Cooking Security

Joshua Timberman, Technical Evangelist, Opscode
Speaker:
‣ [email protected]
‣ @jtimberman
‣ www.opscode.com

Copyright © 2010 Opscode, Inc - All Rights Reserved
Nov 07, 2014
% whoami
System Administrator
Web Operations
Opscode Cookbooks, Training and Support
Developers?
Systems Administrators?
“Business” People?
Just what is Configuration Management?
A picture is worth...
A thousand words!
“... Is a field of management that focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes with its requirements, design, and operational information throughout its life. For information assurance, [it] can be defined as the management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.” - en.wikipedia.org
Infrastructure as Code is...
A technical domain revolving around building and managing infrastructure programmatically
Enable the reconstruction of the business from nothing but a source code repository, an application data backup, and bare metal resources.
Understand the goals
Automation
Stability
Scalability
Security
Security
Policy Compliance
Policy Compliance
Not a silver bullet
Best practices, applied
%<%= group %> ALL=(ALL) NOPASSWD: ALL

template "#{home_dir}/.ssh/authorized_keys" do
  source "authorized_keys.erb"
  owner u['uid']
  group u['id']
  mode "0600"
  variables :ssh_keys => u['ssh_keys']
end
Enable the business
Auditing and Documentation
Auditing and Documentation
Declarative language
Version control
package "ntp" do
  action :install
end

service "ntp" do
  action :start
end

template "/etc/ntp.conf" do
  source "ntp.conf.erb"
  owner "root"
  group "root"
  mode 0644
end
% git log ntp/recipes/default.rb
commit a5991547215757ed25e2944f93faa437fad1e5a5
Author: jtimberman <[email protected]>
Date:   Sun Sep 27 23:39:05 2009 -0600

    cook-188, update copyright notices, regen metadata too

commit 524ee910f391acadec52362419ce27dbdcdb9969
Author: jtimberman <[email protected]>
Date:   Wed Mar 4 17:08:10 2009 -0700

    cook-13, add ntp cookbook

It's like built-in change management
Logging subsystems
Defense in Depth is hard
Managing Infrastructure Is Hard
Has Always Been
(Timeline: 1980, 1989, 1999, 2001)
Big players:
• Reach just a handful of large, enterprise customers
• Require custom implementations with large professional services bills
• Deployed exclusively on-premise
• Acquired by companies with large consulting organizations (IBM, HP, CA)
Defense in Depth...
‣ Configuration layers
‣ Access controls
‣ Incident handling
  ‣ Rebuilding/redeployment
You need system integration
At a High Level...
‣ A library for configuration management
‣ A configuration management system
‣ A systems integration platform
‣ An API for your entire Infrastructure
Open source and community
Ruby
Platforms
Debian
Ubuntu
Gentoo
SuSE
Mac OS X
Solaris
Red Hat
Fedora
CentOS
Windows
ArchLinux
Scientific
OpenBSD
FreeBSD
Principles
Idempotent
Data-driven
Sane defaults
TMTOWTDI
Multiple applications of an operation do not change the result
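Here is how the idempotency principle plays out for the authorized_keys template resource shown earlier, as an added example in plain Ruby; it is not code from the deck or from Chef (Chef's own template resource performs this compare-then-act step internally). The ERB text, the user record and the scratch home directory are constructed for the example, and converge_file is a hypothetical stand-in for the resource's behaviour.

```ruby
require "erb"
require "fileutils"
require "tmpdir"

# Constructed stand-in for the cookbook's authorized_keys.erb (not the original file).
AUTHORIZED_KEYS_ERB = <<~ERB
  # Managed by configuration management; local edits are reverted on the next run.
  <% ssh_keys.each do |key| -%>
  <%= key %>
  <% end -%>
ERB

# Render a template with the variables a `template` resource would pass via `variables`.
def render_template(erb_text, variables)
  ERB.new(erb_text, trim_mode: "-").result_with_hash(variables)
end

# Bring a file to the desired content and permission bits. Returns true when
# something had to change and false when the file was already compliant, so a
# second run with the same inputs reports no change (the idempotency property).
def converge_file(path, content, mode)
  changed = false
  unless File.file?(path) && File.read(path) == content
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, content)
    changed = true
  end
  if (File.stat(path).mode & 0o777) != mode
    File.chmod(mode, path)
    changed = true
  end
  changed
end

# Equivalent of the slide's template resource for one user record `u`:
# ~/.ssh/authorized_keys rendered from u['ssh_keys'], mode 0600.
def converge_authorized_keys(home_dir, u)
  content = render_template(AUTHORIZED_KEYS_ERB, ssh_keys: u["ssh_keys"])
  converge_file(File.join(home_dir, ".ssh", "authorized_keys"), content, 0o600)
end

# Apply the policy three times against a scratch home directory: a fresh apply,
# a no-op re-apply, then a re-apply after someone loosened the mode by hand.
def demo_idempotency
  u = {
    "id" => "jtimberman", # constructed user record, same shape as the slide's `u`
    "ssh_keys" => ["ssh-ed25519 AAAAC3Nza...EXAMPLE1 laptop",
                   "ssh-ed25519 AAAAC3Nza...EXAMPLE2 desk"],
  }
  Dir.mktmpdir do |home|
    first  = converge_authorized_keys(home, u)
    second = converge_authorized_keys(home, u)
    File.chmod(0o644, File.join(home, ".ssh", "authorized_keys")) # simulate drift
    third  = converge_authorized_keys(home, u)
    [first, second, third] # => [true, false, true]
  end
end

puts demo_idempotency.inspect if $PROGRAM_NAME == __FILE__
```

The first apply reports a change, the second reports none, and the third reports a change only because the mode was loosened between runs. That third result is what makes a periodic client run a compliance control and not just a deployment tool: drift from the declared policy is detected and reverted without anyone writing a special-case script.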
We start with APIs, you supply data
option :json_attribs,
  :short => "-j JSON_ATTRIBS",
  :long => "--json-attributes JSON_ATTRIBS",
  :description => "Load attributes from a JSON file or URL",
  :proc => nil

option :node_name,
  :short => "-N NODE_NAME",
  :long => "--node-name NODE_NAME",
  :description => "The node name for this client",
  :proc => nil
Defaults are sane, but easily changed
Tim Toady is a Perl motto
Chef... How does it work?
Chef Client runs on your systems
Clients talk to a Chef Server
Clients authenticate with RSA keys
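The RSA client authentication on this slide, sketched as an added example in plain Ruby with OpenSSL. This is not Chef's code and not its wire format (Chef's real header names and canonical string differ); the header names, the canonical layout and the 900-second skew window are assumptions chosen to show the pattern: the client signs a digest of the request with its private key, and the server verifies it with the public key registered for that client name.

```ruby
require "openssl"
require "digest"
require "time"

# One enrolled client. The private key stays on the node; only the public half is
# registered with the server. Both are constructed here for the example.
CLIENT_NAME = "web01.example.com"
CLIENT_KEY  = OpenSSL::PKey::RSA.new(2048)
REGISTERED_CLIENTS = { CLIENT_NAME => OpenSSL::PKey::RSA.new(CLIENT_KEY.public_key.to_pem) }
MAX_CLOCK_SKEW = 900 # seconds; assumed window that bounds how long a captured request stays valid

# Canonical string both sides sign/verify. Binding method, path, body hash,
# timestamp and identity together means none of them can be altered in transit.
# (Hypothetical layout, not Chef's.)
def canonical_request(method, path, body, timestamp, client_name)
  [
    "Method:#{method}",
    "Hashed Path:#{Digest::SHA256.base64digest(path)}",
    "Content-Hash:#{Digest::SHA256.base64digest(body)}",
    "Timestamp:#{timestamp}",
    "UserId:#{client_name}",
  ].join("\n")
end

# Client side: sign the canonical request with the node's private key.
def sign_request(private_key, client_name, method, path, body, now = Time.now.utc)
  timestamp = now.iso8601
  signature = private_key.sign(OpenSSL::Digest.new("SHA256"),
                               canonical_request(method, path, body, timestamp, client_name))
  {
    "X-Client-Name"   => client_name,
    "X-Timestamp"     => timestamp,
    "X-Content-Hash"  => Digest::SHA256.base64digest(body),
    "X-Authorization" => [signature].pack("m0"), # strict base64
  }
end

# Server side: rebuild the canonical string from what actually arrived and verify
# it against the registered public key. Returns a symbol naming the outcome.
def verify_request(headers, method, path, body, now = Time.now.utc)
  pub = REGISTERED_CLIENTS[headers["X-Client-Name"]]
  return :unknown_client unless pub

  begin
    sent_at = Time.iso8601(headers["X-Timestamp"].to_s)
  rescue ArgumentError
    return :bad_timestamp
  end
  return :stale_timestamp if (now - sent_at).abs > MAX_CLOCK_SKEW
  return :body_tampered unless headers["X-Content-Hash"] == Digest::SHA256.base64digest(body)

  expected = canonical_request(method, path, body, headers["X-Timestamp"], headers["X-Client-Name"])
  begin
    signature = headers["X-Authorization"].to_s.unpack1("m0")
    pub.verify(OpenSSL::Digest.new("SHA256"), signature, expected) ? :ok : :bad_signature
  rescue ArgumentError, OpenSSL::PKey::PKeyError
    :bad_signature
  end
end

# Exercise the happy path plus two things the scheme must reject.
def demo_auth
  path = "/nodes/#{CLIENT_NAME}"
  headers = sign_request(CLIENT_KEY, CLIENT_NAME, "GET", path, "")
  good     = verify_request(headers, "GET", path, "")
  rerouted = verify_request(headers, "GET", "/nodes/db01.example.com", "") # path changed after signing
  stale    = verify_request(headers, "GET", path, "", Time.now.utc + 2 * MAX_CLOCK_SKEW)
  [good, rerouted, stale] # => [:ok, :bad_signature, :stale_timestamp]
end

puts demo_auth.inspect if $PROGRAM_NAME == __FILE__
```

Because path, body hash, timestamp and client name all sit inside the signed string, the server can distinguish a request altered in transit from one the client actually made, and the timestamp window limits how long a captured request could be presented again. The corollary for operations is that the node's private key is the node's identity: its file permissions and distribution deserve the same care as any other credential.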
We call each system you configure a Node
Nodes have Attributes
{
  "kernel": {
    "machine": "x86_64",
    "name": "Darwin",
    "os": "Darwin",
    "version": "Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386",
    "release": "10.4.0"
  },
  "platform_version": "10.6.4",
  "platform": "mac_os_x",
  "platform_build": "10F569",
  "domain": "local",
  "os": "darwin",
  "current_user": "jtimberman",
  "ohai_time": 1278602661.60043,
  "os_version": "10.4.0",
  "uptime": "18 days 17 hours 49 minutes 18 seconds",
  "ipaddress": "10.13.37.116",
  "hostname": "cider",
  "fqdn": "cider.local",
  "uptime_seconds": 1619358
}
Kernel info!
Platform info!
Hostname and IP!
The server stores JSON data about Nodes
Attributes are Searchable
$ knife search node 'platform:mac_os_x'

search(:node, 'platform:mac_os_x')
Nodes have a Run List
What Roles or Recipes to apply, in order
Nodes have Roles
Roles have a Run List
What Roles or Recipes to apply, in order
name "webserver"
description "Systems that serve HTTP traffic"
run_list(
  "role[base]",
  "recipe[apache2]",
  "recipe[apache2::mod_ssl]"
)
default_attributes(
  "apache" => { "listen_ports" => [ "80", "443" ] }
)
override_attributes(
  "apache" => { "max_children" => "50" }
)

Can include other roles!
Roles are Searchable
$ knife search role 'max_children:50'

search(:role, 'max_children:50')
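A small working model of how the role DSL from the previous slide becomes searchable data, and of why both `platform:mac_os_x` and `max_children:50` find what they do, as an added example in plain Ruby. It is not Chef's implementation (Chef indexes node and role documents on the server); the RoleFile class, the attribute-flattening index and the node documents are constructed for the example.

```ruby
# Minimal loader for the role DSL on the slide. Role files are Ruby and therefore
# trusted code, so instance_eval here carries the same trust assumption Chef makes.
class RoleFile
  attr_reader :data

  def initialize
    @data = { "run_list" => [], "default_attributes" => {}, "override_attributes" => {} }
  end

  def name(value);                @data["name"] = value;               end
  def description(value);         @data["description"] = value;        end
  def run_list(*items);           @data["run_list"] = items.flatten;   end
  def default_attributes(attrs);  @data["default_attributes"] = attrs; end
  def override_attributes(attrs); @data["override_attributes"] = attrs; end

  def self.load(source, filename = "(role)")
    role = new
    role.instance_eval(source, filename, 1)
    role.data
  end
end

# Flatten nested attributes into an index: every leaf is reachable by its full
# underscore-joined path (override_attributes_apache_max_children) and by its bare
# leaf name (max_children), which is what lets `max_children:50` find the role.
def index_attrs(obj, idx = Hash.new { |h, k| h[k] = [] }, path = [])
  case obj
  when Hash  then obj.each { |k, v| index_attrs(v, idx, path + [k.to_s]) }
  when Array then obj.each { |v| index_attrs(v, idx, path) }
  else
    unless path.empty?
      idx[path.join("_")] << obj.to_s
      idx[path.last] << obj.to_s if path.length > 1
    end
  end
  idx
end

# `field:pattern` query over a collection; `*` and `?` wildcards are honoured.
# Returns the names of the matching objects, as `knife search` lists them.
def search(objects, query)
  field, pattern = query.split(":", 2)
  raise ArgumentError, "query must look like field:value, got #{query.inspect}" if pattern.nil?
  objects.select { |o| index_attrs(o)[field].any? { |v| File.fnmatch?(pattern, v) } }
         .map { |o| o["name"] }
end

# Role source from the slide plus a base role, as constructed strings.
WEBSERVER_ROLE = <<~RUBY
  name "webserver"
  description "Systems that serve HTTP traffic"
  run_list("role[base]", "recipe[apache2]", "recipe[apache2::mod_ssl]")
  default_attributes("apache" => { "listen_ports" => ["80", "443"] })
  override_attributes("apache" => { "max_children" => "50" })
RUBY
BASE_ROLE = <<~RUBY
  name "base"
  description "Every node"
  run_list("recipe[ntp]", "recipe[users]")
RUBY
ROLES = [RoleFile.load(WEBSERVER_ROLE, "webserver.rb"), RoleFile.load(BASE_ROLE, "base.rb")]

# Two node documents trimmed to the ohai fields the deck shows (constructed).
NODES = [
  { "name" => "cider.local", "platform" => "mac_os_x", "platform_version" => "10.6.4",
    "kernel" => { "name" => "Darwin", "machine" => "x86_64" }, "run_list" => ["role[base]"] },
  { "name" => "web01.example.com", "platform" => "ubuntu", "platform_version" => "10.04",
    "kernel" => { "name" => "Linux", "machine" => "x86_64" }, "run_list" => ["role[webserver]"] },
]

def demo_search
  {
    mac_nodes:  search(NODES, "platform:mac_os_x"),     # => ["cider.local"]
    big_apache: search(ROLES, "max_children:50"),       # => ["webserver"]
    darwin:     search(NODES, "kernel_name:Darwin"),     # => ["cider.local"]
    ten_x:      search(NODES, "platform_version:10.*"), # => ["cider.local", "web01.example.com"]
  }
end

puts demo_search.inspect if $PROGRAM_NAME == __FILE__
```

The same index is what a recipe gets back from `search(:node, ...)`, so anything a node reports about itself (platform, kernel, addresses) is available to every other node's policy. That is powerful for building firewall or monitoring configuration from live inventory, and it is also why node attribute data should be treated as something an attacker who compromises one node can influence.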
Chef manages Resources on Nodes
Chef knows many different Resources
cookbook_file
template
service
package
deploy
git
http_request
link
ruby_block
log
bash
execute
remote_file
user
Resources take action through Providers
(Diagram: Resources, Provider, Platform)
Recipes are lists of Resources
Order Matters
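Run-list expansion, the step behind "Order Matters" and "Can include other roles", as an added example in plain Ruby; it is not Chef's own expansion code. The role data and the cycle check are constructed for the example, while the normalisation of recipe[foo] to foo::default follows Chef's convention.

```ruby
# Roles as plain data (constructed; Chef loads them from role files or the server).
# Each value is that role's run_list.
ROLE_RUN_LISTS = {
  "base"      => ["recipe[ntp]", "recipe[users]", "recipe[sudo]"],
  "webserver" => ["role[base]", "recipe[apache2]", "recipe[apache2::mod_ssl]"],
  "monitored" => ["role[base]", "recipe[nagios::client]"],
}

class RunListError < StandardError; end

# Expand a run list into the ordered list of fully qualified recipes to converge.
# Roles are expanded in place (depth first), a recipe runs only at its first
# occurrence, `recipe[foo]` means `foo::default`, and a role that includes itself
# (directly or through another role) is rejected instead of looping forever.
def expand_run_list(run_list, roles, role_path = [], recipes = [])
  run_list.each do |item|
    case item
    when /\Arole\[([^\]]+)\]\z/
      role = Regexp.last_match(1)
      raise RunListError, "undefined role #{role.inspect}" unless roles.key?(role)
      if role_path.include?(role)
        raise RunListError, "role cycle: #{(role_path + [role]).join(' -> ')}"
      end
      expand_run_list(roles[role], roles, role_path + [role], recipes)
    when /\Arecipe\[([^\]]+)\]\z/
      recipe = Regexp.last_match(1)
      recipe = "#{recipe}::default" unless recipe.include?("::")
      recipes << recipe unless recipes.include?(recipe)
    else
      raise RunListError, "unrecognized run list item #{item.inspect}"
    end
  end
  recipes
end

# A node with two roles that both include role[base]: base's recipes run once,
# first, in the order base lists them; everything else follows in run-list order.
def demo_expansion
  expand_run_list(["role[webserver]", "role[monitored]", "recipe[ntp]"], ROLE_RUN_LISTS)
  # => ["ntp::default", "users::default", "sudo::default", "apache2::default",
  #     "apache2::mod_ssl", "nagios::client"]
end

puts demo_expansion.inspect if $PROGRAM_NAME == __FILE__
```

Placing `recipe[sudo]` ahead of `role[base]` in a node's run list moves sudo to the front of the expanded list, which is exactly the "Order Matters" point: a recipe that grants sudo rights before the users recipe has created the groups it references will converge differently from one that runs after it, so review run lists, not just recipes, when auditing what a node ends up with.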
How does it help me secure my systems?
Automate your infrastructure configuration
The Benefits of Automation
Efficiency
Economics
Scalability
Chef automation workflow
‣ Define your policy
‣ Write policy as simple code
‣ Deploy configuration in testing
‣ Deploy in production
Infrastructure as Code
Source repository
Application data backup
Bare metal resources
Leverage a community
Open Source software
Operations experts
Team collaboration
Not everything can be automated
Security people say “No”.
This is as much culture as policy.
Automating humans is hard.
Resources/Questions

www.opscode.com/chef
IRC and Mailing lists:
‣ irc.freenode.net #chef
‣ lists.opscode.com
Twitter:
‣ @opscode, #opschef
‣ @jtimberman

Questions?