apache2]').managed = true"
-S "fstat('/etc/hosts').md5=/^0c9d/ and environment=dev"
Based on data plugins
33. SECURITY MATTERS!
Please do not deploy without reading A LOT
No plaintext messages
No preshared keys
Re-use Puppet certs for the transport
Create one certificate per client to sign bodies
37. Start writing simple RPC Agents - harmless
module MCollective
  module Agent
    class Helloworld < RPC::Agent
      # Send the received message straight back to the caller
      action 'echo' do
        validate :msg, String
        reply[:msg] = request[:msg]
      end
    end
  end
end
38. Start writing simple RPC Agents - harmful
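# Deliberately dangerous: runs whatever command string the client sends
action 'exec' do
  validate :command, String
  # With symbols, run stores the output in reply[:out] and reply[:err]
  reply[:status] = run(
    request[:command], :stdout => :out, :stderr => :err
  )
  reply[:out].chomp!
  reply[:err].chomp!
end
# Hands the whole action over to an external script
action 'perlrulez' do
  implemented_by "/some/script.pl"
end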
http://docs.puppetlabs.com/mcollective/simplerpc/agents.html
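An added example, not from the talk or the MCollective project: the request handling that the harmful 'exec' action lacks, written as plain Ruby so it runs without MCollective. The task names, ALLOWED_TASKS, SAFE_ARG, build_argv and run_task are assumptions made for this illustration; in an agent, the action body would pass the request data through build_argv before running anything.

```ruby
require 'open3'

# Hypothetical allow-list (constructed for this example):
# symbolic task name => fixed argv. Clients pick a name, never a command line.
ALLOWED_TASKS = {
  'uptime'    => ['uptime'],
  'disk_free' => ['df', '-P'],
  'echo'      => ['echo']
}.freeze

# Tasks that accept exactly one extra argument.
TASKS_WITH_ARG = ['echo'].freeze

# \A and \z anchor the whole string; ^ and $ would only anchor a line in Ruby.
SAFE_ARG = /\A[A-Za-z0-9_.-]{1,64}\z/

class TaskRejected < StandardError; end

# Turn an untrusted request hash into an argv array, or raise TaskRejected.
def build_argv(request)
  task = request[:task]
  raise TaskRejected, 'task must be a String' unless task.is_a?(String)
  argv = ALLOWED_TASKS.fetch(task) do
    raise TaskRejected, "task not allowed: #{task.inspect}"
  end
  arg = request[:arg]
  return argv.dup if arg.nil?
  raise TaskRejected, "#{task} takes no argument" unless TASKS_WITH_ARG.include?(task)
  raise TaskRejected, 'unsafe argument' unless arg.is_a?(String) && arg.match?(SAFE_ARG)
  argv + [arg]
end

# Execute without a shell: the [name, argv0] form makes spawn exec the program
# directly, so no argv element is ever re-parsed as shell syntax.
def run_task(request)
  argv = build_argv(request)
  out, err, status = Open3.capture3([argv[0], argv[0]], *argv.drop(1))
  { status: status.exitstatus, stdout: out.chomp, stderr: err.chomp }
end
```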
39. Write SimpleRPC clients
require 'mcollective'
include MCollective::RPC
# Call the helloworld agent's echo action on all matching nodes
mc = rpcclient("helloworld")
mc.echo(:msg => "hello world").each do |resp|
  printf("%-40s: %s\n", resp[:sender], resp[:data][:msg])
end
This is where real orchestration starts
Bad news: you are on your own