You should disable any transport connector that you are not using. For example, if you have enabled SSL encryption for ActiveMQ middleware, you should comment out the unencrypted connector.

<transportConnectors>
  <!-- # disable the unencrypted connector as we are using SSL
  <transportConnector name="stomp+nio" uri="stomp+nio://0.0.0.0:61613"/>
  -->
  <!-- this would be IPv4 only
  <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61614"/>
  -->
  <!-- this accepts IPv4 and IPv6 both -->
  <transportConnector name="stomp+ssl" uri="stomp+ssl://[::0]:61614"/>
</transportConnectors>

If you have multiple IP addresses on the host, you may replace 0.0.0.0 or ::0 with the specific IP you’d like ActiveMQ to answer on. Remember that every server and client must be able to reach this address. Repeat if necessary for each IP separately.

<transportConnector name="stomp+nio" uri="stomp+nio://192.168.2.5:61613"/>
<transportConnector name="stomp+nio" uri="stomp+nio://[2001:DB8:6A:C0::200:5]:61613"/>

MCollective depends on the ability of both servers and clients to initiate inbound TCP sessions to the appropriate TCP port on the middleware broker. Below is a table of which ports are used for which middleware brokers:

Most Linux systems use iptables firewalls. On a Linux system you could use the following steps to add a rule before the global deny. If all of your servers will fit within a few subnets, it is advisable to limit this rule to only allow those subnets to connect:

$ sudo iptables --list --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt    source     destination
1    ACCEPT     all  --     anywhere   anywhere       state RELATED,ESTABLISHED
2    ACCEPT     icmp --     anywhere   anywhere
... Look through the output and find an appropriate line number for this rule
$ sudo ip6tables --list --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt    source     destination
1    ACCEPT     all         anywhere   anywhere       state RELATED,ESTABLISHED
2    ACCEPT     ipv6-icmp   anywhere   anywhere
...etc

Look through the output and find an appropriate line number for the new rule. Then use the following syntax to insert the rule into this location in the list:

$ sudo iptables -I INPUT 20 -m state --state NEW -p tcp \
    --source 192.168.200.0/24 --dport 61613 -j ACCEPT

$ sudo ip6tables -I INPUT 20 -m state --state NEW -p tcp \
    --source 2001:DB8:6A:C0::/24 --dport 61613 -j ACCEPT

Don’t forget to save that rule to your initial rules file. For RedHat-derived systems this can be as easy as this:

$ sudo service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
$ sudo service ip6tables save
ip6tables: Saving firewall rules to /etc/sysconfig/ip6table:[  OK  ]

Check the appendix for platform-specific instructions for other operating systems.

The broker element defines the ActiveMQ java application with whom all servers and clients communicate. This is the container which encloses all other elements we will be discussing.

<broker xmlns="http://activemq.apache.org/schema/core" useJmx="true"
  brokerName="localhost"
  schedulePeriodForDestinationPurge="60000"
  networkConnectorStartAsync="true"
>

brokerName can be any name and for a single instance the value localhost is just fine. In a Network of Brokers each broker will need to have a unique name. We’ll cover this in ActiveMQ Clusters.

schedulePeriodForDestinationPurge tells ActiveMQ to scan and identify destinations which are inactive for more than one minute. This allows the queue to be garbage collected if the server stops retrieving items from its queue, or in the case of clients, after the timeout has been reached and it stops reading from the queue.

networkConnectorStartAsync tells ActiveMQ to bring up all network connectors in parallel. This parameter only matters if you have a network of brokers, but it’s a good default to have.

MCollective works best if producer flow control is disabled, and reply queues aregarbage-collected after five minutes of inactivity. If a node hasn’t picked up items from the queue in five minutes, we should discard the requests to avoid delayed delivery.

<policyEntries>
  <!-- MCollective works best with producer flow control disabled. -->
  <policyEntry
    topic=">"
    producerFlowControl="false"
  />
  <!-- MCollective generates a reply queue for most commands.
       Garbage-collect these after five minutes to conserve memory. -->
  <policyEntry
    queue="*.reply.>"
    gcInactiveDestinations="true"
    inactiveTimoutBeforeGC="300000"
  />
</policyEntries>

The critical parts for middleware authentication are the nodes queue and the agent topics described below. These are used to deliver messages to the servers who should be acting on the requests.

To consider the marionette metaphor, these are your strings. Messages to a node’s queue will be delivered to exactly one node. Messages published to an agent’s topic will be received and processed by every mcollectived daemon which has the named agent installed.

<users>
  <authenticationUser username="admins"
    password="Broker Password"
    groups="admins,everyone"
  />
  <authenticationUser username="client"
    password="Client Password"
    groups="servers,clients,everyone"
  />
  <authenticationUser username="server"
     password="Server Password"
     groups="servers,everyone"
  />
</users>

<authorizationEntry queue=">" write="admins" read="admins" admin="admins" />
<authorizationEntry topic=">" write="admins" read="admins" admin="admins" />

<authorizationEntry
  queue="mcollective.>"
  write="clients"
  read="clients"
  admin="clients"
/>
<authorizationEntry
  topic="mcollective.>"
  write="clients"
  read="clients"
  admin="clients"
/>

<authorizationEntry topic="mcollective.*.agent" read="servers" admin="servers" />

<authorizationEntry queue="mcollective.nodes" read="servers" admin="servers" />

Topics and Queues the Servers Write To

<authorizationEntry
  topic="mcollective.registration.agent"
  write="servers" read="servers" admin="servers"
/>

Here we allow the server nodes to create or submit data to one of the agent topics: the registration agent. This information is submitted during the server connection and when a registration request is received. More information about registration is available in Chapter 14.

<authorizationEntry
  queue="mcollective.reply.>"
  write="servers" admin="clients"
/>

This is a queue where servers send back their responses to commands. For example, if you send a command to the filemgr agent with a reply-to number 170075 then each server which matches the filter (number 3-4 below) would send a response on the queue mcollective.reply.filemgr_170075. The client would read each reply from the queue, as the diagram below shows.

Figure 8-1. Publish to a Topic, receive on a unique Queue

Tip

The writeable queues used by the servers to communicate information can be read by the clients, or by specially designed Listeners. We’ll discuss how Listeners collect feedback from the agents in Chapter 15.

A transportConnector element defines how servers and clients connect to the middleware broker over the network. The following configuration enables a STOMP protocol connection to ActiveMQ’s New I/O (NIO) transport.

<transportConnectors>
  <transportConnector
    name="stomp+nio"
    uri="stomp+nio://[::0]:61613"
  />
</transportConnectors>

All MCollective messages are carried by STOMP protocol, and the NIO interface has significantly better performance than using STOMP without NIO. At this point in the book, this is the only valid configuration.

You could of course make the IP address specific to just one interface, and you could change the TCP port used if you wanted to. In the following examples we show specific IPv4 and IPv6 addresses with TCP port 6163.

IPv4. 

    uri="stomp+nio://192.168.200.5:6163"

IPv6. 

    uri="stomp+nio://[2001:DB8:6A:C0::200:5]:6163"

In ActiveMQ Clusters you will learn how to use networkConnector elements to link to other middleware brokers.

Chapter 9 will document how to enable TLS encryption to protect the traffic between MCollective nodes and the middleware broker.

In this section we have gone through each tuning parameter in the baseline configuration used for our initial setup. The following sections will build on this baseline, showing changes which could be made to increase security or improve reliability in larger environments.

A Network of Brokers configuration is useful when you want to put ActiveMQ servers in different physical locations (e.g. different data centers) but to operate as a single consistent messaging space. Here is an example of the lines you’d need to add to both of the ActiveMQ systems to set up the linkage.

Connection accepting side. 

<plugins>
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="intersite"
        password="somethingYouWillNeverShare"
        groups="admins,everyone"
      />
    </users>
</plugins>
<transportConnectors>
  <transportConnector name="openwire" uri="tcp://0.0.0.0:61616" />
</transportConnectors>

Connection creating side. 

<networkConnectors>
  <networkConnector
     name="SFO-PVG"
     duplex="true"
     uri="static:(tcp://activemq.london.example.net:61616)"
     userName="intersite"
     password="somethingYouWillNeverShare</replaceable>"
  />
</networkConnectors>
<transportConnectors>
  <transportConnector name="openwire" uri="tcp://0.0.0.0:61616" />
</transportConnectors>

By putting the intersite user in the admins group it will have the ability to write to all topics and queues on the accepting ActiveMQ server. This is necessary for replication to work.

At each location you configure the client to connect to the local system. All messages will be transmitted between the two locations, thus allowing a single collective to work cleanly across sites. If you are concerned about redundancy, you can configure the client to fall over to the other sites if the local site is down.

plugin.activemq.pool.size = number of sites with their own broker
plugin.activemq.pool.1.host = site #1 broker hostname
plugin.activemq.pool.1.setting = settings for this site
plugin.activemq.pool.2.host = site #2 broker hostname
plugin.activemq.pool.2.setting = settings for this site
...etc

The Puppet module provided with this book will configure a network of brokers simply by adding more brokers to the hosts hiera parameter and providing a broker password.

mcollective::broker_password: 'openssl rand -base64 32'
mcollective::hosts:
        - site #1 broker hostname
        - site #2 broker hostname
        - site #3 broker hostname

All of the other parameters used for connecting to the brokers are assumed to be identical.

You may want to limit clients or servers to use only a local node. Each of the modules can be overridden at its own layer, so you can play with Hiera hierarchy to your heart’s content. There are two good ways to do this. The easiest is only to inform the brokers of all nodes:

mcollective::hosts:
        - site local broker hostname
mcollective::middleware::hosts:
        - site #1 broker hostname
        - site #2 broker hostname
        - site #3 broker hostname

Or you can limit the servers to a local node, and let the brokers and clients know about all nodes:

mcollective::server::hosts:
        - site local broker hostname
mcollective::hosts:
        - site #1 broker hostname
        - site #2 broker hostname
        - site #3 broker hostname

If you are looking for fast failover response at a single location, you may instead want to use a Master/Slave cluster setup. For that kind of setup you want this identical configuration on both brokers.

<plugins>
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser
        username="redundant"
        password="somethingYouWillNeverShare"
        groups="admins,everyone"
      />
    </users>
</plugins>

<transportConnectors>
  <transportConnector name="openwire" uri="tcp://0.0.0.0:61616" />
</transportConnectors>

<networkConnectors>
  <networkConnector
    uri="masterslave:(tcp://activemq1.example.net:61616,tcp://activemq2.example.net:61616)"
    userName="redundant"
    password="somethingYouWillNeverShare"
  />
</networkConnectors>

Pay special attention to the networkConnector uri here. The first host listed should be the master, and then every hostname listed after it would be slaves. Every ActiveMQ broker should have the list in the same order.

To enable the servers and clients to fail over to the slave, you will need to make the following changes to both the server and client configuration files.

plugin.activemq.pool.size   = count of all ActiveMQ brokers
plugin.activemq.pool.1.host = master broker name
all the settings for the master broker
plugin.activemq.pool.2.host = slave broker #2
all the same settings slave broker 2
plugin.activemq.pool.3.host = slave broker #3
all the same settings slave broker 3
...repeat until done

The Puppet module provided with this book supports a master/slave setup with the following Hiera parameter:

mcollective::hosts:
        - master broker hostname
        - slave broker #1 hostname
        - slave broker #2 hostname

All of the other parameters used for connecting to the brokers are assumed to be identical.

You should use SSL/TLS encryption for the links between sites. You should absolutely do this if you are connecting across the public Internet. To do this you’ll need to create both the keystore described in Anonymous TLS Security and the trustStore from Trusted TLS Servers.

Then you would adjust the ActiveMQ configuration between the sites to use the appropriate protocol:

<transportConnectors>
  <transportConnector
    name="openwire+ssl"
    uri="ssl://0.0.0.0:61617?needClientAuth=true"
  />
</transportConnectors>
<networkConnectors>
  <networkConnector
    name="SFO-PVG"
    duplex="true"
    uri="static:(ssl://activemq.siteb.example.net:61617)"
    userName="intersite"
    password="somethingYouWillNeverShare"
  />
</networkConnectors>

<sslContext>
  <sslContext
    keyStore="ssl/keystore.jks"
    keyStorePassword="somethingElseYouWillNeverShare"
    trustStore="ssl/truststore.jks"
    trustStorePassword="anotherThingYouWillNeverShare"
  >
</sslContext>

If you are using the Puppet module provided with this book you would simply set the following Hiera parameters and Puppet will do all the work for you:

mcollective::connector_ssl                  : true
mcollective::middleware::keystore_password  : 'openssl rand -base64 20'
mcollective::middleware::truststore_password: 'openssl rand -base64 20'

In this section we have reviewed two different models for multi-broker usage:

You can blend both of these options together to connect sets of Master-Slave brokers to sets at remote sites.

So what does this all mean? Here is our summary for what you can and should tune for high performance middleware:

To handle anything near a thousand connections to a single ActiveMQ server you’ll need to tune the TCP stack of the host. I’ve included some recommendations that I and others have found useful.

# More file descriptors == more open TCP connections
ulimit -Hn 8192
ulimit -Sn 8192

# Close and reuse finished TCP sessions faster
/sbin/sysctl -w net.ipv4.tcp_fin_timeout=15
/sbin/sysctl -w net.ipv4.tcp_tw_reuse=1

# Identify failed TCP links faster
/sbin/sysctl -w /proc/sys/net/ipv4/tcp_keepalive_intvl=30
/sbin/sysctl -w /proc/sys/net/ipv4/tcp_keepalive_probes=5

# Allow connection backlog of 2000 connections
# Required as STOMP clients reconnect quickly
/sbin/sysctl -w net.core.somaxconn=2000
/sbin/sysctl -w net.core.netdev_max_backlog=2000

# Increase size of TCP read and write buffers
/sbin/sysctl -w net.core.rmem_default = 256960
/sbin/sysctl -w net.core.rmem_max = 5242880
/sbin/sysctl -w net.core.wmem_default = 256960
/sbin/sysctl -w net.core.wmem_max = 5242880

# Disable timestamps
/sbin/sysctl -w net.ipv4.tcp_timestamps = 0

You may need to find the correct tuneables for non-Linux operating systems.

At the time this book went to print, Puppet Labs was providing ActiveMQ 5.8 in their repository. While working with several clients, I found ActiveMQ to work significantly better when handling large numbers of SSL/TLS clients. I created an RPM for ActiveMQ 5.9.1 for RedHat/CentOS and made it available at the following URL http://www.netconsonance.com/2014/04/activemq-5-9-1-for-centos-rhel-6/

I have provided this to Puppet Labs in Improvement CPR-32 so it might be available in the repository already. If not, you can download it from my website for evaluation.

Start by making a backup copy of activemq.xml, as your configuration will revert to the stock Puppet Labs config after installing this RPM:

$ sudo cp /etc/activemq/activemq.xml /etc/activemq/activemq.xml_5.8
$ wget -q http://www.netconsonance.com/downloads/activemq-5.9.1-1.el6.noarch.rpm
$ sudo service mcollective stop
Shutting down mcollective:                                 [  OK  ]
$ sudo service activemq stop
Stopping ActiveMQ Broker...
Stopped ActiveMQ Broker.
$ sudo yum install activemq-5.9.1-1.el6.noarch.rpm
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: linux.mirrors.es.net
 * extras: linux.mirrors.es.net
 * updates: linux.mirrors.es.net
Setting up Install Process
Examining activemq-5.9.1-1.el6.noarch.rpm: activemq-5.9.1-1.el6.noarch
Marking activemq-5.9.1-1.el6.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package activemq.noarch 0:5.9.1-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================
 Package       Arch         Version         Repository                          Size
=====================================================================================
Installing:
 activemq      noarch       5.9.1-1.el6     /activemq-5.9.1-1.el6.noarch        41 M

Transaction Summary
=====================================================================================
Install       1 Package(s)

Total size: 41 M
Installed size: 41 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : activemq-5.9.1-1.el6.noarch                       1/2
  Cleanup    : activemq-5.8.0-3.el6.noarch                       2/2
  Verifying  : activemq-5.9.1-1.el6.noarch                       1/2
  Verifying  : activemq-5.8.0-3.el6.noarch                       2/2

Installed:
  activemq.noarch 0:5.9.1-1.el6

Complete!
$ sudo service activemq start
Starting ActiveMQ Broker...
$ sudo service mcollective start
Starting mcollective:                                      [  OK  ]

To use this version with the Puppet module you need to inform the module that you want the configuration changes specific to version 5.9. This is accomplished with the following Hiera change:

common.yaml. 

# Middleware configuration
mcollective::middleware::confversion: '5.9'

Then run the puppet agent on your middleware systems like so:

$ mco puppet runonce --with-class mcollective::middleware

 * [ =================================================> ] 1 / 1

Finished processing 1 / 1 hosts in 283.63 ms

If you aren’t using Puppet to manage the middleware configuration, then start by making a backup copy of /etc/activemq/activemq.xml, as your configuration will revert to the stock Puppet Labs config. You’ll need to reapply by hand many of the changes discussed in Detailed Configuration Review.

At the time this book was written I have seen several problems which you should be aware of. I hope these issues are fixed and obsolete by the time this book reaches your hands, so I’ve given you the bug numbers and links to check them out.

  netstat -an |grep 6161 |awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n

Tuning ActiveMQ brokers or clusters for scale requires changes at multiple levels. In this chapter we discussed the following changes:

Growing your Network of Brokers will require careful tuning to achieve the best performance. None of the tuning done here is specific to MCollective. Most documentation for tuning ActiveMQ will be relevant to your environment’s performance.