OSDC 2015: Benoit Peccatta | Sharing IT automation benefits in a team with Rudder

Normation – Tous droits réservésnormation.com 1

Rudder

Sharing IT automation benefits in a team with Rudder

Benoît Peccatte – [email protected]

mailto:[email protected]


Who am I ?

● Benoît Peccatte

● Origins: Sysadmin and a developper

● Now: Automation, Rudder, ncf

ncf


● What is Rudder anyway?

● Why is it interesting?

● How do people use it (demo)?


Context

What is Rudder ?


Context

Automated configuration

ScalableManage 1 to > 100000 servers the same way

Save timeDeploy faster & be more responsive to changes

Improve reliabilityAvoid manual errors, harmonize configurations


Key points

Specifically designed forautomation & compliance

Pre-packaged for:Linux, UNIX, Windows, Android

Open Source

Simplified user experiencevia a Web UI

Graphical reportingBased on CFEngine 3(don't reinvent the wheel!)

Vagrant config to test:https://github.com/normation/rudder-vagrant/


Design choices: CFEngine

CFEngineMulti-platformLinux, Android, BSD, AIX, HP-UX, Solaris, Windows...

Open SourceGPLv3

Small footprint, scalableA few MB of RAM,just seconds to run...

Continuous checkingAgent based approach,no push

Resilient to errorsNetwork outages, failures,unavailable resources...


Design choices

Continuous checkingEvery 5 minutes

Multi-platformLinux, Unix, Windows, Android...

Separate configuration from implementation

ReportingDone after the checks, separate process

High freqency, trust in compliance reporting

Reuse implementations, less bugs, shared code...Clear separation of roles

Cover as many systems as possible

Avoid bottleneckDifferent report types


Starting CM

How to start a configuraiton management

project ?


Starting CM

Choose a tool.

You're ready!


Not so fast

Getting everyoneon board for CM is hard

Frustration“I can do it quicker by hand or with a shell script”

Steep learning curveNew concepts, non obvious syntaxes, paradigm, ...

Lack of motivation“What do I have to gain from using this tool?”


Not so fast

So how comeso many projects

do work out?


Not so fast

Thanks to a hero!

So how comeso many projects

do work out?

Photo CC BY-NC-ND 2.0 from https://www.flickr.com/photos/mwboeckmann/


A hero?

Poor configuration management hero...


A hero?


Hey, I'm trying to do this thing in config management,but I can't make it work, can you help me?


A hero?


Hi, this is the supervision team.I'm sorry to disturb you at night, but we've got this error

in production, and I think it's related to a change in the CM tool,but I don't understand it. Can you help me?


What can we do?


What can we do?

How can we help?

This is clearly a problem.


Steep learning curveNew concepts, non obvious syntaxes, paradigm, ...

Approach

1) Separate content and controls

2) Provide access to key parameters without having to edit {CFEngine,Puppet,Chef} code


Lack of motivation“What do I have to gain from using this tool?”

Approach

1) Show the benefits to all users

2) Provide nice reports showing what works, how many machines are impacted


Frustration“I can do it quicker by hand or with a shell script”

Approach

1) Make it easy and quick to achieve success

2) Provide ready-to-use configuration techniques and share in-house ones simply


Why Rudder?

Make configuration management easyand increase its adoption

Extend benefitsof

configuration managementto

a wider population

ManagersJunior

sysadminsNon

experts

Lower entry barrierto

learn and use

configuration management

Easy to use Highly powerful


Right! Show me already!


Workflow

Typical usage


Components

Techniques

Implemented inncf syntax

+ metadata for

web configuration

Nodes

Search criteria oninventory data

Hardware/OS/Network/Software/Node name/

...

Directives

Rules

Apply Directives to a Group

Groups

Sysadmins

c c

Manager or sysadmins

Expert

Community


Workflow

Working in a team with Rudder


Workflow: the theory

Management

Definepolicy

Changes(fixes, upgrades...)

c c

Community Expert

Sysadmins

Configureparameters

Initial applicationContinuous verification

REP

OR

TIN

G

Technical abstraction(method vs parameters)


Workflow: the practice

Hi, this is sysadmin Alice.Do we still have debian 6 hosts?

I would like to remove it from the mirror.

Rudder:Let me check



Techniques


+ metadata for

web configuration

Nodes



...

Directives

Rules


Groups

Sysadmins

c c


Expert

Community



Hi, this is CISO.We shouldn't allow root to login over SSH.

Where are we on this?

Rudder:Let me check

…We never started!

Then we should start it now



Techniques


+ metadata for

web configuration

Nodes



...

Directives

Rules


Groups

Sysadmins

c c


Expert

Community



Simplified configuration



Hi, this is project manager Bob.We we need more server to sustain the outstanding number of clients!

Rudder:OK, let's add some!



Techniques


+ metadata for

web configuration

Nodes



...

Directives

Rules


Groups

Sysadmins

c c


Expert

Community



Hi, this is the CIO.I need the visibility on our certificate migration project.

What is the current progress?

Rudder:Let me show you that.



Built-in reporting



Built-in reporting



Hi, this is the DBA.We have an excessive load on our database,

I think some PostgreSQL setting have changed.Can you check?

Rudder:Let me find why, who and when.



Complete tracability



Hi, this is the CIO.We have a new policy, each modification should be reviewed

and confirmed by a senior sysadminbefore being put into production.

Rudder:OK … if this is is mandatory



Validation workflow



Validation workflow● States:

● Pending validation

– Can be sent to: Pending deployment, Deployed, Cancelled.

● Pending deployment

– The change was validated, but now require to be deployed. Can be sent to: Deployed, Cancelled.

● Deployed

– The change is deployed. This is a final state, it can’t be moved anymore.

● Cancelled

– The change was not approved. This is a final state, it can’t be moved anymore.



Hi, this is developer Charlie.We have changed our application, it now needs a new configuration file.

Can you put it on all servers?It needs to be modified on each server to contain the server name.

Rudder:OK, let's do this.



Techniques


+ metadata for

web configuration

Nodes



...

Directives

Rules


Groups

Sysadmins

c c


Expert

Community

Write any configuration you like in a Techniqueand share them with co-workers



Hi, this is sysadmin Eve.I would like to know which rules are not anymore used.

Rudder:I don't know, let's use the API to check.


Summary

● What is Rudder anyway?

● Why is it interesting?

● How do people use it?


Questions?

Check it out on:http://www.rudder.cm/

Benoît Peccatte – [email protected]

OSDC 2015: Benoit Peccatta | Sharing IT automation benefits in a team with Rudder

Technology

ncfncf normation tous

config management

separate configuration

starting cmhow

starting cmchoose

automation benefits

rudderbenot peccatte

supervision team