MCollective installed. And now? by Thomas Gelf

MCollective installed. And

now?

2013-28-11 | Puppet Camp Munich

SELF-INTRODUCTION

Just me: Thomas Gelf

Joined NETWAYS in 2010

Formerly more than 10 years:

Web (Application) Development

Routing/Switching (Bank- and ISP-Backbone)

ISP-Environment: architecturing and realizing highly available

plattforms (Mail, Hosting, SIP-Carrier, IPv6...)

Nationality: Italian. Mother tongue: German

SOUTH TYROLEAN!!!

DEVELOPERRRR!!! Since today :-)

Puppet and Netways

Puppet Labs Partner

Puppet Consulting

First provider of Puppet trainings in Germany

More: www.netways.de/training

What this talk is all about

MCollective

Quick introduction

Basic use cases

Architecture

Security

Extensions

Future ideas, suggestions

HANDS UP

INTRODUCTION

Facts about MCollective

Father: R.I.Pienaar

Age: 2.2.4 (2.3.3)

Language: Ruby

Profession: Orchestration framework

CV: http://puppetlabs.com/mcollective

MCollective components

It's soooo easy...

We send commands to a group of servers

They execute them and send replies

We need a middleware == black magic for lots of us

Honestly, there is more...

BASIC USE CASES

Use case I - Break the rules

It is "a puppet component" so we are allowed to use it

No more "defined state". Finally!

Use case II - puppet resource

puppet resource on steroids

Use case II - puppet resource

puppet resource on steroids

Conflicts with Puppet? Can be "solved":

plugin.puppet.resource_allow_managed_resources

Use case III - Emergency button

After rolling out new Puppet modules:

STOP all Puppet Agents

Find out what went wrong

Fix it. Somehow.

Use case III - Emergency button

If this is what you are usually doing...

...please. Please. PLEASE!!! have a look at

http://projects.puppetlabs.com/projects/1/wiki/Development_Writing_Tests

Use case IV - Archeology

How many different <SomeApplication> versions are in productional

use?

Is this you? Then it's time for a commercial break...

Puppet Enterprise

Use case V - Puppet health

It's great, but...

...do not forget about the colorful GUIs.

Reporting matters!

Use case VI - puppet kick

puppet kick replacement

mco service stop puppetmco puppet runonce --batch 10 --batch-sleep 600mco puppet runall 10mco puppet (en|di)sable

Run on demand or triggered by centralized cronjob, Jenkins, GUI

(PE!)

Use case VI - puppet kick

You can combine this with ACLs

NOC: restart services in maintenance mode

Developers: everything. In THEIR environment.

Thomas: loves wildcards

"Action Policy Authorization Plugin"

Use case VII - for negative people

Double negative

I do not disagree

I haven't seen nothing

If you don't want to go nowhere...

Use case VII - for negative people

With Puppet, this is

--no-noop”

Use case VIII - Apply specific modules

mco puppet runonce --tag somespecialmodule

You should be VERY careful with tags!

Use case IX - CMDB grooming

YES, every change is processed in our CMDB

And then applied by Puppet

Or the other way round

mco inventory

factsource = facter# VSfactsource = yamlplugin.yaml = /etc/mcollective/facts.yaml

Report handler?

Use case X - manage certificates

We all love managing Puppet certificates

mco puppet resource exec \ '/bin/rm -rf $(puppet agent --configprint ssldir)/*'

Have a look at

plugin.puppet.resource_type_(black|white)list

WE SKIPPED SOME BASIC STUFF

Filters - simple ones

-F, --wf, --with-fact osfamily=Debian-C, --wc, --with-class some::class-W, --with customer=lovely my_roles::loadbalancer

Filters - oldschool

-A, --wa, --with-agent youragentplugin-I, --wi, --with-identity certname

When delivering MCO config, do NOT trust facts

identity = <%= lookupvar('::certname') %>

Filters - the cool stuff

-S, --select FILTER-S "resource('Service[apache2]').managed = true"-S "fstat('/etc/hosts').md5=/^0c9d/ and environment=dev"

Based on data plugins

SECURITY

SECURITY MATTERS!

puppet module install puppetlabs-mcollective

They had a reason for writing this.

SECURITY MATTERS!

Please do not deploy without reading A LOT

No plaintext messages

No preshared keys

Re-use Puppet certs for the transport

Create one certificate per client to sign bodies

IT DOESN'T STOP HERE

Search for plugins!

Monitoring: replace nrpe

Manage your iptables rules "live"

Handle processes

Read about registration...

...unless your network is your only source of truth

Start writing simple RPC Agents - harmless

module MCollective module Agent class Helloworld<RPC::Agent action 'echo' do validate :msg, String reply[:msg] = request[:msg] end end endend

Start writing simple RPC Agents - harmful

action 'exec' do validate :msg, String reply[:status] = run( request[:command], :stdout => :out, :stderr => :err ) reply[:stdout].chomp! reply[:stderr].chomp! end

action 'perlrulez' do implemented_by "/some/script.pl" end

http://docs.puppetlabs.com/mcollective/simplerpc/agents.html

Write SimpleRPC clients

require 'mcollective'include MCollective::RPCmc = rpcclient("helloworld")mc.echo(:msg => "hello world").each do |resp| printf("%-40s: %s\n", resp[:sender], resp[:data][:msg])end

This is where real orchestration starts

Bad news: you are on your own

LAB

Thank you for your attention!

Thomas Gelf <[email protected]>

Questions?

class puppetcamp {

package { 'questions': ensure => answered }

}