{"id":3477,"date":"2016-07-27T15:35:53","date_gmt":"2016-07-27T14:35:53","guid":{"rendered":"https:\/\/www.devco.net\/?p=3477"},"modified":"2016-07-27T16:13:25","modified_gmt":"2016-07-27T15:13:25","slug":"fix-the-mcollective-deployment-story","status":"publish","type":"post","link":"https:\/\/www.devco.net\/archives\/2016\/07\/27\/fix-the-mcollective-deployment-story.php","title":{"rendered":"Fixing the mcollective deployment story"},"content":{"rendered":"

Getting started with MCollective has always been an adventure, you have to learn a ton of new stuff like Middleware etc. And once you get that going the docs tend to present you with a vast array of options and choices including such arcane topics like which security plugin to use while the security model chosen is entirely unique to mcollective. To get a true feeling for the horror see the official deployment guide<\/a>.<\/p>\n

This is not really a pleasant experience and probably results in many insecure or half build deployments out there – and most people just not bothering. This is of course entirely my fault, too many options with bad defaults chosen is to blame.<\/p>\n

I saw the graph of the learning curve of Eve Online and immediately always think of mcollective \ud83d\ude42 Hint: mcollective is not the WoW of orchestration tools.<\/p>\n

I am in the process of moving my machines to Puppet 4 and the old deployment methods for MCollective just did not work, everything is falling apart under the neglect the project has been experiencing. You can’t even install any plugin packages on Debian as they will nuke your entire Puppet install etc.<\/p>\n

So I figured why not take a stab at rethinking this whole thing and see what I can do, today I’ll present the outcome of that – a new Beta distribution of MCollective tailored to the Puppet 4 AIO packaging that’s very easy to get going securely.<\/p>\n

Overview<\/H3>
\nMy main goals with these plugins were that they share as much security infrastructure with Puppet as possible. This means we get a understandable model and do not need to mess around with custom CAs and certs and so forth. Focussing on AIO Puppet means I can have sane defaults that works for everyone out of the box with very limited config. The deployment guide should be a single short page.<\/p>\n

For a new user who has never used MCollective and now need certificates there should be no need to write a crazy ~\/.mcollective<\/em> file and configure a ton of SSL stuff, they should only need to do:<\/p>\n

\r\n$ mco choria request_cert\r\n<\/pre>\n
This will make a CSR, submit it to the PuppetCA and wait for it to be signed like Puppet Agent.  Once signed they can immediately start using MCollective. No config needed. No certs to distribute. Secure by default. Works with the full AAA stack by default.<\/p>\n
Sites may wish to have tighter than default security around what actions can be made, and deploying these policies should be trivial.<\/p>\n
Introducing Choria<\/H3>
\nChoria<\/a> is a suite of plugins developed specifically with the Puppet AIO user in mind.  It rewards using Puppet as designed with defaults and can yield a near zero configuration setup.  It combines with a new mcollective<\/a> module used to configure AIO based MCollective.<\/p>\n
The deployment guide<\/a> for a Choria based MCollective is a single short page<\/strong>.  The result is:<\/p>\n