Skip to content
Branch: master
Go to file
This branch is 1 commit ahead, 1 commit behind choria-legacy:master.

Latest commit


Failed to load latest commit information.
Latest commit message
Commit time

The Marionette Collective

This fork is only updated for security issues and bugs with its use in Puppet Enterprise. Please file bugs with PE support. For security issues, see Puppet's product security policy.

The Marionette Collective aka. mcollective is a framework to build server orchestration or parallel job execution systems.

For documentation please see


The documentation above details how MCollective works and many of its extension points.

Spec Tests

To run spec tests

bundle install
bundle exec rake test

Acceptance Tests

To run acceptance tests, see this.

Development Environment (MacOS)

Setup ActiveMQ using acceptance config:

brew install activemq
cp acceptance/files/activemq.* /usr/local/opt/activemq/libexec/conf
activemq start

ActiveMQ can later by stopped with activemq stop. ActiveMQ logs are located at /usr/local/opt/activemq/libexec/data/activemq.log.

Setup MCollective with acceptance config:

mkdir -p ~/.puppetlabs/etc/mcollective/ssl-clients
cp acceptance/files/client.* ~/.puppetlabs/etc/mcollective
cp acceptance/files/server.* ~/.puppetlabs/etc/mcollective
cp acceptance/files/ca_crt.pem ~/.puppetlabs/etc/mcollective
cp acceptance/files/client.crt ~/.puppetlabs/etc/mcollective/ssl-clients/client.pem
ln -s ~/.puppetlabs/etc/mcollective/client.cfg ~/.mcollective

Modify client.cfg to work on the local machine:

  • Change the ssl_server_public, ssl_client_private, ssl_client_public paths to point to ~/.puppetlabs/etc/mcollective/{server.crt,client.key,client.pem}.
  • Change the activemq.pool.1.ssl.{ca,cert,key} paths to ~/.puppetlabs/etc/mcollective/{ca_crt.pem,client.crt,client.key}. Note that ~ needs to be expanded to the full path. Also, that client.pem doesn't point to an actual file is intentional (I don't fully understand why).

Create server.cfg, updating <user>:

main_collective = mcollective
collectives = mcollective
logger_type = console
loglevel = info
daemonize = 0

securityprovider = ssl
plugin.ssl_server_private = /Users/<user>/.puppetlabs/etc/mcollective/server.key
plugin.ssl_server_public = /Users/<user>/.puppetlabs/etc/mcollective/server.crt
plugin.ssl_client_cert_dir = /Users/<user>/.puppetlabs/etc/mcollective/ssl-clients

connector = activemq
plugin.activemq.pool.size = 1 = activemq
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = marionette
plugin.activemq.pool.1.ssl = true = /Users/<user>/.puppetlabs/etc/mcollective/ca_crt.pem
plugin.activemq.pool.1.ssl.cert = /Users/<user>/.puppetlabs/etc/mcollective/server.crt
plugin.activemq.pool.1.ssl.key = /Users/<user>/.puppetlabs/etc/mcollective/server.key

The configuration above uses activemq as the name of the ActiveMQ broker. MCollective will enforce that the SSL certificate presented by the server matches the name it's trying to connect to. To use the configuration above, traffic to activemq must be redirected to the local host. On most machines, that can be accomplished with

sudo echo "   activemq" >> /etc/hosts

From the root of this repository, test the setup by running a server

RUBYLIB=lib bundle exec bin/mcollectived --config ~/.puppetlabs/etc/mcollective/server.cfg

and client

RUBYLIB=lib bundle exec bin/mco ping

Note that it may be useful to change the loglevel in client.cfg to debug issues with mco ping.

To enable specific plugins, you may need to set libdir in server.cfg and add plugin-specific configuration.


Please refer to this document.

You can’t perform that action at this time.