pool (ActiveMQ, Redis or RabbitMQ) Client, let you interact with the nodes using “mco” Server, running on each configured node Plugins that extend functionality (data gathered, actions possible, etc)
setup Everything is done in puppet (with some help from the build-in “package”) Using the mcollective class provided by puppetlabs (and required dependancies classes Erlang and RabbitMQ), customised to store private keys in hiera-eyaml
generate janesmith > puppet cert generate johndoe > puppet cert generate mcollective-servers Copy the resulting certificates in a secure location > $libdir/ssl/certs/johndoe.pem (this will later be used by the client) > $libdir/ssl/private_keys/johndoe.pem (this will later be used by the client) > $libdir/ssl/public_keys/johndoe.pem (this will later be used by the nodes) > $libdir/ssl/*/mcollective-servers (this will be used to secure the connection with the middleware)
include ixanagios::client" include ixapuppet::debian::puppetlabsapt" include erlang" ! #Need at least Erlang-R16B for puppet SSL certs" package { 'erlang-base':" ensure => 'latest'," }" [...]
can gather data/run commands/etc Can be expanded with plugins to handle packages, service, puppet status, processes, gather data. Possible to also write your own agents to expand on functionality (most of them are a collection of ruby scripts)
middleware_ssl => true, securityprovider => 'ssl', middleware_user =>'mcollective', middleware_password => hiera('mcollective_pw'), # These are the certs for clients on client nodes # ie. either individual users certs or machine certs ssl_client_certs => 'puppet:///modules/ixamcollective/client_certs', ssl_ca_cert => '/var/lib/puppet/ssl/certs/ca.pem', # This pair allow secure communication between MQ and mcollective ssl_server_public => 'puppet:///modules/ixamcollective/certs/mcollective-servers.pem', ssl_server_private => hiera('mcollective-servers'),
Plugins are available as native package on puppetlabs repos (yum and apt). You need to restart the mcollective service to pick up new plugins package {['mcollective-puppet-common', 'mcollective-puppet-agent',]: ensure => '1.7.0-1puppetlabs1', notify => Service["mcollective"], } package {['mcollective-service-agent', 'mcollective-service-common']: ensure => present, notify => Service["mcollective"], } Alternatively packaged plugins can be set using the mcollective module: mcollective::plugin { 'puppet': package => true, } and custom plugins like so: mcollective::plugin { 'myplugin': source => 'puppet:///modules/site_mcollective/plugins', }
key pairs (if SSL is enabled). This can also be used for ACLs. To access the extra functionality, you need to install the plugins matching the plugins on your servers. You do not have to use puppet and the mcollective module to set up users….but it helps a lot.
class { '::mcollective': [...] middleware_ssl => true, securityprovider => 'ssl', ssl_ca_cert => '/var/lib/puppet/ssl/certs/ca.pem', #We don't need the private key since we'll use user certificates ssl_server_public => 'puppet:///modules/ixamcollective/certs/mcollective- servers.pem', [...] }
users: mcollective::user{"janesmith": certificate => 'puppet:///modules/ixamcollective/certs/janesmith.pem', private_key => hiera('janesmith'), } mcollective::user{"johndoe": certificate => 'puppet:///modules/ixamcollective/certs/johndoe.pem', private_key => hiera('johndoe'), } Nota: the module has been modified to use hiera lookups for the private key for users as well
'puppet': default => 'deny', } mcollective::actionpolicy::rule { 'Only Jane can be trusted to use puppet': agent => 'puppet', callerid => 'cert=janesmith', }
frconil
tsukasa_ishimaru
daitak
sashimimochi
yushin_n
oracle4engineer
foursue
kaz29
lycorptech_jp
mokocm
phaya72
shinrinakamura
lynnandtonic
colly
dougneiner
rmw
vanstee
jcasabona
smashingmag
ufuk
philnash
mongodb
rocio
iamctodd
![Middleware Finish off with some useful options: ! [...]" middleware_user](https://files.speakerdeck.com/presentations/153c42307dbe0132772e52f8716547a7/slide_8.jpg){kind=link}
