Skip to content

Instantly share code, notes, and snippets.

@Zordrak
Last active June 29, 2018 14:48
Show Gist options
  • Save Zordrak/66952cbd0508af5a3606 to your computer and use it in GitHub Desktop.
Save Zordrak/66952cbd0508af5a3606 to your computer and use it in GitHub Desktop.
mcollective configuration
collectives = mcollective
connector = activemq
direct_addressing = 1
libdir = /usr/local/libexec/mcollective:/usr/libexec/mcollective
logger_type = console
loglevel = warn
main_collective = mcollective
plugin.activemq.base64 = yes
plugin.activemq.heartbeat_interval = 30
plugin.activemq.pool.1.host = puppet.allfiled.local
plugin.activemq.pool.1.password = marionette
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.ssl = 1
plugin.activemq.pool.1.ssl.ca = /root/.mcollective.d/credentials/certs/ca.pem
plugin.activemq.pool.1.ssl.cert = /root/.mcollective.d/credentials/certs/root.pem
plugin.activemq.pool.1.ssl.fallback = 0
plugin.activemq.pool.1.ssl.key = /root/.mcollective.d/credentials/private_keys/root.pem
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.size = 1
plugin.activemq.randomize = true
plugin.ssl_client_private = /root/.mcollective.d/credentials/private_keys/root.pem
plugin.ssl_client_public = /root/.mcollective.d/credentials/certs/root.pem
plugin.ssl_server_public = /root/.mcollective.d/credentials/certs/server_public.pem
securityprovider = ssl
# This class prepares an ActiveMQ middleware service for use by MCollective.
#
# The default parameters come from the mco_profile::params class for only one
# reason. It allows the user to OPTIONALLY use Hiera to set values in one place
# and have them propagate multiple related classes. This will only work if the
# parameters are set in Hiera. It will not work if the parameters are set from
# an ENC.
#
class mco_profile::middleware::activemq (
$memoryusage = '200 mb',
$storeusage = '1 gb',
$tempusage = '1 gb',
$console = false,
$ssl_ca_cert = $mco_profile::params::ssl_ca_cert,
$ssl_server_cert = $mco_profile::params::ssl_server_cert,
$ssl_server_private = $mco_profile::params::ssl_server_private,
$middleware_user = $mco_profile::params::middleware_user,
$middleware_password = $mco_profile::params::middleware_password,
$middleware_admin_user = $mco_profile::params::middleware_admin_user,
$middleware_admin_password = $mco_profile::params::middleware_admin_password,
$middleware_ssl_port = $mco_profile::params::middleware_ssl_port,
) inherits mco_profile::params {
# We need to know somewhat for sure exactly what configuration directory
# will be used for ActiveMQ in order to correctly build the template.
$confdir = $::osfamily ? {
'Debian' => '/etc/activemq/instances-available/mcollective',
default => '/etc/activemq',
}
# Set up and contain the ActiveMQ server using the puppetlabs/activemq
# module
class { '::activemq':
instance => 'mcollective',
server_config => template('mco_profile/activemq_template.erb'),
}
# Set up SSL configuration. Use copies of the PEM keys specified to create
# the Java keystores.
file { "${confdir}/ca.pem":
owner => 'activemq',
group => 'activemq',
mode => '0444',
source => $ssl_ca_cert,
require => Class['activemq::packages'],
}
file { "${confdir}/server_cert.pem":
owner => 'activemq',
group => 'activemq',
mode => '0444',
source => $ssl_server_cert,
require => Class['activemq::packages'],
}
file { "${confdir}/server_private.pem":
owner => 'activemq',
group => 'activemq',
mode => '0400',
source => $ssl_server_private,
require => Class['activemq::packages'],
}
java_ks { 'mcollective:truststore':
ensure => 'latest',
certificate => "${confdir}/ca.pem",
target => "${confdir}/truststore.jks",
password => 'puppet',
trustcacerts => true,
notify => Class['activemq::service'],
require => File["${confdir}/ca.pem"],
} ->
file { "${confdir}/truststore.jks":
owner => 'activemq',
group => 'activemq',
mode => '0400',
require => Class['activemq::packages'],
before => Java_ks['mcollective:keystore'],
}
java_ks { 'mcollective:keystore':
ensure => 'latest',
certificate => "${confdir}/server_cert.pem",
private_key => "${confdir}/server_private.pem",
target => "${confdir}/keystore.jks",
password => 'puppet',
trustcacerts => true,
before => Class['activemq::service'],
require => [
File["${confdir}/server_cert.pem"],
File["${confdir}/server_private.pem"],
],
} ->
file { "${confdir}/keystore.jks":
owner => 'activemq',
group => 'activemq',
mode => '0400',
require => Class['activemq::packages'],
before => Class['activemq::service'],
}
}
class mco_profile::client (
$middleware_hosts = $mco_profile::params::middleware_hosts,
$ssl_server_cert = $mco_profile::params::ssl_server_cert,
$ssl_server_private = $mco_profile::params::ssl_server_private,
$ssl_server_public = $mco_profile::params::ssl_server_public,
$ssl_ca_cert = $mco_profile::params::ssl_ca_cert,
$connector = $mco_profile::params::connector,
) {
mcollective::user { "root":
homedir => '/root',
certificate => $ssl_server_cert,
private_key => $ssl_server_private,
ssl_ca_cert => $ssl_ca_cert,
ssl_server_public => $ssl_server_public,
middleware_hosts => $middleware_host,
middleware_ssl => true,
securityprovider => 'ssl',
connector => $connector,
}
# Old Example from Source
# mcollective::user { "${::hostname}_client":
# homedir => '/root',
# certificate => $ssl_server_cert,
# private_key => $ssl_server_private,
# ssl_ca_cert => $ssl_ca_cert,
# ssl_server_public => $ssl_server_public,
# middleware_hosts => $middleware_host,
# middleware_ssl => true,
# securityprovider => 'ssl',
# connector => $connector,
# }
}
All hosts to be configured for mcollective client and server.
/root/.mcollective is identical on all hosts
puppet.example.org :: Puppet Master and Middleware Host
4ee2c3b6a2d4df140ac0d08fc1527b9a /etc/activemq/server_cert.pem
4ee2c3b6a2d4df140ac0d08fc1527b9a /etc/mcollective/server_public.pem
4ee2c3b6a2d4df140ac0d08fc1527b9a /root/.mcollective.d/credentials/certs/root.pem # plugin.ssl_client_public
4ee2c3b6a2d4df140ac0d08fc1527b9a /var/lib/puppet/ssl/certs/puppet.allfiled.local.pem
8717fca2cb36cea0abb6b08eae975474 /root/.mcollective.d/credentials/private_keys/root.pem # plugin.ssl_client_private
a142eb51e5bc8e155233c93c24b3b91b /root/.mcollective.d/credentials/certs/server_public.pem
a142eb51e5bc8e155233c93c24b3b91b /var/lib/puppet/ssl/public_keys/puppet.allfiled.local.pem
otherhost.example.org :: Random other host
0c5145f0dbbe14e76d9c49d6cfca8d38 /root/.mcollective.d/credentials/private_keys/root.pem # plugin.ssl_client_private
c5b6810023c014393626475fbf0a329c /etc/mcollective/server_public.pem
c5b6810023c014393626475fbf0a329c /root/.mcollective.d/credentials/certs/root.pem # plugin.ssl_client_public
c5b6810023c014393626475fbf0a329c /var/lib/puppet/ssl/certs/otherhost.example.org.pem
ccca429bead5cdacc3b5c08c434c5f20 /root/.mcollective.d/credentials/certs/server_public.pem
ccca429bead5cdacc3b5c08c434c5f20 /var/lib/puppet/ssl/public_keys/otherhost.example.org.pem
# This class exists solely to aggregate the set of information that tie
# together the MCollective middleware.
#
class mco_profile::params (
$main_collective = 'mcollective',
$collectives = undef,
$middleware_hosts = undef, # Overwritten by the ENC
$middleware_user = 'mcollective',
$middleware_password = 'mcollective', # Overwritten by the ENC
$middleware_ssl_port = '61613',
$ssl_server_public = "${::settings::ssldir}/public_keys/${::clientcert}.pem",
$ssl_server_private = "${::settings::ssldir}/private_keys/${::clientcert}.pem",
$ssl_server_cert = "${::settings::ssldir}/certs/${::clientcert}.pem",
$ssl_ca_cert = "${::settings::ssldir}/certs/ca.pem",
$ssl_client_certs = "puppet:///modules/mco_profile/client_certs", # MODIFIED FROM EXAMPLE
$connector = undef,
$middleware_admin_user = 'admin',
$middleware_admin_password = 'mcollective',
$rabbitmq_vhost = '/mcollective',
) {
# No resources are declared by this class. It should only be used to set
# Hiera parameters to propagate to inheriting classes.
}
classesfile = /var/lib/puppet/state/classes.txt
collectives = mcollective
connector = activemq
daemonize = 1
direct_addressing = 1
factsource = yaml
libdir = /usr/local/libexec/mcollective:/usr/libexec/mcollective
logfile = /var/log/mcollective.log
loglevel = info
main_collective = mcollective
plugin.actionpolicy.allow_unconfigured = 1
plugin.activemq.base64 = yes
plugin.activemq.heartbeat_interval = 30
plugin.activemq.pool.1.host = puppet.example.org
plugin.activemq.pool.1.password = marionette
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.ssl = 1
plugin.activemq.pool.1.ssl.ca = /etc/mcollective/ca.pem
plugin.activemq.pool.1.ssl.cert = /etc/mcollective/server_public.pem
plugin.activemq.pool.1.ssl.fallback = 0
plugin.activemq.pool.1.ssl.key = /etc/mcollective/server_private.pem
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.size = 1
plugin.activemq.randomize = true
plugin.rpcaudit.logfile = /var/log/mcollective-audit.log
plugin.ssl_client_cert_dir = /etc/mcollective/clients
plugin.ssl_server_private = /etc/mcollective/server_private.pem
plugin.ssl_server_public = /etc/mcollective/server_public.pem
plugin.yaml = /etc/mcollective/facts.yaml
rpcaudit = 1
rpcauditprovider = logfile
rpcauthorization = 1
rpcauthprovider = action_policy
securityprovider = ssl
# This class should be applied to all servers, and sets up the MCollective
# server. It includes its parent class "site" and uses the parameters set
# there. Inheritance is used to ensure order of evaluation and exposition of
# parameters without needing to call "include".
#
# The default parameters come from the mco_profile::params class for only one
# reason. It allows the user to OPTIONALLY use Hiera to set values in one place
# and have them propagate multiple related classes. This will only work if the
# parameters are set in Hiera. It will not work if the parameters are set from
# an ENC.
#
class mco_profile::server (
$middleware_hosts = $mco_profile::params::middleware_hosts,
$middleware_ssl_port = $mco_profile::params::middleware_ssl_port,
$middleware_user = $mco_profile::params::middleware_user,
$middleware_password = $mco_profile::params::middleware_password,
$main_collective = $mco_profile::params::main_collective,
$collectives = $mco_profile::params::collectives,
$connector = $mco_profile::params::connector,
$ssl_server_cert = $mco_profile::params::ssl_server_cert,
$ssl_server_private = $mco_profile::params::ssl_server_private,
$ssl_ca_cert = $mco_profile::params::ssl_ca_cert,
$ssl_client_certs = $mco_profile::params::ssl_client_certs,
) inherits mco_profile::params {
class { '::mcollective':
client => true,
server => true,
securityprovider => 'ssl',
middleware_ssl => true,
middleware_hosts => $middleware_hosts,
middleware_ssl_port => $middleware_ssl_port,
middleware_user => $middleware_user,
middleware_password => $middleware_password,
main_collective => $main_collective,
collectives => $collectives,
connector => $connector,
ssl_server_public => $ssl_server_cert,
ssl_server_private => $ssl_server_private,
ssl_ca_cert => $ssl_ca_cert,
ssl_client_certs => $ssl_client_certs,
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment