Cooking security sans@night (jtimberman)

5. A picture is worth...
Copyright © 2010 Opscode, Inc - All Rights Reserved 5
6. A thousand words!
“... Is a field of management that focuses on
establishing and maintaining consistency of a system's
or product's performance and its functional and
physical attributes with its requirements, design, and
operational information throughout its life. For
information assurance, [it] can be defined as the
management of security features and assurances
through control of changes made to hardware,
software, firmware, documentation, test, test fixtures,
and test documentation throughout the life cycle of an
information system.” - en.wikipedia.org
7. Infrastructure as Code is...
A technical domain revolving around building and managing infrastructure programmatically
8. Enable the reconstruction of the business from nothing but a source code repository, an application data backup, and bare metal resources.
10. Security
11. Policy Compliance
12. Policy Compliance
Not a silver bullet
Best practices, applied
13. Recipe resource (Ruby DSL):
    template "#{home_dir}/.ssh/authorized_keys" do
      source "authorized_keys.erb"
      owner u['uid']
      group u['id']
      mode "0600"
      variables :ssh_keys => u['ssh_keys']
    end

    ERB template line for sudoers:
    %<%= group %> ALL=(ALL) NOPASSWD: ALL
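The two snippets on this slide are a template resource and an ERB fragment; what the rendered output looks like, and why a whole-file template is a compliance control, is easier to see with the rendering run outside Chef. The following is an added example, not code from the talk or from Opscode's users cookbook: the user hashes, the template bodies and the helper names (render, authorized_keys_for, sudoers_line_for, unmanaged_keys) are all constructed here; the slide only names authorized_keys.erb.

```ruby
require 'erb'

# Constructed sample of the data the recipe on the slide reads: one hash per
# user, in the shape of a users data bag item. Values are made up for this example.
USERS = [
  { 'id' => 'alice', 'uid' => 2001, 'gid' => 2001,
    'ssh_keys' => ['ssh-ed25519 AAAAC3EXAMPLEKEY1 alice@laptop'] },
  { 'id' => 'bob', 'uid' => 2002, 'gid' => 2002,
    'ssh_keys' => ['ssh-rsa AAAAB3EXAMPLEKEY2 bob@desk',
                   'ssh-ed25519 AAAAC3EXAMPLEKEY3 bob@yubikey'] },
].freeze

# Template bodies as they would sit in the cookbook's templates/ directory
# (assumed contents; the slide only names authorized_keys.erb).
AUTHORIZED_KEYS_ERB = <<~ERB
  # Managed by Chef. Local edits are overwritten on the next client run.
  <% ssh_keys.each do |key| -%>
  <%= key %>
  <% end -%>
ERB

# The sudoers line shown on the slide, verbatim.
SUDOERS_ERB = "%<%= group %> ALL=(ALL) NOPASSWD: ALL\n"

# Render a template with the variables the resource would pass in.
def render(template, vars)
  ERB.new(template, trim_mode: '-').result_with_hash(vars)
end

# What the authorized_keys resource writes for one user.
def authorized_keys_for(user)
  render(AUTHORIZED_KEYS_ERB, ssh_keys: user['ssh_keys'])
end

# What the sudoers template line expands to for a group.
def sudoers_line_for(group)
  render(SUDOERS_ERB, group: group)
end

# Keys found in a file on disk that policy does not list. Because the template
# resource rewrites the whole file, any such key disappears on the next run;
# reporting it first turns the rewrite into an auditable event.
def unmanaged_keys(on_disk, user)
  present = on_disk.lines.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
  present - user['ssh_keys']
end

if $PROGRAM_NAME == __FILE__
  USERS.each { |u| puts "--- #{u['id']}", authorized_keys_for(u) }
  puts sudoers_line_for('sysadmin')
end
```

The point of unmanaged_keys is the one the slide makes under "policy compliance": a key that someone appended by hand is not merely removed, it is visible as drift before the next convergence overwrites it.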
15. Auditing and Documentation
17. package "ntp" do
      action :install
    end

    service "ntp" do
      action :start
    end

    template "/etc/ntp.conf" do
      source "ntp.conf.erb"
      owner "root"
      group "root"
      mode 0644
    end
18. % git log ntp/recipes/default.rb
    commit a5991547215757ed25e2944f93faa437fad1e5a5
    Author: jtimberman <joshua@opscode.com>
    Date:   Sun Sep 27 23:39:05 2009 -0600

        cook-188, update copyright notices, regen metadata too

    commit 524ee910f391acadec52362419ce27dbdcdb9969
    Author: jtimberman <joshua@opscode.com>
    Date:   Wed Mar 4 17:08:10 2009 -0700

        cook-13, add ntp cookbook
19. It's like built-in change management
20. Logging subsystems
21. Defense in Depth is hard
22. Managing Infrastructure Is Hard (and always has been)
Big players (timeline: 1980, 1989, 1999, 2001):
• Reach just a handful of large, enterprise customers
• Require custom implementations with large professional services bills
• Deployed exclusively on-premise
• Acquired by companies with large consulting organizations (IBM, HP, CA)
24. You need system integration
26. At a High Level...
‣ A library for configuration management
‣ A configuration management system
‣ A systems integration platform
‣ An API for your entire Infrastructure
27. Open source and community
29. Ruby
30. Platforms
Debian, Ubuntu, Red Hat, CentOS, Fedora, Scientific, SuSE, Gentoo, ArchLinux, Mac OS X, Solaris, FreeBSD, OpenBSD, Windows
32. Multiple applications of an operation do not change the result
33. We start with APIs, you supply data
34. Defaults are sane, but changed easily
    option :json_attribs,
      :short => "-j JSON_ATTRIBS",
      :long => "--json-attributes JSON_ATTRIBS",
      :description => "Load attributes from a JSON file or URL",
      :proc => nil

    option :node_name,
      :short => "-N NODE_NAME",
      :long => "--node-name NODE_NAME",
      :description => "The node name for this client",
      :proc => nil
35. Tim Toady is a Perl motto
36. Chef... How does it work?
37. Chef Client runs on your systems
38. Clients talk to a Chef Server
39. Clients authenticate with RSA keys
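The slide states the property (each client holds an RSA key pair, the server knows the public half) without showing the mechanics. The following is an added example, not Chef's code and not Chef's wire format: Chef's real scheme has its own header names and canonicalisation, and this is a simplified illustration of the same pattern, a per-client private key signing a canonical string that binds method, path, body digest, timestamp and client name, verified server-side against a registry of public keys. The header names, the 15-minute skew window and the client/path values are all assumptions made for this example.

```ruby
require 'openssl'
require 'base64'
require 'digest'
require 'time'

MAX_SKEW = 15 * 60 # seconds of clock skew this example tolerates (assumed value)

# Client side: the canonical string ties every field the server will check
# into one signed blob, so none of them can be swapped after signing.
def canonical_request(method, path, body, timestamp, client_name)
  ["Method:#{method.upcase}",
   "Path-Hash:#{Digest::SHA256.base64digest(path)}",
   "Content-Hash:#{Digest::SHA256.base64digest(body)}",
   "Timestamp:#{timestamp}",
   "Client:#{client_name}"].join("\n")
end

# Sign with the client's private key (in Chef terms, the node's client.pem).
def sign_request(private_key, method, path, body, client_name, now = Time.now.utc)
  ts  = now.iso8601
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'),
                         canonical_request(method, path, body, ts, client_name))
  { 'X-Client' => client_name,
    'X-Timestamp' => ts,
    'X-Content-Hash' => Digest::SHA256.base64digest(body),
    'X-Signature' => Base64.strict_encode64(sig) }
end

# Server side: rebuild the canonical string from what was actually received
# and verify against the registered public key. Returns a symbol naming the
# reason for rejection so the server's log can say why a request failed.
def verify_request(registry, method, path, body, headers, now = Time.now.utc)
  pub = registry[headers['X-Client']]
  return :unknown_client unless pub
  begin
    ts = Time.iso8601(headers['X-Timestamp'].to_s)
  rescue ArgumentError
    return :bad_timestamp
  end
  return :stale_timestamp if (now - ts).abs > MAX_SKEW
  return :body_mismatch unless Digest::SHA256.base64digest(body) == headers['X-Content-Hash']
  expected = canonical_request(method, path, body, headers['X-Timestamp'], headers['X-Client'])
  ok = pub.verify(OpenSSL::Digest.new('SHA256'),
                  Base64.strict_decode64(headers['X-Signature']), expected)
  ok ? :ok : :bad_signature
end

# Walk through a good request and four constructed failure cases.
def demo
  key      = OpenSSL::PKey::RSA.new(2048)
  registry = { 'web01.example' => key.public_key } # what the Chef Server stores
  path     = '/nodes/web01.example'
  body     = '{"run_list":["role[webserver]"]}'
  t0       = Time.utc(2010, 7, 8, 15, 0, 0)
  h        = sign_request(key, 'PUT', path, body, 'web01.example', t0)
  {
    good:     verify_request(registry, 'PUT', path, body, h, t0 + 5),
    tampered: verify_request(registry, 'PUT', path, body.sub('webserver', 'admin'), h, t0 + 5),
    moved:    verify_request(registry, 'PUT', '/nodes/admin', body, h, t0 + 5),
    replayed: verify_request(registry, 'PUT', path, body, h, t0 + 3600),
    rekeyed:  verify_request(registry, 'PUT', path, body, h.merge('X-Client' => 'nobody'), t0 + 5),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The ordered checks in verify_request are deliberate: cheap rejections (unknown client, stale timestamp, body digest) come before the RSA operation, and each rejection is distinguishable in the log, which is what makes client-key problems visible to the auditing story later in the deck.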
40. We call each system you configure a Node
41. Nodes have Attributes
Callouts on the slide: kernel info, platform info, hostname and IP.
    {
      "kernel": {
        "machine": "x86_64",
        "name": "Darwin",
        "os": "Darwin",
        "version": "Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386",
        "release": "10.4.0"
      },
      "platform_version": "10.6.4",
      "platform": "mac_os_x",
      "platform_build": "10F569",
      "domain": "local",
      "os": "darwin",
      "current_user": "jtimberman",
      "ohai_time": 1278602661.60043,
      "os_version": "10.4.0",
      "uptime": "18 days 17 hours 49 minutes 18 seconds",
      "ipaddress": "10.13.37.116",
      "hostname": "cider",
      "fqdn": "cider.local",
      "uptime_seconds": 1619358
    }
42. The server stores JSON data about Nodes
43. Attributes are Searchable
    $ knife search node 'platform:mac_os_x'
    search(:node, 'platform:mac_os_x')
44. Nodes have a Run List
What Roles or Recipes to apply, in order
45. Nodes have Roles
46. Roles have a Run List
What Roles or Recipes to apply, in order
47. name "webserver"
    description "Systems that serve HTTP traffic"
    run_list(
      "role[base]",              # run lists can include other roles
      "recipe[apache2]",
      "recipe[apache2::mod_ssl]"
    )
    default_attributes(
      "apache" => {
        "listen_ports" => [ "80", "443" ]
      }
    )
    override_attributes(
      "apache" => {
        "max_children" => "50"
      }
    )
48. Roles are Searchable
    $ knife search role 'max_children:50'
    search(:role, 'max_children:50')
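Slides 43 to 48 describe three mechanisms together: a run list that can nest roles, attributes that come from several places with a precedence order, and a search over the stored JSON. The following is an added example, not Chef's code: it models the webserver role from slide 47 (plus an assumed base role) as plain hashes and implements toy versions of run-list expansion, attribute merging and search so the behaviour can be checked without a Chef Server. The node data, the base role, and the function names (expand_run_list, merged_attributes, search, search_roles) are constructed. The precedence shown, role default attributes below node-supplied normal attributes below role override attributes, is Chef's; merging included roles before the role that includes them is this example's convention, and Chef's full precedence list has more levels than appear here.

```ruby
# Constructed role definitions in the shape of slide 47, stored as hashes.
ROLES = {
  'base' => {
    'run_list' => ['recipe[ntp]', 'recipe[users]'],
    'default_attributes' => { 'ntp' => { 'servers' => ['0.pool.ntp.org'] } },
    'override_attributes' => {},
  },
  'webserver' => {
    'run_list' => ['role[base]', 'recipe[apache2]', 'recipe[apache2::mod_ssl]'],
    'default_attributes' => { 'apache' => { 'listen_ports' => ['80', '443'], 'max_children' => '20' } },
    'override_attributes' => { 'apache' => { 'max_children' => '50' } },
  },
}.freeze

# Constructed node records, a subset of the JSON shown on slide 41.
NODES = {
  'cider' => { 'platform' => 'mac_os_x', 'platform_version' => '10.6.4', 'kernel' => { 'machine' => 'x86_64' } },
  'web01' => { 'platform' => 'ubuntu', 'platform_version' => '10.04', 'kernel' => { 'machine' => 'x86_64' } },
}.freeze

ROLE_REF = /\Arole\[(.+)\]\z/

# Expand a run list depth-first: role entries are replaced by their own run
# lists (which may contain further roles); recipes are kept in order, once.
def expand_run_list(run_list, roles = ROLES, seen = [])
  run_list.each_with_object([]) do |item, out|
    if (m = item.match(ROLE_REF))
      next if seen.include?(m[1]) # guard against role cycles
      out.concat(expand_run_list(roles.fetch(m[1])['run_list'], roles, seen + [m[1]]))
    else
      out << item
    end
  end.uniq
end

# Roles reached through the run list, innermost first.
def roles_in(run_list, roles = ROLES, seen = [])
  run_list.flat_map do |item|
    next [] unless (m = item.match(ROLE_REF))
    next [] if seen.include?(m[1])
    roles_in(roles.fetch(m[1])['run_list'], roles, seen + [m[1]]) + [m[1]]
  end
end

def deep_merge(base, extra)
  base.merge(extra) { |_k, a, b| a.is_a?(Hash) && b.is_a?(Hash) ? deep_merge(a, b) : b }
end

# Role defaults < node-supplied (normal) attributes < role overrides.
def merged_attributes(run_list, node_attrs = {}, roles = ROLES)
  names     = roles_in(run_list, roles)
  defaults  = names.reduce({}) { |acc, n| deep_merge(acc, roles[n]['default_attributes']) }
  overrides = names.reduce({}) { |acc, n| deep_merge(acc, roles[n]['override_attributes']) }
  deep_merge(deep_merge(defaults, node_attrs), overrides)
end

# Flatten nested attributes to "a.b.c" => value so a query can look at leaves.
def flatten(h, prefix = nil)
  h.each_with_object({}) do |(k, v), out|
    key = prefix ? "#{prefix}.#{k}" : k.to_s
    if v.is_a?(Hash)
      out.merge!(flatten(v, key))
    else
      out[key] = v
    end
  end
end

# Toy version of `knife search <index> 'field:value'`: returns the names of
# objects with a leaf attribute called field whose value matches.
def search(objects, query)
  field, value = query.split(':', 2)
  objects.select do |_name, attrs|
    flatten(attrs).any? { |k, v| k.split('.').last == field && v.to_s == value }
  end.keys
end

# Roles are indexed on both attribute sections, as on slide 48.
def search_roles(query, roles = ROLES)
  search(roles.transform_values { |r| r.slice('default_attributes', 'override_attributes') }, query)
end

if $PROGRAM_NAME == __FILE__
  p expand_run_list(['role[webserver]'])
  p merged_attributes(['role[webserver]'], { 'apache' => { 'listen_ports' => ['8080'] } })
  p search(NODES, 'platform:mac_os_x'), search_roles('max_children:50')
end
```

The security-relevant detail is in merged_attributes: a value set in a role's override_attributes, such as max_children here, cannot be undone by data a node supplies about itself, which is the reason overrides exist.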
50. Chef knows many different Resources
remote_file, link, cookbook_file, service, ruby_block, template, execute, user, bash, git, log, package, deploy, http_request
51. Resources take action through Providers
53. Recipes are lists of Resources
54. Order Matters
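Slides 32, 51, 53 and 54 together describe the execution model: a resource declares desired state, a provider inspects current state and acts only on the difference (which is what makes repeated runs idempotent), and a recipe applies its resources in order. The following is an added example, not Chef's classes: two constructed resource types with matching providers, a run_recipe that applies them in order and reports what changed, and a demo showing a first run, an idempotent second run, a run after hand-made drift, and the failure you get when order is wrong. Names (FileResource, DirectoryProvider, run_recipe, demo, wrong_order_fails?) and the sample file contents are assumptions made here.

```ruby
require 'tmpdir'

# Resources only declare desired state.
class DirectoryResource
  attr_reader :path, :mode
  def initialize(path, mode:)
    @path, @mode = path, mode
  end
  def provider
    DirectoryProvider.new(self)
  end
end

class FileResource
  attr_reader :path, :content, :mode
  def initialize(path, content:, mode:)
    @path, @content, @mode = path, content, mode
  end
  def provider
    FileProvider.new(self)
  end
end

# Set permission bits only when they differ from the desired mode.
def converge_mode(path, mode)
  return false if (File.stat(path).mode & 0o7777) == mode
  File.chmod(mode, path)
  true
end

# Providers compare current state with desired state and act on the difference.
# converge returns true when something had to change, false when already converged.
class DirectoryProvider
  def initialize(resource)
    @r = resource
  end
  def converge
    created = !Dir.exist?(@r.path)
    Dir.mkdir(@r.path) if created
    converge_mode(@r.path, @r.mode) || created
  end
end

class FileProvider
  def initialize(resource)
    @r = resource
  end
  def converge
    rewritten = !(File.file?(@r.path) && File.read(@r.path) == @r.content)
    File.write(@r.path, @r.content) if rewritten
    converge_mode(@r.path, @r.mode) || rewritten
  end
end

# A recipe is an ordered list of resources, applied top to bottom.
def run_recipe(resources)
  resources.map { |r| r.provider.converge }
end

def demo
  Dir.mktmpdir do |home|
    ssh_dir = File.join(home, '.ssh')
    keys    = File.join(ssh_dir, 'authorized_keys')
    recipe = [
      DirectoryResource.new(ssh_dir, mode: 0o700),
      FileResource.new(keys, content: "ssh-ed25519 AAAAC3EXAMPLEKEY alice\n", mode: 0o600),
    ]
    first  = run_recipe(recipe)  # both resources created
    second = run_recipe(recipe)  # nothing to do: the operation is idempotent
    File.chmod(0o644, keys)      # constructed drift: someone loosens the file by hand
    third  = run_recipe(recipe)  # only the drifted resource is touched
    { first: first, second: second, third: third }
  end
end

# Order matters: declaring the file before its directory fails on a fresh system.
def wrong_order_fails?
  Dir.mktmpdir do |home|
    ssh_dir = File.join(home, '.ssh')
    recipe = [
      FileResource.new(File.join(ssh_dir, 'authorized_keys'), content: "x\n", mode: 0o600),
      DirectoryResource.new(ssh_dir, mode: 0o700),
    ]
    begin
      run_recipe(recipe)
      false
    rescue Errno::ENOENT
      true
    end
  end
end

puts demo.inspect, wrong_order_fails? if $PROGRAM_NAME == __FILE__
```

The third run is the one to note for security: the provider reports which resource it had to touch, so a loosened permission on authorized_keys shows up as an "updated" resource in the run output rather than being silently corrected.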
55. How does it help me secure my systems?
57. The Benefits of Automation
Efficiency
Economics
Scalability
58. Chef automation workflow
Define your policy
Write policy as simple code
Deploy configuration in testing
Deploy in production
60. Leverage a community
Open Source software
Operations experts
Team collaboration
61. Not everything can be automated
Security people say “No”.
This is as much culture as policy.
Automating humans is hard.