MCollective defines itself an orchestration framework. Once installed it will be able to show some funny tricks out of the box. However as the wording implies, a framework usually asks you to spend more than just a couple of minutes, at least if you want to get more benefit for real-world environments. This talk will introduce MCollective, quickly handle architectural and security questions and give some hints on how to start extending this framework. A few interesting examples want to inspire you to get more work done by MCollective.

1. MCollective installed. And
now?
2013-28-11 | Puppet Camp Munich

2. SELF-INTRODUCTION

3. Just me: Thomas Gelf
Joined NETWAYS in 2010
Formerly more than 10 years:
Web (Application) Development
Routing/Switching (Bank- and ISP-Backbone)
ISP-Environment: architecturing and realizing highly available
plattforms (Mail, Hosting, SIP-Carrier, IPv6...)
Nationality: Italian. Mother tongue: German
SOUTH TYROLEAN!!!

4. DEVELOPERRRR!!! Since today :-)

5. Puppet and Netways
Puppet Labs Partner
Puppet Consulting
First provider of Puppet trainings in Germany
More: www.netways.de/training

6. What this talk is all about
MCollective
Quick introduction
Basic use cases
Architecture
Security
Extensions
Future ideas, suggestions

7. HANDS UP

8. INTRODUCTION

9. Facts about MCollective
Father: R.I.Pienaar
Age: 2.2.4 (2.3.3)
Language: Ruby
Profession: Orchestration framework
CV: http://puppetlabs.com/mcollective

10. MCollective components
It's soooo easy...
We send commands to a group of servers
They execute them and send replies
We need a middleware == black magic for lots of us
Honestly, there is more...

11. BASIC USE CASES

12. Use case I - Break the rules
It is "a puppet component" so we are allowed to use it
No more "defined state". Finally!

13. Use case II - puppet resource
puppet resource on steroids

14. Use case II - puppet resource
puppet resource on steroids
Conflicts with Puppet? Can be "solved":
plugin.puppet.resource_allow_managed_resources

15. Use case III - Emergency button
After rolling out new Puppet modules:
STOP all Puppet Agents
Find out what went wrong
Fix it. Somehow.

16. Use case III - Emergency button
If this is what you are usually doing...
...please. Please. PLEASE!!! have a look at
http://projects.puppetlabs.com/projects/1/wiki/Development_Writing_Tests

17. Use case IV - Archeology
How many different <SomeApplication> versions are in productional
use?
Is this you? Then it's time for a commercial break...

18. Puppet Enterprise

19. Use case V - Puppet health
It's great, but...
...do not forget about the colorful GUIs.
Reporting matters!

20. Use case VI - puppet kick
puppet kick replacement
mco
mco
mco
mco
service stop puppet
puppet runonce --batch 10 --batch-sleep 600
puppet runall 10
puppet (en|di)sable
Run on demand or triggered by centralized cronjob, Jenkins, GUI
(PE!)

21. Use case VI - puppet kick
You can combine this with ACLs
NOC: restart services in maintenance mode
Developers: everything. In THEIR environment.
Thomas: loves wildcards
"Action Policy Authorization Plugin"

22. Use case VII - for negative people
Double negative
I do not disagree
I haven't seen nothing
If you don't want to go nowhere...

23. Use case VII - for negative people
With Puppet, this is
--no-noop”

24. Use case VIII - Apply specific modules
mco puppet runonce --tag somespecialmodule
You should be VERY careful with tags!

25. Use case IX - CMDB grooming
YES, every change is processed in our CMDB
And then applied by Puppet
Or the other way round
mco inventory
factsource = facter
# VS
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
Report handler?

26. Use case X - manage certificates
We all love managing Puppet certificates
mco puppet resource exec
'/bin/rm -rf $(puppet agent --configprint ssldir)/*'
Have a look at
plugin.puppet.resource_type_(black|white)list

27. WE SKIPPED SOME BASIC STUFF

28. Filters - simple ones
-F, --wf, --with-fact osfamily=Debian
-C, --wc, --with-class some::class
-W, --with customer=lovely my_roles::loadbalancer

29. Filters - oldschool
-A, --wa, --with-agent youragentplugin
-I, --wi, --with-identity certname
When delivering MCO config, do NOT trust facts
identity = <%= lookupvar('::certname') %>

30. Filters - the cool stuff
-S, --select FILTER
-S "resource('Service[apache2]').managed = true"
-S "fstat('/etc/hosts').md5=/^0c9d/ and environment=dev"
Based on data plugins

31. SECURITY

32. SECURITY MATTERS!
puppet module install puppetlabs-mcollective
They had a reason for writing this.

33. SECURITY MATTERS!
Please do not deploy without reading A LOT
No plaintext messages
No preshared keys
Re-use Puppet certs for the transport
Create one certificate per client to sign bodies

34. IT DOESN'T STOP HERE

35. Search for plugins!
Monitoring: replace nrpe
Manage your iptables rules "live"
Handle processes

36. Read about registration...
...unless your network is your only source of truth

37. Start writing simple RPC Agents - harmless
module MCollective
module Agent
class Helloworld<RPC::Agent
action 'echo' do
validate :msg, String
reply[:msg] = request[:msg]
end
end
end
end

38. Start writing simple RPC Agents - harmful
action 'exec' do
validate :msg, String
reply[:status] = run(
request[:command], :stdout => :out, :stderr => :err
)
reply[:stdout].chomp!
reply[:stderr].chomp!
end
action 'perlrulez' do
implemented_by "/some/script.pl"
end
http://docs.puppetlabs.com/mcollective/simplerpc/agents.html

39. Write SimpleRPC clients
require 'mcollective'
include MCollective::RPC
mc = rpcclient("helloworld")
mc.echo(:msg => "hello world").each do |resp|
printf("%-40s: %sn", resp[:sender], resp[:data][:msg])
end
This is where real orchestration starts
Bad news: you are on your own

40. LAB

41. Thank you for your attention!

42. Questions?
class puppetcamp {
package { 'questions':
ensure => answered
}
}
Thomas Gelf <thomas.gelf@netways.de>