Managing Configuration Drift and Auditing with Salt. Duncan Mac-Vicar P., Director, Data Center Management R&D, SUSE (dmacvicar@suse.com)


How to manage infrastructure?

Sysadmin Alexis manages his servers with bash scripts. They reside in `~/bin`, under strict ownership and an approval process.

    #!/bin/bash
    # Patch every host in the list. ssh needs -n so it does not swallow the
    # remaining host names from the loop's stdin.
    while read -r host; do
        ssh -n -q "user1@${host}" zypper up
    done <<EOF
    server1
    server2
    EOF

New colleague: DevOps Adrian writes "Configuration Management" recipes and templates. They reside in `git`.

    /etc/motd:
      file.managed:
        - source: salt://common/motd

    apache:
      pkg.installed

The two brains of IT
- Mode 1, Reliability: Waterfall, ITIL. Conventional projects. Long cycle times (months).
- Mode 2, Agility: Agile, DevOps. New and uncertain projects. Short cycles (days, weeks).

DevOps Adrian explains: "If somebody changes the configuration, I just re-apply it and the tool brings it to the correct state."

Sysadmin Alexis reads: "Configuration management (CM) is a systems engineering process for establishing and maintaining consistency of a product's performance, functional, and physical attributes with its requirements, design, and operational information throughout its life."

Infrastructure as code has become a pragmatic way to implement configuration management for IT infrastructure. We already know how to manage change to source code: version control, review, history. We have the tools and processes for it, so we reuse them for infrastructure.

Salt 101: a master publishes commands to minions over ZeroMQ (ØMQ). Minions connect out to the master on TCP ports 4505 (publish) and 4506 (request/return); the minions themselves need no inbound ports.

Salt 101: the master sends configuration and commands to minions, the minions return results.

    $ salt '*' pkg.install foo
    $ salt host1 docker.pause c001
    $ salt 'web*' cmd.run 'cat /etc/fstab'
    $ salt '*' state.apply

What is a state? The same master/minion flow, but instead of ad-hoc commands the master sends declarative configuration:

    /etc/motd:
      file.managed:
        - source: salt://common/motd

    apache:
      pkg.installed

States: a state is what Salt calls a piece of configuration written in declarative form (what the system should look like, not the steps to get there).

Non-compliant system. `test=true` reports what would change without changing it:

    $ salt minion1 state.apply test=true
    minion1:
    ----------
              ID: /etc/motd
        Function: file.managed
          Result: None
         Comment: The file /etc/motd is set to be changed
         Started: 10:06:05.021643
        Duration: 30.339 ms
         Changes:
                  ----------
                  diff:
                      ---
                      +++
                      @@ -1 +1 @@
                      -Have a lot of fun...
                      +This is my managed motd

    Summary for minion1
    ------------
    Succeeded: 1 (unchanged=1, changed=1)
    Failed:    0
    ------------
    Total states run:     1

New trainee, logged in on the box:

    $ useradd -r mudserver

Let's run it again:

    $ salt minion1 state.apply test=true
    minion1:
    ----------
              ID: /etc/motd
        Function: file.managed
          Result: None
         Comment: The file /etc/motd is set to be changed
         Started: 10:06:05.021643
        Duration: 30.339 ms
         Changes:
                  ----------
                  diff:
                      ---
                      +++
                      @@ -1 +1 @@
                      -Have a lot of fun...
                      +This is my managed motd

    Summary for minion1
    ------------
    Succeeded: 1 (unchanged=1, changed=1)
    Failed:    0
    ------------
    Total states run:     1

The change was not detected: the new account was never part of the configuration, so no state covers it. Salt can only say something about what is declared.

    # We can express...
    joe:
      user.present

    # How to express?
    any other:
      user.absent
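What "every account that is not declared is absent" has to look like when written out explicitly. This is an added example, not code from the talk or from Salt: the two passwd texts are constructed, `DECLARED` stands in for the accounts the states declare with `user.present`, and the "reference" copy is whatever known-good `/etc/passwd` you keep (a snapshot, a pristine image).

```python
"""Account drift: accounts that exist on the minion but that no state declares.
Added example; the passwd contents below are constructed, not captured."""

# Reference copy of /etc/passwd as shipped (constructed, e.g. from the install snapshot).
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
messagebus:x:499:499:User for D-Bus:/run/dbus:/bin/false
duncan:x:1000:100:Duncan Mac-Vicar P.:/home/duncan:/bin/zsh
"""

# Current /etc/passwd after a state created joe and a trainee ran `useradd -r mudserver`.
CURRENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
messagebus:x:499:499:User for D-Bus:/run/dbus:/bin/false
duncan:x:1000:100:Duncan Mac-Vicar P.:/home/duncan:/bin/zsh
joe:x:1001:100::/home/joe:/bin/bash
mudserver:x:167:100::/home/mudserver:/bin/bash
"""

# Accounts the states declare with user.present (hypothetical SLS contents).
DECLARED = {"joe"}


def users(passwd_text):
    """Return the set of account names found in passwd-format text."""
    names = set()
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 7:          # skip malformed lines rather than crash
            names.add(fields[0])
    return names


def account_drift(baseline_text, current_text, declared):
    """Classify accounts relative to the reference copy and the declared set.

    unmanaged: present now, not in the reference copy, not declared (the `useradd`
               nobody told Salt about; uid is irrelevant, -r system users count too)
    missing:   declared but not present (a state that has not been applied yet)
    removed:   in the reference copy but gone now
    """
    base, cur = users(baseline_text), users(current_text)
    return {
        "unmanaged": sorted(cur - base - declared),
        "missing": sorted(declared - cur),
        "removed": sorted(base - cur),
    }


if __name__ == "__main__":
    for kind, names in account_drift(BASELINE_PASSWD, CURRENT_PASSWD, DECLARED).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

The point is the third input: declared states alone cannot produce the `unmanaged` list, because a state only knows what it declares. Something has to hold the "everything else" set, and on the slides that role is taken by the baseline snapshot.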

Disappointed sysadmin: DevOps tools focus on creating new systems. Not all change is accounted for. Is it really configuration management? What they call "Configuration Management" is really "Automation". The novelty is the declarative approach (vs. imperative), not the control of change.

Are classic IT priorities the same? Detecting configuration drift. Auditing compliance. Documenting infrastructure.

Incomplete configuration: states and templates describe only what they declare. To cover the rest of the system they need a baseline.

Where is the baseline? "In configuration management, a baseline is an agreed description of the attributes of a product, at a point in time, which serves as a basis for defining change." (MIL-HDBK-61)

How to define a baseline? How to integrate it with the rest of the configuration?

Snapper (http://snapper.io): snapper is to snapshots what zypper/apt-get/dnf are to packages. First demoed at SUSECon 2011. A headline feature of SUSE Linux Enterprise 12.

Created by SUSE, available everywhere:
- https://wiki.archlinux.org/index.php/snapper
- https://apps.fedoraproject.org/packages/snapper
- https://packages.debian.org/search?keywords=snapper

Snapper works on filesystem-level snapshots, so it needs btrfs (or thin-provisioned LVM volumes) underneath.

Snapper 101:

    snapper list-configs
    snapper list
    snapper create
    snapper mount <number>
    snapper status <number1>..<number2>
    snapper diff <number1>..<number2> [files]
    snapper undochange <number1>..<number2> [files]

YaST and zypper take snapshots automatically. From the GRUB menu you can boot old snapshots.

YaST2 snapper module (screenshot).

Salt and Snapper integration I. The snapper execution module exposes the snapper operations through the usual master/minion command flow:

    salt '*' snapper.list_snapshots
    salt '*' snapper.get_snapshot
    salt '*' snapper.create_snapshot
    salt '*' snapper.undo
    salt '*' snapper.diff

Salt and Snapper integration II. `snapper.run` wraps any execution module call in a pre/post snapshot pair and tags both snapshots with the Salt job id:

    $ salt minion2 snapper.run function=file.append args='["/etc/motd", "some text"]'
    minion2:
        Wrote 1 lines to "/etc/motd"

    Type | #  | Pre # | Date   | User | Description   | Userdata
    -----+----+-------+--------+------+---------------+--------------
    pre  | 21 |       | Thu... | root | salt job 6668 | salt_jid=6668
    post | 22 | 21    | Thu... | root | salt job 6668 | salt_jid=6668

Salt and Snapper integration III. With the job id you can ask what that job changed:

    $ salt minion2 snapper.diff_jid 6668
    minion2:
        ----------
        /etc/motd:
            --- /.snapshots/21/snapshot/etc/motd
            +++ /.snapshots/22/snapshot/etc/motd
            @@ -1 +1,2 @@
             Have a lot of fun...
            +some text

`snapper.undo_jid` also works, reverting exactly what that job did.

State module. Back to the baseline problem, imagine you could say:

    # Starting from snapshot #3
    baseline:
      - ????

    # then...
    /etc/motd:
      file.managed:
        - source: salt://common/motd

    apache:
      pkg.installed

State module. You can:

    my_baseline:
      snapper.baseline_snapshot:
        - number: 20
        - ignore:
          - /var/log
          - /var/cache

    /etc/motd:
      file.managed:
        - source: salt://common/motd

If somebody adds a new user, drift against the baseline rule is reported:

    $ salt minion1 state.apply test=true
    minion1:
    ----------
              ID: my_baseline
        Function: snapper.baseline_snapshot
          Result: None
         Comment: 1 files changes are set to be undone
         Changes:
                  ...
                  /etc/passwd:
                      ...
                      diff:
                          --- /etc/passwd
                          +++ /.snapshots/21/snapshot/etc/passwd
                          @@ -22,5 +22,3 @@
                           duncan:x:1000:100:duncan Mac-Vicar P.:/home/duncan:/bin/zsh
                          -mudserver:x:167:100::/home/mudserver:/bin/bash
    ----------
              ID: /etc/motd
    ...
    Succeeded: 2 (unchanged=2, changed=2)

Applying states. If you apply the state for real (no `test=true`), the system is first reset to the contents of the baseline snapshot, and only then are the remaining states applied on top. Anything not under an `ignore` path and not re-created by a state is undone.

    $ salt minion1 state.apply
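What a baseline rule with an `ignore` list actually computes, as an added example that is not the Salt snapper module's code. The two file trees are plain `{path: content}` dicts standing in for `/.snapshots/<n>/snapshot` and the live filesystem; their contents are constructed, and the diff is printed in the same direction the state shows it (from the live file to the snapshot copy, i.e. the change that an apply would undo).

```python
"""Baseline drift over a file tree, honouring an ignore list.
Added example; the trees and contents are constructed."""
import difflib

# Snapshot #21, the agreed baseline (constructed).
BASELINE = {
    "/etc/motd": "Have a lot of fun...\n",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "duncan:x:1000:100:duncan Mac-Vicar P.:/home/duncan:/bin/zsh\n",
    "/var/log/messages": "old log\n",
}

# The live system: a user was added by hand, a sysctl file appeared, logs and caches churned.
CURRENT = {
    "/etc/motd": "Have a lot of fun...\n",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "duncan:x:1000:100:duncan Mac-Vicar P.:/home/duncan:/bin/zsh\n"
                   "mudserver:x:167:100::/home/mudserver:/bin/bash\n",
    "/var/log/messages": "old log\nnew log line\n",
    "/var/cache/zypp/x": "cached\n",
    "/etc/sysctl.d/99-local.conf": "net.ipv4.ip_forward = 1\n",
}

# Same role as the `ignore:` list on the snapper.baseline_snapshot state.
IGNORE = ["/var/log", "/var/cache"]


def ignored(path, prefixes):
    """True if path is one of the ignore prefixes or lives below one."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)


def baseline_drift(baseline, current, ignore=()):
    """Compare the live tree with the baseline, skipping ignored paths.

    changed: present in both, contents differ
    added:   present now, absent from the baseline (an apply would delete it)
    removed: in the baseline, gone now (an apply would restore it)
    """
    paths = {p for p in set(baseline) | set(current) if not ignored(p, ignore)}
    report = {"changed": [], "added": [], "removed": []}
    for path in sorted(paths):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif baseline[path] != current[path]:
            report["changed"].append(path)
    return report


def undo_diff(path, baseline, current, snapshot_number):
    """Unified diff from the live file to the baseline copy: the change to be undone."""
    return "".join(difflib.unified_diff(
        current[path].splitlines(keepends=True),
        baseline[path].splitlines(keepends=True),
        fromfile=path,
        tofile=f"/.snapshots/{snapshot_number}/snapshot{path}",
    ))


if __name__ == "__main__":
    report = baseline_drift(BASELINE, CURRENT, IGNORE)
    print(report)
    for path in report["changed"]:
        print(undo_diff(path, BASELINE, CURRENT, 21))
```

Note what the ignore list buys and costs: `/var/log` and `/var/cache` never show up as drift, which keeps the report readable, but a file dropped under an ignored prefix is invisible to this check. Keep the list short and never put `/etc` or `/usr` on it.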

Managing snapshots by number? Fragile. `snapper.create_baseline` creates a snapshot and adds a baseline tag to that snapshot's userdata property:

    $ salt '*' snapper.create_baseline

    Type   | #  | Pre # | Date    | User | Description | Userdata
    -------+----+-------+---------+------+-------------+----------------------
    single | 0  |       |         | root | current     |
    post   | 20 | 19    | Sept 26 | root | ...         | important=no
    single | 22 |       | Sept 26 | root | ...         | baseline_tag=baseline

Baseline tags. Reference the baseline by tag instead of by number:

    last_production:
      snapper.baseline_snapshot:
        - tag: baseline

You can move the baseline without touching your states: the most recently tagged snapshot is used. Drift detection, audit and documentation all hang off this one agreed point in time.

Salt snapper module: already submitted upstream and will be part of the Carbon release (2016.11). Also available in the SUSE Linux Enterprise / SUSE Manager 2015.8.x Salt package. Carbon also supports automatic snapshots when applying states: https://docs.saltstack.com/en/develop/topics/releases/carbon.html

State snapshots: wrapping a whole state run in a pre/post snapshot pair gives you a diff (and an undo) for the complete run rather than for a single module call.

    $ salt minion2 snapper.run function=state.apply

Other Resources to Manage Drift

Salt survey runner module. Survey groups the returned values into pools of unique results, so you see which servers differ from the others instead of reading every return:

    salt-run survey.diff survey_sort=up "*" cmd.run 'cat /etc/hosts'
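The grouping the survey runner does, as an added example rather than the runner's own code. The per-minion returns are constructed (here the relevant lines of `sshd_config` rather than `/etc/hosts`, because that is a file where an odd one out is a finding), and the minion names are made up.

```python
"""Group command returns into pools of identical output and name the outliers.
Added example; the returns are constructed."""
import hashlib
from collections import defaultdict

# What `cmd.run 'grep -E "^(PermitRootLogin|PasswordAuthentication)" /etc/ssh/sshd_config'`
# might return per minion (constructed).
RETURNS = {
    "web1": "PermitRootLogin no\nPasswordAuthentication no\n",
    "web2": "PermitRootLogin no\nPasswordAuthentication no\n",
    "web3": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "db1":  "PermitRootLogin no\nPasswordAuthentication no\n",
}


def survey(returns):
    """Pool minions by the digest of their output.

    Returns a list of (count, sorted minion names, output), largest pool first;
    pools of equal size are ordered by their first minion name so the result is stable.
    Hashing instead of keying on the raw text keeps large outputs cheap to compare.
    """
    pools = defaultdict(list)
    for minion, output in returns.items():
        pools[hashlib.sha256(output.encode()).hexdigest()].append(minion)
    result = [(len(minions), sorted(minions), returns[minions[0]])
              for minions in pools.values()]
    result.sort(key=lambda pool: (-pool[0], pool[1]))
    return result


def outliers(returns):
    """Minions outside the largest pool: the ones that differ from the others.

    With a clear majority this is the right call; if the two biggest pools are the
    same size there is no majority and you have to look at both.
    """
    pools = survey(returns)
    return sorted(m for _, minions, _ in pools[1:] for m in minions)


if __name__ == "__main__":
    for count, minions, output in survey(RETURNS):
        print(f"{count} minion(s): {', '.join(minions)}")
        print("    " + output.replace("\n", "\n    ").rstrip())
    print("outliers:", outliers(RETURNS))
```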

Salt package module. Shows the difference between the `/etc/sudoers` shipped in the package and the one installed on the system, i.e. local edits to packaged files:

    salt 'web*' pkg.diff /etc/sudoers

Hubble (http://hubblestack.io), a security toolset built on Salt:
- Nova: auditing framework
- Pulsar: file integrity monitor, security events
- Nebula: query infrastructure security snapshots
- Quasar: reporting

Available Nova modules:
- grep (configuration values)
- iptables (firewall rules)
- netstat (listening ports)
- openscap (CVE scan)
- openssl (cert validation and expiration)
- pkg (installed packages)
- service (running services)
- stat (ownerships and permissions)
- sysctl (kernel parameters)
- vulners.com (CVE scan)

Future work

The two brains of IT, revisited: Mode 1 (reliability: waterfall, ITIL, conventional projects, cycle times of months) versus Mode 2 (agility: Agile, DevOps, new and uncertain projects, cycles of days or weeks).

Bimodal datacenter on a software-defined base (compute, storage, network):
- Mode 1: deployment, networking, high availability
- Mode 2: Magnum, containers, scaling, monitoring

Docker images

Motivation: you bought into the hype and automated everything with Salt. You have Salt states and templates for all your infrastructure. Now you want to deploy an app into a container and you need a container image...

Dockerfiles: the usual answer is an imperative script that re-does by hand what the states already describe.

    # zypper needs a SUSE-based image
    FROM opensuse/leap
    RUN zypper -n in foo
    RUN echo "key=val" > /etc/foo/config

Building images from states instead. The same `myapp` state that configures a host:

    foo:
      pkg.installed

    /etc/foo/config:
      file.managed:
        - source: salt://myapp/foo.config

applied inside a container on a build minion:

    salt mybuilder0 dockerng.state myapp mods=myapp

Benefits:
- Reuse states and templates across workloads.
- Access templates and pillar data (e.g. secrets) directly from Salt, without baking them into a Dockerfile.
- Access to Salt modules for configuration.
- Implemented as the ability to run arbitrary Salt modules inside running containers.
- Auditing: the same drift tooling applies to the image contents.

Thanks for listening
