First User

Users who wish to manage nodes via MCollective need to have certificates signed by the Puppet CA. Choria includes a tool to request and manage these certificates.

In the past each user typically had a ~/.mcollective config file, with Choria this is not needed, please remove this file should it exist in your shell

Create your first user

On the node you wish to run MCollective commands from you should have configured it as a client in the previous step.

$ whoami

When you are ready request the certificate from the CA, it will store it in the default location in ~/.puppetlabs as per Puppet AIO standards.

You should not run any mco commands as root, this will produce an error.

$ mco choria request_cert

This will request a certificate from your Puppet CA, you should sign it there and once signed it will be downloaded and saved. If you cannot sign it immediately you can safely run this command again later.

By default as my username is rip the certificate that was requested will be rip.mcollective. The default Choria setup only allows *.mcollective as certificate names.

You should now be able to run mco ping and see some of your nodes:

$ mco ping                           time=55.35 ms                           time=57.67 ms                           time=59.52 ms

Most other commands will not work due to the default deny nature of the Choria so you have to set up some Authorization rules.


As my user certificate is rip.mcollective and I wish to be able to manage all aspects of my MCollective I am going to add a default allow rule to Hiera, add this to your common tier or whichever tier will select the nodes you wish to be able to manage:

  - action: "allow"
    callers: "choria=rip.mcollective"
    actions: "*"
    facts: "*"
    classes: "*"

Once this has been rolled out to your site you can go ahead and try commands like mco puppet status.

If you want to deploy further users I suggest you look at the MCollective AAA documentation section.