Overview of Orchestration Topics
Puppet Enterprise includes an orchestration engine (MCollective), which can invoke many kinds of action in parallel across any number of nodes. Several useful actions are available by default, and you can easily add and use new actions.
Note: Sometimes, newly added nodes won’t respond immediately to orchestration commands. These nodes will begin responding to orchestration commands about 30 minutes after Puppet Enterprise is installed. You can accelerate this by logging into the node and running puppet agent --test as an admin user.
Actions and Plugins
Orchestration isn’t quite like SSH, PowerShell, or other tools meant for running arbitrary shell code in an ad-hoc way.
PE’s orchestration is built around the idea of predefined actions — it is essentially a highly parallel remote procedure call (RPC) system.
Actions are distributed in MCollective agent plugins, which are bundles of several related actions.
- Many plugins are available by default; see Built-In Orchestration Actions.
- You can extend the orchestration engine by downloading or writing new plugins and adding them to the engine with Puppet.
Invoking Actions and Filtering Nodes
The core concept of PE’s orchestration is invoking actions, in parallel, on a select group of nodes.
Typically you choose some nodes to operate on (usually with a filter that describes the desired fact values or Puppet classes), and specify an action and its arguments. The orchestration engine then runs that action on the chosen nodes, and displays any data collected during the run.
Puppet Enterprise can invoke orchestration actions in two places:
Special Interfaces: Puppet Runs and Resources
In addition to the main action invocation interfaces, Puppet Enterprise provides special interfaces for two of the most useful orchestration tasks:
- Remotely controlling the puppet agent and triggering Puppet runs
- Browsing and comparing resources across your nodes
The orchestration engine consists of the following parts:
- The pe-activemq service (which runs on the puppet master server) routes all orchestration-related messages.
- The pe-mcollective service (which runs on every agent node) listens for authorized commands and invokes actions in response. It relies on the available agent plugins for its set of possible actions.
- The mco command (available to the peadmin user account on the puppet master server) and the live management page of the PE console can issue authorized orchestration commands to any number of nodes.
The orchestration engine in Puppet Enterprise 3.0 uses the same security model as the recommended “standard MCollective deployment.” See the “security model” section on the MCollective standard deployment page for a more detailed rundown of these security measures.
In short, all commands and replies are encrypted in transit, and only a few authorized clients are permitted to send commands. By default, PE allows orchestration commands to be sent by:
- Read/write and admin users of the PE console
- Users able to log in to the puppet master server with full administrator
If you extend orchestration by integrating external applications, you can limit the actions each application has access to by distributing policy files; see the Configuring Orchestration page for more details.
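As an added illustration (not from the Puppet documentation) of distributing such a policy file with Puppet, the manifest below manages an actionpolicy file for the service agent. The policy directory, the caller certificate names (peadmin-public, puppet-dashboard-public) and the deploy-tool client and profile::web class are assumptions for a PE 3.0 layout; check them against the Configuring Orchestration page for your installation.

```puppet
# Added example, not part of the Puppet Enterprise docs.
# One policy file per agent plugin: this one governs the "service" agent.
# Once a policy file exists for an agent, "policy default deny" applies to
# every caller not listed, so peadmin and the console must be granted
# access explicitly or they lose the service actions too.
# Columns are: allow/deny, caller, actions, facts, classes ("*" = any).
file { '/etc/puppetlabs/mcollective/policies/service.policy':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0640',
  content => "policy default deny
# peadmin and the PE console keep full access to the service agent
allow\tcert=peadmin-public\t*\t*\t*
allow\tcert=puppet-dashboard-public\t*\t*\t*
# a hypothetical external deploy tool may only query or restart services,
# and only on nodes carrying the (assumed) profile::web class
allow\tcert=deploy-tool-public\tstatus,restart\t*\tprofile::web
",
  notify  => Service['pe-mcollective'],
}
```

Note that the policy constrains actions, facts and classes, not action arguments, so a caller allowed to restart services may restart any service on the matching nodes.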
You can also allow additional users to log in as the peadmin user on the puppet master, usually by distributing standard SSH public keys.
Every node (including all agent nodes, the puppet master server, and the console) needs the ability to initiate connections to the puppet master server over TCP port 61613. See the notes on firewall configuration in the “System Requirements” chapter of this guide for more details about PE’s network traffic.