MCollective installed. And now? by Thomas Gelf
MCollective installed. And
now?
2013-28-11 | Puppet Camp Munich
SELF-INTRODUCTION
Just me: Thomas Gelf
Joined NETWAYS in 2010
Formerly more than 10 years:
Web (Application) Development
Routing/Switching (Bank- and ISP-Backbone)
ISP-Environment: designing and building highly available platforms (Mail, Hosting, SIP-Carrier, IPv6...)
Nationality: Italian. Mother tongue: German
SOUTH TYROLEAN!!!
DEVELOPERRRR!!! Since today :-)
Puppet and Netways
Puppet Labs Partner
Puppet Consulting
First provider of Puppet trainings in Germany
More: www.netways.de/training
What this talk is all about
MCollective
Quick introduction
Basic use cases
Architecture
Security
Extensions
Future ideas, suggestions
HANDS UP
INTRODUCTION
Facts about MCollective
Father: R.I.Pienaar
Age: 2.2.4 (2.3.3)
Language: Ruby
Profession: Orchestration framework
CV: http://puppetlabs.com/mcollective
MCollective components
It's soooo easy...
We send commands to a group of servers
They execute them and send replies
We need a middleware == black magic for lots of us
Honestly, there is more...
BASIC USE CASES
Use case I - Break the rules
It is "a puppet component" so we are allowed to use it
No more "defined state". Finally!
Use case II - puppet resource
puppet resource on steroids
Conflicts with Puppet? Can be "solved":
plugin.puppet.resource_allow_managed_resources
Use case III - Emergency button
After rolling out new Puppet modules:
STOP all Puppet Agents
Find out what went wrong
Fix it. Somehow.
Use case III - Emergency button
If this is what you are usually doing...
...please. Please. PLEASE!!! have a look at
http://projects.puppetlabs.com/projects/1/wiki/Development_Writing_Tests
Use case IV - Archeology
How many different <SomeApplication> versions are in production use?
Is this you? Then it's time for a commercial break...
Puppet Enterprise
Use case V - Puppet health
It's great, but...
...do not forget about the colorful GUIs.
Reporting matters!
Use case VI - puppet kick
puppet kick replacement
mco service stop puppet
mco puppet runonce --batch 10 --batch-sleep 600
mco puppet runall 10
mco puppet (en|di)sable
Run on demand or triggered by centralized cronjob, Jenkins, GUI (PE!)
Use case VI - puppet kick
You can combine this with ACLs
NOC: restart services in maintenance mode
Developers: everything. In THEIR environment.
Thomas: loves wildcards
"Action Policy Authorization Plugin"
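A sketch of how such ACLs evaluate, added here and not taken from the talk or from the plugin's source: a simplified first-match evaluator for the tab-separated rule format (verdict, caller, actions, facts, classes). The caller IDs, the maintenance and environment facts and the policy itself are constructed to mirror the three roles above.

```ruby
# Simplified first-match evaluator for tab-separated actionpolicy rules.
# Illustration only: caller IDs, facts and the policy are constructed samples.
SAMPLE_POLICY = <<~POLICY
  # service.policy
  policy default deny
  allow\tcert=thomas\t*\t*\t*
  allow\tcert=noc\trestart status\tmaintenance=true\t*
  allow\tcert=dev\t*\tenvironment=dev\t*
POLICY

Rule = Struct.new(:verdict, :callers, :actions, :facts, :classes)

def parse_policy(text)
  default = :deny
  rules = []
  text.each_line(chomp: true) do |line|
    next if line.strip.empty? || line.start_with?('#')
    if line =~ /\Apolicy\s+default\s+(allow|deny)\s*\z/
      default = Regexp.last_match(1).to_sym
      next
    end
    fields = line.split("\t")
    # Malformed lines are ignored rather than guessed at.
    next unless fields.size == 5 && %w[allow deny].include?(fields[0])
    rules << Rule.new(fields[0].to_sym, *fields[1..4].map(&:split))
  end
  [default, rules]
end

# '*' matches anything; otherwise the block decides.
def match?(wanted)
  wanted == ['*'] || yield
end

def authorized?(policy, caller_id:, action:, facts: {}, classes: [])
  default, rules = parse_policy(policy)
  hit = rules.find do |r|
    match?(r.callers) { r.callers.include?(caller_id) } &&
      match?(r.actions) { r.actions.include?(action) } &&
      match?(r.facts) { r.facts.all? { |f| k, v = f.split('=', 2); facts[k] == v } } &&
      match?(r.classes) { r.classes.all? { |c| classes.include?(c) } }
  end
  (hit ? hit.verdict : default) == :allow
end
```

With `policy default deny`, a caller that matches no rule is refused, so the wildcard line is the only one that needs no fact to match.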
Use case VII - for negative people
Double negative
I do not disagree
I haven't seen nothing
If you don't want to go nowhere...
Use case VII - for negative people
With Puppet, this is
"--no-noop"
Use case VIII - Apply specific modules
mco puppet runonce --tag somespecialmodule
You should be VERY careful with tags!
Use case IX - CMDB grooming
YES, every change is processed in our CMDB
And then applied by Puppet
Or the other way round
mco inventory
factsource = facter
# VS
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
Report handler?
Use case X - manage certificates
We all love managing Puppet certificates
mco puppet resource exec \
  '/bin/rm -rf $(puppet agent --configprint ssldir)/*'
Have a look at
plugin.puppet.resource_type_(black|white)list
WE SKIPPED SOME BASIC STUFF
Filters - simple ones
-F, --wf, --with-fact osfamily=Debian
-C, --wc, --with-class some::class
-W, --with customer=lovely my_roles::loadbalancer
Filters - oldschool
-A, --wa, --with-agent youragentplugin
-I, --wi, --with-identity certname
When delivering MCO config, do NOT trust facts
identity = <%= lookupvar('::certname') %>
Filters - the cool stuff
-S, --select FILTER
-S "resource('Service[apache2]').managed = true"
-S "fstat('/etc/hosts').md5=/^0c9d/ and environment=dev"
Based on data plugins
SECURITY
SECURITY MATTERS!
puppet module install puppetlabs-mcollective
They had a reason for writing this.
SECURITY MATTERS!
Please do not deploy without reading A LOT
No plaintext messages
No preshared keys
Re-use Puppet certs for the transport
Create one certificate per client to sign bodies
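The checklist above expressed as a check over server.cfg, as an added example that is not part of the talk: it flags the psk security provider, a middleware connection without TLS, and an ssl provider without a client certificate directory. Both sample configs are constructed; hostnames and file paths are placeholders.

```ruby
# Added example: both configs are constructed samples with placeholder paths.
WEAK_CFG = <<~CFG
  connector = activemq
  plugin.activemq.pool.1.host = mq.example.com
  securityprovider = psk
  plugin.psk = changeme
CFG

HARDENED_CFG = <<~CFG
  connector = activemq
  plugin.activemq.pool.1.host = mq.example.com
  plugin.activemq.pool.1.ssl = 1
  plugin.activemq.pool.1.ssl.ca = /var/lib/puppet/ssl/certs/ca.pem
  plugin.activemq.pool.1.ssl.cert = /var/lib/puppet/ssl/certs/node1.example.com.pem
  plugin.activemq.pool.1.ssl.key = /var/lib/puppet/ssl/private_keys/node1.example.com.pem
  securityprovider = ssl
  plugin.ssl_server_private = /etc/mcollective/ssl/server-private.pem
  plugin.ssl_server_public = /etc/mcollective/ssl/server-public.pem
  plugin.ssl_client_cert_dir = /etc/mcollective/ssl/clients
CFG

def parse_cfg(text)
  text.each_line.with_object({}) do |line, cfg|
    next if line =~ /\A\s*(#|\z)/ # skip comments and blank lines
    key, value = line.split('=', 2)
    cfg[key.strip] = value.strip if value
  end
end

def audit(text)
  cfg = parse_cfg(text)
  findings = []
  provider = cfg.fetch('securityprovider', 'psk').downcase # unset is treated as psk here
  findings << 'securityprovider=psk: preshared key' if provider == 'psk'
  findings << 'plugin.ssl_client_cert_dir unset' if provider == 'ssl' && !cfg['plugin.ssl_client_cert_dir']
  conn = cfg.fetch('connector', 'activemq')
  (1..cfg.fetch("plugin.#{conn}.pool.size", '1').to_i).each do |i|
    pre = "plugin.#{conn}.pool.#{i}"
    if cfg["#{pre}.ssl"].to_s !~ /\A(1|t|y)/i
      findings << "#{pre}.ssl off: plaintext transport"
    else
      missing = %w[ca cert key].reject { |k| cfg["#{pre}.ssl.#{k}"] }
      findings << "#{pre}: ssl.#{missing.join('/')} unset" unless missing.empty?
    end
  end
  findings
end
```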
IT DOESN'T STOP HERE
Search for plugins!
Monitoring: replace nrpe
Manage your iptables rules "live"
Handle processes
Read about registration...
...unless your network is your only source of truth
Start writing simple RPC Agents - harmless
module MCollective
  module Agent
    class Helloworld < RPC::Agent
      action 'echo' do
        validate :msg, String
        reply[:msg] = request[:msg]
      end
    end
  end
end
Start writing simple RPC Agents - harmful
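action 'exec' do
  # Checks only that :command is a String; any command the caller sends is run
  validate :command, String
  reply[:status] = run(
    request[:command],
    :stdout => :out,
    :stderr => :err
  )
  # run() stores the output under the reply keys named above
  reply[:out].chomp!
  reply[:err].chomp!
end

action 'perlrulez' do
  implemented_by "/some/script.pl"
end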
http://docs.puppetlabs.com/mcollective/simplerpc/agents.html
Write SimpleRPC clients
require 'mcollective'
include MCollective::RPC
mc = rpcclient("helloworld")
mc.echo(:msg => "hello world").each do |resp|
  printf("%-40s: %s\n", resp[:sender], resp[:data][:msg])
end
This is where real orchestration starts
Bad news: you are on your own
LAB
Thank you for your attention!
Thomas Gelf
Questions?
class puppetcamp {
package { 'questions': ensure => answered }
}