Host naming is very limited, we can only have 5 hosts in each dc.

Refactor host names so we can provision a large number of hosts in each DC without conflicts.

Not a security issue -- just a code smell.

There needs to be a README explaining how users of this project should manage the keys.

These values are currently set in inventory/group_vars

os_auth_url: xxx
os_tenant_name: xxxxx
os_tenant_id: xxx
os_net_id: xxx

The openstack rc file that is downloadable sets values for environment vars OS_AUTH_URL, OS_TENANT_ID, and OS_TENANT_NAME.

To get the logs out of Kafka and in the ElasticSearch

Before the 0.1 release is tagged, the following needs to happen in the docs:

• release in docs/conf.py needs to be set to "0.1" instead of "0.1pre"
• after merging into development into master, there will be a CHANGELOG.md and a CHANGELOG.rst. The markdown version should be removed.
• improve README.md to give general introduction and link to full documentation. (probably move it to RST too)
• diagrams of architecture

After the repo is published:

• after opening the repo, add RTD

Provide a dynamic proxy based on consul-template & haproxy or nginx

I shorted some of the variable names in the consul and registrator playbooks as a matter of personal preference.

We should define as a team if we want the short variable names of longer more descriptive and update roles / playbooks so they are uniform across the project.

consul_image: progrium/consul
consul_image_tag: latest

vs.

zookeeper_docker_image: asteris/zookeeper
zookeeper_docker_tag: latest

Define standard Ansible task names and update roles / playbooks to the standard:

A possible standard could be:

• verb noun
• all lower case
• state what is happening vs. how it is happening

Perhaps via Mesos framework

Support for multi-dc deployment is a differentiator.

Consul role supports multi-dc already.

We need to test / update the follow roles to support multi-dc:

• ZooKeeper
• Mesos
• Marathon

Instead of going through 127.0.0.0:53 -> consul:8600, let's have consul listen on port 53 and have the resolv.conf point to consul systems:

Tasks:

• update consul role to listen on host port 53 vs. 8600
• update NetworkManager configuration to use consul servers before dhcp provided servers (/etc/NetworkManager/dhclient.d?)
• remove dns settings from docker role (file: /etc/default/docker-network)
• remove dnsmasq from zookeeper systemd dependency roles/zookeeper/templates/zookeeper-service.j2
• remove dnsmasq role from site.yml
• remove dnsmasq role from vagrant.yml
• remove roles/dnsmasq
• test: Build
• test: Reboot
• test: Vagrant
• test: Single-DC
• test: Multi-DC

When a consul node is rebooted, it does not seem to remember previous manual registrations.

Deploy docs on every commit

Review playbooks in /playbooks to ensure each adds value. I added a bunch over time but maybe 1 or 2 can go now.

We should have a crypto setup script to automate all the key setup. Related to #45 and #46.

The usage would be something like this:

$ crypto-setup init
===== consul =====
----> encryption key
no encryption key found, generating into inventory/group_vars/all/all.yml

==== marathon ====
----> certificate
no certificate found, generate? [Y/n]
generating certificate...
password? []: *****
writing certificate to inventory/marathon.jks
writing password to inventory/group_vars/marathon/all.yml

----> user
use basic auth to connect? [Y/n]
username [admin]: *****
password: *****
writing user:pass to inventory/group_vars/marathon/all.yml

If an update is needed (password change, etc), the user can run crypto-setup update COMPONENT [COMPONENT...]

The following needs to be done in this script (from @stevendborrelli):

• mesos leader/follower credentials
• mesos --authenticate flag (if credential is set)
• mesos --authenticate_slaves flag (if credential is set)
• consul acl_master token
• consul gossip key
• marathon framework auth
• lock down mesos credentials (0600)
• ZK credentials
• ZK superuser
• single Mesos follower credential
• CA generation
• certificate generation for nginx
• certificate generation for consul
• output JSON format in setup script to pass to the extra vars argument

High level story is that we want the entire system to be well instrumented right out of the box. This will include:

• Linux host metrics
  • CPU states
    • Per core
    • Average for all cores
  • Memory
  • Disk
    • IO count
    • IO size
    • IO service time (histogram):
      • I'd like the leverage Brandon Gregs's great work in this space.
        • Example collectd metric:
          • disk.sda.block_size_kb.1 18
          • disk.sda.block_size_kb.2 2
          • disk.sda.block_size_kb.4 2
          • disk.sda.block_size_kb.8 2
          • disk.sda.block_size_kb.16 10
          • disk.sda.block_size_kb.32 2
          • disk.sda.block_size_kb.64 17
          • disk.sda.block_size_kb.128 0
          • disk.sda.block_size_kb.256 0
          • disk.sda.block_size_kb.512 0
          • disk.sda.block_size_kb.1024 0
          • disk.sda.read_time_ms.1 10
          • disk.sda.read_time_ms.2 2
          • disk.sda.read_time_ms.4 100
          • disk.sda.read_time_ms.8 12
          • disk.sda.read_time_ms.16 12
          • disk.sda.read_time_ms.32 12
          • disk.sda.read_time_ms.64 100
          • disk.sda.read_time_ms.128 0
          • disk.sda.read_time_ms.256 0
          • disk.sda.read_time_ms.512 12
          • disk.sda.read_time_ms.1024 0
          • disk.sda.read_time_ms.2048 0
          • disk.sda.read_time_ms.4096 12
          • disk.sda.read_time_ms.8192 0
          • disk.sda.read_time_ms.16384 0
    • Queue depth
  • Network
    • IO count
    • IO size
  • Users
    • Count
    • Logged in
  • Uptime
• Mesos metrics
  • https://github.com/rayrod2030/collectd-mesos
• Marathon metrics
  • https://github.com/klynch/collectd-marathon
• ZooKeeper
  • https://github.com/signalfuse/collectd-zookeeper
  • Collectd has a native ZooKeeper plugin now but it requires the c bindings and Alpine Linux does not package this collectd plugin
• Consul metrics
• Container metrics
  • Size
  • Uptime
  • CPU
  • RAM
  • Network IO
  • Disk IO
  • Disk space

This needs to be broken in to a number of smaller issues.

Current time out is 5 min, but seems like some docker image pull are taking longer than 5 min. So we may have to increase timeout further, if image pul is consistently taking longer.
cat /etc//mesos-slave/executor_registration_timeout
5mins

After spawning and provisioning an instance with vagrant up, the marathon service does not listen on 8080, and in the Consul UI, the "Service 'marathon' check" is critical.

The service is running.

-bash-4.2# curl http://127.0.0.1:8080
curl: (7) Failed connect to 127.0.0.1:8080; Connection refused
-bash-4.2# service marathon status -l
Redirecting to /bin/systemctl status  -l marathon.service
marathon.service - Marathon
   Loaded: loaded (/usr/lib/systemd/system/marathon.service; enabled)
   Active: active (running) since Wed 2015-03-04 13:37:37 UTC; 4min 31s ago
 Main PID: 876 (java)
   CGroup: /system.slice/marathon.service
           ├─ 876 java -Djava.library.path=/usr/local/lib -Djava.util.logging.SimpleFormatter.format=%2$s%5$s%6$s%n -Xmx512m -cp /usr/local/bin/marathon mesosphere.marathon.Main --zk zk://zookeeper.service.consul:2181/marathon --master zk://zookeeper.service.consul:2181/mesos
           ├─ 999 logger -p user.info -t marathon[876]
           └─1000 logger -p user.notice -t marathon[876]

Mar 04 13:42:08 localhost.localdomain marathon[999]: [2015-03-04 13:42:08,384] INFO Initiating client connection, connectString=zookeeper.service.consul:2181 sessionTimeout=10000 watcher=com.twitter.common.zookeeper.ZooKeeperClient$3@61526468 (org.apache.zookeeper.ZooKeeper:379)
Mar 04 13:42:08 localhost.localdomain marathon[999]: [2015-03-04 13:42:08,384] WARN Unable to connect to Zookeeper, retrying... (mesosphere.marathon.Main$:45)
Mar 04 13:42:08 localhost.localdomain marathon[999]: [2015-03-04 13:42:08,389] INFO Connecting to Zookeeper... (mesosphere.marathon.Main$:39)
Mar 04 13:42:08 localhost.localdomain marathon[999]: [2015-03-04 13:42:08,389] INFO Initiating client connection, connectString=zookeeper.service.consul:2181 sessionTimeout=10000 watcher=com.twitter.common.zookeeper.ZooKeeperClient$3@683e19c2 (org.apache.zookeeper.ZooKeeper:379)
Mar 04 13:42:08 localhost.localdomain marathon[999]: [2015-03-04 13:42:08,389] WARN Unable to connect to Zookeeper, retrying... (mesosphere.marathon.Main$:45)
Mar 04 13:42:08 localhost.localdomain marathon[999]: [2015-03-04 13:42:08,389] INFO Connecting to Zookeeper... (mesosphere.marathon.Main$:39)
Mar 04 13:42:08 localhost.localdomain marathon[999]: [2015-03-04 13:42:08,389] INFO Initiating client connection, connectString=zookeeper.service.consul:2181 sessionTimeout=10000 watcher=com.twitter.common.zookeeper.ZooKeeperClient$3@450d4505 (org.apache.zookeeper.ZooKeeper:379)
Mar 04 13:42:08 localhost.localdomain marathon[999]: [2015-03-04 13:42:08,389] WARN Unable to connect to Zookeeper, retrying... (mesosphere.marathon.Main$:45)
Mar 04 13:42:08 localhost.localdomain marathon[999]: [2015-03-04 13:42:08,389] INFO Connecting to Zookeeper... (mesosphere.marathon.Main$:39)
Mar 04 13:42:08 localhost.localdomain marathon[999]: [2015-03-04 13:42:08,389] INFO Initiating client connection, connectString=zookeeper.service.consul:2181 sessionTimeout=10000 watcher=com.twitter.common.zookeeper.ZooKeeperClient$3@6a2e6ead (org.apache.zookeeper.ZooKeeper:379)

I can telnet ZooKeeper:

-bash-4.2# telnet zookeeper.service.consul 2181
Trying 10.0.2.15...
Connected to zookeeper.service.consul.
Escape character is '^]'.

Every other services start correctly. I tried re-provisioning and rebooting, still no luck. The only change I made in the Vagrantfile is setting 2 CPU cores instead of 1 and assigning 4096MB of RAM instead of 1024.
I'm on MacOS X Yosemite and VirtualBox 4.3.24.

I'm on commit ddf2598.

PS: very promising project

Deploy from Atlas (TF)

This this tread for implementations: gliderlabs/logspout#35

We should add "Shipped Deployment Tag ID", Container ID, Hostname to each log/event.

After reboot, nodes are being named hostname.novalocal, which causes issues with both Marathon and Mesos.

We need to investigate how to get consistent naming lookups for the hosts.

TLS for Consul.

This is a little tricky with the current docker-consul image we're using.

Currently using 2 medium instances as marathon worked. So if I create 2 docker instance with 1 vcpu each no resources left for third.
Should we allocate GP2-Large instance instead of Medium instance for slaves.

The current consul role is trying to configure all consul hosts as servers. We need to make sure that clients are correctly configured.

changes for agents:

• remove -server from clients
• no bootstrap-expect
• remove data volume
• clean up bootstrap flags. Only one consul server should be in bootstrap mode

Assign {{ zk_id }} automatically:
e.g., https://github.com/hpcloud-mon/ansible-zookeeper/blob/master/templates/myid.j2

Validate the following are required and remove them from code base if not:

zookeeper_env: dev
zookeeper_ensemble: cluster1
zookeeper_container_name: "{{ zookeeper_service }}-{{ zookeeper_env }}-{{ zookeeper_ensemble }}-zkid{{ zk_id }}"

When we are done the inventory file should look like:

[zookeeper_servers]
host-[01:03]

vs.

[zookeeper_servers:vars]
service_tags=ensemble1

[zookeeper_servers]
host-01 zk_id=1
host-02 zk_id=2
host-03 zk_id=3

If OS_USERNAME and/or OS_PASSWORD aren't set ansible errors with a python error:

failed: [host-05 -> 127.0.0.1] => {"failed": true, "parsed": false}
Traceback (most recent call last):
  File "/Users/chris/.ansible/tmp/ansible-tmp-1424446963.22-640673646885/nova_keypair", line 1771, in <module>
    main()
  File "/Users/chris/.ansible/tmp/ansible-tmp-1424446963.22-640673646885/nova_keypair", line 105, in main
    nova.authenticate()
  File "/Library/Python/2.7/site-packages/python_novaclient-2.20.0-py2.7.egg/novaclient/client.py", line 169, in wrapper
    return f(self, *args, **kwargs)
  File "/Library/Python/2.7/site-packages/python_novaclient-2.20.0-py2.7.egg/novaclient/v1_1/client.py", line 239, in authenticate
    self.client.authenticate()
  File "/Library/Python/2.7/site-packages/python_novaclient-2.20.0-py2.7.egg/novaclient/client.py", line 586, in authenticate
    auth_url = self._v2_auth(auth_url)
  File "/Library/Python/2.7/site-packages/python_novaclient-2.20.0-py2.7.egg/novaclient/client.py", line 677, in _v2_auth
    return self._authenticate(url, body)
  File "/Library/Python/2.7/site-packages/python_novaclient-2.20.0-py2.7.egg/novaclient/client.py", line 690, in _authenticate
    **kwargs)
  File "/Library/Python/2.7/site-packages/python_novaclient-2.20.0-py2.7.egg/novaclient/client.py", line 439, in _time_request
    resp, body = self.request(url, method, **kwargs)
  File "/Library/Python/2.7/site-packages/python_novaclient-2.20.0-py2.7.egg/novaclient/client.py", line 433, in request
    raise exceptions.from_response(resp, body, url, method)
novaclient.exceptions.BadRequest: object of type 'NoneType' has no len() (HTTP 400)

Repo configuration is not finding this package

Deploy https://github.com/mesos/chronos via marathon for High Availability.

Kibana 4 for viewing logs and metrics.

Needs to support authentication.
Multi-tenancy needs to be considered for hosted use-cases.

• This is a FRAMEWORK (tied to the roadmapped Elasticsearch / Logstash frameworks) however may not be configured out of the box to receive logs from the M-I platform.

The YAML standard is to have a ---\n as the file header. Some of our files don't have them.

For all roles and playbooks define and implement standards for:

• Types of tags (e.g., config, upgrade, ...)
• Naming convention for tags (e.g., config, consul-config, ...)

When defining our standard let's KISS.

Control and Compute nodes need to be 100% self maintaining. If an administrator needs to login it's a bug.

Some areas that will need attention:
- OS log rotation
- Purge old containers
- Healing after a fault

Add application load balancer for web services:

• HAProxy
• Dynamic configuration of endpoints via Consul + Consul Template
• SSL Support

Deploy kafka using https://github.com/mesos/kafka

Implement Kafka message bus

Should this run on the controller on compute nodes? It's sort of oxygen for our stack ...

Needs to be self maintaining

We need to consider security aspects

Let's use the bits from Confluent: http://confluent.io/downloads/

Bake VM image in Atlas (Packer)
- Controller
- Compute

Use terraform for provisioning VMs instead of ansible.
Keep track of hashicorp/terraform#924

Move management of user accounts and SSH keys out of Ansible and in to Consul K/V