SlideShare une entreprise Scribd logo

Cloudy with a Chance of Fireballs: Provisioning and Certificate Management in Puppet - PuppetConf 2014

Puppet
Puppet

The document discusses managing trusted instances in the cloud. It outlines the problem of verifying instances provisioned in the cloud are legitimate. It then provides an overview of a solution where instances generate certificate signing requests with metadata upon launch, and a puppetmaster signs the requests after verifying the instance information with the cloud provider API. Signed certificates are returned to the instances containing the metadata, allowing the instances to be identified and classified in puppet configurations.

Technologie
1  sur  27
Télécharger pour lire hors ligne
2014 Presented by Cloudy with a chance of Fireballs Managing Trusted Instances in the Cloud ! ! ! ! eric sorenson eric.sorenson@puppetlabs.com
Presented by What’s the problem? Why you might care End to End Overview Walkthrough w/ AWS Related work
Presented by What's the problem?
Presented by What’s the REAL problem?
Presented by
Presented by Why you might care
Presented by
Presented by
Presented by
Presented by
Presented by +-------------------------------+ +-----------+ | | | | | Amazon EC2 API <--------+provisioner| +---------------------^---------+ +-----------+ | | +-------+ +------+---------+ | | | | | node1 +------> puppetmaster | +-------+ +----------------+ ! ! Follow along at home: https://github.com/ahpook/mrzarquon-certsigner/tree/eric0-wip
Presented by ! +----------------------------+ Prerequisites: |                            |      - Puppetmaster w/IAM credentials |  Amazon EC2 API            | <--+  and autosign policy configured |                            |       | | - AMI with user-data install or +----------------------------+ preloaded agent+ec2-utils, IAM policy permitting query tags !
Presented by { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1411031868000", "Effect": "Allow", "Action": [ "ec2:DescribeTags" ], "Resource": [ "*" ] } ] }
Presented by +----------------------------+ | | | Amazon EC2 API | | | +------^---------------------+ | +------+------+ | | Your provisioning node requests | Provisioner | <-------+ some new instances using that image, | | tagging them w/ role: 'webserver' +-------------+
Presented by [vagrant@deglitch ~]$ puppet node_aws --trace --debug create -i ami-37713107 --region=us-west-2 --instance-tags=role=webserver --type=t1.micro --keyname=certsigner --security-group=webservers Debug: Runtime environment: puppet_version=3.6.2 (Puppet Enterprise 3.4.0-rc1-790-gf96f634), ruby_version=1.9.3, run_mode=user, default_encoding=UTF-8 Info: Connecting to AWS us-west-2 ... Done Info: Instance Type: t1.micro Notice: Creating new instance ... Done Info: Instance identifier: i-abc8f0a6 Notice: Creating tags for instance ... Info: Creating tag for Created-By ... Done Info: Creating tag for role ... Done Notice: Creating tags for instance ... Done Notice: Launching server i-abc8f0a6 ... ##### Notice: Server i-abc8f0a6 is now launched Notice: Server i-abc8f0a6 public dns name: ec2-54-68-132-30.us-west-2.compute.amazonaws.com
Presented by +---------------------------------+ | | | Amazon EC2 + using your image | | | EC2 builds your instances, +----+-----------+-----------+----+ running the user-data script | | | which drops instance-specific | | | metadata into csr_attributes.yaml +---v---+ +---v---+ +---v---+ + | | | | | | | | node1 | | node2 | | node3 | <----------------+ +-------+ +-------+ +-------+
Presented by
Presented by
Presented by +-------------------------------+ | | Each node generates a CSR which | Amazon EC2 API | embeds the metadata as requested +---------------------^---------+ attributes and submits it to the | puppetmaster, which checks the | instance-ID against EC2 to verify +-------+ +------+---------+ it came from a valid instance. | | | | | node1 +------> puppetmaster | +-------+ +----------------+
Presented by +-------------------------------+ | | If the API is OK, the puppetmaster | Amazon EC2 API | signs the CSR, moving the tags, +---------------------+---------+ instance-id and any other metadata in | whitelisted extension requests | inside the signed certificate. The +-------+ +------v---------+ signed cert is retrieved by the node | | | | and normal Puppet runs can begin. | node1 <------+ puppetmaster | +-------+ +----------------+
Presented by openssl x509 -noout -text -in /var/lib/puppet/ssl/ca/signed/i-f3cef5fe.pem [ ... tons of crap trimmed ... ] X509v3 extensions: Netscape Comment: Puppet Ruby/OpenSSL Internal Certificate 1.3.6.1.4.1.34380.1.1.5: webserver 1.3.6.1.4.1.34380.1.1.3: ami-37713107 1.3.6.1.4.1.34380.1.1.2: i-f3cef5fe
Presented by ! +-------+ +----------------+ When the node checks in, the extensions | | | | will be available under the '$trusted' | node1 +----> puppetmaster | top-scope hash for classification, +-------+ +----------------+ manifests, etc. ! # puppet.conf [master] trusted_node_data = true immutable_node_data = true !
Presented by ## site.pp node default { notify { "trusted_data": message => inline_template("<%= scope.lookupvar('trusted').inspect %>") } } ! ## agent output Notice: /Stage[main]/Main/Node[default]/Notify[trusted_data]/message: defined 'message' as ' {"certname"=>"i-f3cef5fe", "authenticated"=>"remote", "extensions"=>{"pp_instance_id"=>"i-f3cef5fe", "pp_image_name"=>"ami-37713107", "1.3.6.1.4.1.34380.1.1.5"=>"webserver"}}'
Presented by Related and future work ! Signing policy for AWS: mrzarquon-certsigner Signing policy for GCE: puppetlabs-gce_compute Signing policy for in-house CMDBs? Puppet Enterprise Node Manager
Presented by
Presented by
Presented by Photo/Link Credits CERN - http://www.slideshare.net/gmccance/cern-data-centre-evolution Google maps screenshot of Apple Data Center - fair use, with attribution inline Imagery (c) 2014 Google NSA HQ, fort meade - "National Security Agency headquarters, Fort Meade, Maryland" by Unknown - http:// www.nsa.gov/about/photo_gallery/gallery.shtml. Licensed under Public domain via Wikimedia Commons - http:// commons.wikimedia.org/wiki/File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg#mediaviewer/ File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg Bitcoin mining rigs from buttcoin.org http://buttcoin.org/mining-rigs-3 “Cloud City at Sunset” http://balsavor.deviantart.com/art/The-Falcon-escapes-Cloud-city-143511722 han and Lando Mario Fireball - from http://www.giantbomb.com/fireball/3055-120/ © Yorkberlin | Dreamstime.com - Sorceress With Fireball Photo

Recommandé

Puppet Camp DC 2014: Keynote
Puppet Camp DC 2014: KeynotePuppet Camp DC 2014: Keynote
Puppet Camp DC 2014: Keynote
Puppet
 
Managing Your Cisco Datacenter Network with Ansible
Managing Your Cisco Datacenter Network with AnsibleManaging Your Cisco Datacenter Network with Ansible
Managing Your Cisco Datacenter Network with Ansible
fmaccioni
 
Cloudinit
CloudinitCloudinit
Cloudinit
sriram_rajan
 
Network Automation with Ansible
Network Automation with AnsibleNetwork Automation with Ansible
Network Automation with Ansible
Anas
 
Red Hat Forum Tokyo - OpenStack Architecture
Red Hat Forum Tokyo - OpenStack ArchitectureRed Hat Forum Tokyo - OpenStack Architecture
Red Hat Forum Tokyo - OpenStack Architecture
Dan Radez
 
CloudOps CloudStack Days, Austin April 2015
CloudOps CloudStack Days, Austin April 2015CloudOps CloudStack Days, Austin April 2015
CloudOps CloudStack Days, Austin April 2015
CloudOps2005
 
Puppet Camp Charlotte 2015: Exporting Resources: There and Back Again
Puppet Camp Charlotte 2015: Exporting Resources: There and Back AgainPuppet Camp Charlotte 2015: Exporting Resources: There and Back Again
Puppet Camp Charlotte 2015: Exporting Resources: There and Back Again
Puppet
 
Deployment with Fabric
Deployment with FabricDeployment with Fabric
Deployment with Fabric
andymccurdy
 

Recommandé

Puppet Camp DC 2014: Keynote
Puppet Camp DC 2014: KeynotePuppet Camp DC 2014: Keynote
Puppet Camp DC 2014: Keynote
Puppet
 
Managing Your Cisco Datacenter Network with Ansible
Managing Your Cisco Datacenter Network with AnsibleManaging Your Cisco Datacenter Network with Ansible
Managing Your Cisco Datacenter Network with Ansible
fmaccioni
 
Cloudinit
CloudinitCloudinit
Cloudinit
sriram_rajan
 
Network Automation with Ansible
Network Automation with AnsibleNetwork Automation with Ansible
Network Automation with Ansible
Anas
 
Red Hat Forum Tokyo - OpenStack Architecture
Red Hat Forum Tokyo - OpenStack ArchitectureRed Hat Forum Tokyo - OpenStack Architecture
Red Hat Forum Tokyo - OpenStack Architecture
Dan Radez
 
CloudOps CloudStack Days, Austin April 2015
CloudOps CloudStack Days, Austin April 2015CloudOps CloudStack Days, Austin April 2015
CloudOps CloudStack Days, Austin April 2015
CloudOps2005
 
Puppet Camp Charlotte 2015: Exporting Resources: There and Back Again
Puppet Camp Charlotte 2015: Exporting Resources: There and Back AgainPuppet Camp Charlotte 2015: Exporting Resources: There and Back Again
Puppet Camp Charlotte 2015: Exporting Resources: There and Back Again
Puppet
 
Deployment with Fabric
Deployment with FabricDeployment with Fabric
Deployment with Fabric
andymccurdy
 
Ansible
AnsibleAnsible
Ansible
Raul Leite
 
EKS에서 Opentelemetry로 코드실행 모니터링하기 - 신재현 (인덴트코퍼레이션) :: AWS Community Day Online...
EKS에서 Opentelemetry로 코드실행 모니터링하기 - 신재현 (인덴트코퍼레이션) :: AWS Community Day Online...EKS에서 Opentelemetry로 코드실행 모니터링하기 - 신재현 (인덴트코퍼레이션) :: AWS Community Day Online...
EKS에서 Opentelemetry로 코드실행 모니터링하기 - 신재현 (인덴트코퍼레이션) :: AWS Community Day Online...
AWSKRUG - AWS한국사용자모임
 
Configuration management and deployment with ansible
Configuration management and deployment with ansibleConfiguration management and deployment with ansible
Configuration management and deployment with ansible
Ivan Dimitrov
 
Cloud init and cloud provisioning [openstack summit vancouver]
Cloud init and cloud provisioning [openstack summit vancouver]Cloud init and cloud provisioning [openstack summit vancouver]
Cloud init and cloud provisioning [openstack summit vancouver]
Joshua Harlow
 
Ansible Automation - Enterprise Use Cases | Juncheng Anthony Lin
Ansible Automation - Enterprise Use Cases | Juncheng Anthony LinAnsible Automation - Enterprise Use Cases | Juncheng Anthony Lin
Ansible Automation - Enterprise Use Cases | Juncheng Anthony Lin
Vietnam Open Infrastructure User Group
 
Ansible best practices
Ansible best practicesAnsible best practices
Ansible best practices
StephaneFlotat1
 
Automation with Packer and TerraForm
Automation with Packer and TerraFormAutomation with Packer and TerraForm
Automation with Packer and TerraForm
Wesley Charles Blake
 
Create Development and Production Environments with Vagrant
Create Development and Production Environments with VagrantCreate Development and Production Environments with Vagrant
Create Development and Production Environments with Vagrant
Brian Hogan
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with Ansible
Rayed Alrashed
 
Creating and Deploying Static Sites with Hugo
Creating and Deploying Static Sites with HugoCreating and Deploying Static Sites with Hugo
Creating and Deploying Static Sites with Hugo
Brian Hogan
 
Webinar: Automate IBM Connections Installations and more
Webinar: Automate IBM Connections Installations and moreWebinar: Automate IBM Connections Installations and more
Webinar: Automate IBM Connections Installations and more
panagenda
 
ansible why ?
ansible why ?ansible why ?
ansible why ?
Yashar Esmaildokht
 
Tips for a Faster Website
Tips for a Faster WebsiteTips for a Faster Website
Tips for a Faster Website
Rayed Alrashed
 
Introduction to ansible
Introduction to ansibleIntroduction to ansible
Introduction to ansible
Dharmit Shah
 
fog or: How I Learned to Stop Worrying and Love the Cloud
fog or: How I Learned to Stop Worrying and Love the Cloudfog or: How I Learned to Stop Worrying and Love the Cloud
fog or: How I Learned to Stop Worrying and Love the Cloud
Wesley Beary
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
John Lynch
 
CloudInit Introduction
CloudInit IntroductionCloudInit Introduction
CloudInit Introduction
Publicis Sapient Engineering
 
Ansible Introduction - Ansible Brno #1 - David Karban
Ansible Introduction - Ansible Brno #1 - David KarbanAnsible Introduction - Ansible Brno #1 - David Karban
Ansible Introduction - Ansible Brno #1 - David Karban
ansiblebrno
 
Puppet Camp New York Keynote
Puppet Camp New York KeynotePuppet Camp New York Keynote
Puppet Camp New York Keynote
Puppet
 
Set up Hadoop Cluster on Amazon EC2
Set up Hadoop Cluster on Amazon EC2Set up Hadoop Cluster on Amazon EC2
Set up Hadoop Cluster on Amazon EC2
IMC Institute
 
Puppet Camp DC: Puppet for Everybody
Puppet Camp DC: Puppet for EverybodyPuppet Camp DC: Puppet for Everybody
Puppet Camp DC: Puppet for Everybody
Puppet
 
What's New in Puppet Enterprise 2016.5
What's New in Puppet Enterprise 2016.5What's New in Puppet Enterprise 2016.5
What's New in Puppet Enterprise 2016.5
Puppet
 

Contenu connexe

Tendances

Configuration management and deployment with ansible
Configuration management and deployment with ansibleConfiguration management and deployment with ansible
Configuration management and deployment with ansible
Ivan Dimitrov
 
Cloud init and cloud provisioning [openstack summit vancouver]
Cloud init and cloud provisioning [openstack summit vancouver]Cloud init and cloud provisioning [openstack summit vancouver]
Cloud init and cloud provisioning [openstack summit vancouver]
Joshua Harlow
 
Create Development and Production Environments with Vagrant
Create Development and Production Environments with VagrantCreate Development and Production Environments with Vagrant
Create Development and Production Environments with Vagrant
Brian Hogan
 
Webinar: Automate IBM Connections Installations and more
Webinar: Automate IBM Connections Installations and moreWebinar: Automate IBM Connections Installations and more
Webinar: Automate IBM Connections Installations and more
panagenda
 
Tips for a Faster Website
Tips for a Faster WebsiteTips for a Faster Website
Tips for a Faster Website
Rayed Alrashed
 
Set up Hadoop Cluster on Amazon EC2
Set up Hadoop Cluster on Amazon EC2Set up Hadoop Cluster on Amazon EC2
Set up Hadoop Cluster on Amazon EC2
IMC Institute
 

Tendances (20)

Ansible
AnsibleAnsible
Ansible
 
EKS에서 Opentelemetry로 코드실행 모니터링하기 - 신재현 (인덴트코퍼레이션) :: AWS Community Day Online...
EKS에서 Opentelemetry로 코드실행 모니터링하기 - 신재현 (인덴트코퍼레이션) :: AWS Community Day Online...EKS에서 Opentelemetry로 코드실행 모니터링하기 - 신재현 (인덴트코퍼레이션) :: AWS Community Day Online...
EKS에서 Opentelemetry로 코드실행 모니터링하기 - 신재현 (인덴트코퍼레이션) :: AWS Community Day Online...
 
Configuration management and deployment with ansible
Configuration management and deployment with ansibleConfiguration management and deployment with ansible
Configuration management and deployment with ansible
 
Cloud init and cloud provisioning [openstack summit vancouver]
Cloud init and cloud provisioning [openstack summit vancouver]Cloud init and cloud provisioning [openstack summit vancouver]
Cloud init and cloud provisioning [openstack summit vancouver]
 
Ansible Automation - Enterprise Use Cases | Juncheng Anthony Lin
Ansible Automation - Enterprise Use Cases | Juncheng Anthony LinAnsible Automation - Enterprise Use Cases | Juncheng Anthony Lin
Ansible Automation - Enterprise Use Cases | Juncheng Anthony Lin
 
Ansible best practices
Ansible best practicesAnsible best practices
Ansible best practices
 
Automation with Packer and TerraForm
Automation with Packer and TerraFormAutomation with Packer and TerraForm
Automation with Packer and TerraForm
 
Create Development and Production Environments with Vagrant
Create Development and Production Environments with VagrantCreate Development and Production Environments with Vagrant
Create Development and Production Environments with Vagrant
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with Ansible
 
Creating and Deploying Static Sites with Hugo
Creating and Deploying Static Sites with HugoCreating and Deploying Static Sites with Hugo
Creating and Deploying Static Sites with Hugo
 
Webinar: Automate IBM Connections Installations and more
Webinar: Automate IBM Connections Installations and moreWebinar: Automate IBM Connections Installations and more
Webinar: Automate IBM Connections Installations and more
 
ansible why ?
ansible why ?ansible why ?
ansible why ?
 
Tips for a Faster Website
Tips for a Faster WebsiteTips for a Faster Website
Tips for a Faster Website
 
Introduction to ansible
Introduction to ansibleIntroduction to ansible
Introduction to ansible
 
fog or: How I Learned to Stop Worrying and Love the Cloud
fog or: How I Learned to Stop Worrying and Love the Cloudfog or: How I Learned to Stop Worrying and Love the Cloud
fog or: How I Learned to Stop Worrying and Love the Cloud
 
Ansible presentation
Ansible presentationAnsible presentation
Ansible presentation
 
CloudInit Introduction
CloudInit IntroductionCloudInit Introduction
CloudInit Introduction
 
Ansible Introduction - Ansible Brno #1 - David Karban
Ansible Introduction - Ansible Brno #1 - David KarbanAnsible Introduction - Ansible Brno #1 - David Karban
Ansible Introduction - Ansible Brno #1 - David Karban
 
Puppet Camp New York Keynote
Puppet Camp New York KeynotePuppet Camp New York Keynote
Puppet Camp New York Keynote
 
Set up Hadoop Cluster on Amazon EC2
Set up Hadoop Cluster on Amazon EC2Set up Hadoop Cluster on Amazon EC2
Set up Hadoop Cluster on Amazon EC2
 

En vedette

En vedette (7)

Puppet Camp DC: Puppet for Everybody
Puppet Camp DC: Puppet for EverybodyPuppet Camp DC: Puppet for Everybody
Puppet Camp DC: Puppet for Everybody
 
What's New in Puppet Enterprise 2016.5
What's New in Puppet Enterprise 2016.5What's New in Puppet Enterprise 2016.5
What's New in Puppet Enterprise 2016.5
 
Network Automation at Shapeways
Network Automation at ShapewaysNetwork Automation at Shapeways
Network Automation at Shapeways
 
Introduction to Puppet Enterprise 2016.5
Introduction to Puppet Enterprise 2016.5Introduction to Puppet Enterprise 2016.5
Introduction to Puppet Enterprise 2016.5
 
Introduction to Puppet Enterprise 2016.5
Introduction to Puppet Enterprise 2016.5Introduction to Puppet Enterprise 2016.5
Introduction to Puppet Enterprise 2016.5
 
Introduction to Puppet Enterprise 2016.5
Introduction to Puppet Enterprise 2016.5Introduction to Puppet Enterprise 2016.5
Introduction to Puppet Enterprise 2016.5
 
Introduction to Puppet Enterprise
Introduction to Puppet EnterpriseIntroduction to Puppet Enterprise
Introduction to Puppet Enterprise
 

Similaire à Cloudy with a Chance of Fireballs: Provisioning and Certificate Management in Puppet - PuppetConf 2014

How to build and run oci containers
How to build and run oci containersHow to build and run oci containers
How to build and run oci containers
Spyros Trigazis
 
Kickstat File_Draft_ESXI5.1_Template
Kickstat File_Draft_ESXI5.1_TemplateKickstat File_Draft_ESXI5.1_Template
Kickstat File_Draft_ESXI5.1_Template
Luca Viscomi
 
Real Time Health Analytics With WebSockets Python 3 and Redis PubSub: Benjami...
Real Time Health Analytics With WebSockets Python 3 and Redis PubSub: Benjami...Real Time Health Analytics With WebSockets Python 3 and Redis PubSub: Benjami...
Real Time Health Analytics With WebSockets Python 3 and Redis PubSub: Benjami...
Redis Labs
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshop
jvehent
 

Similaire à Cloudy with a Chance of Fireballs: Provisioning and Certificate Management in Puppet - PuppetConf 2014 (20)

CoreOS in anger : firing up wordpress across a 3 machine CoreOS cluster
CoreOS in anger : firing up wordpress across a 3 machine CoreOS cluster CoreOS in anger : firing up wordpress across a 3 machine CoreOS cluster
CoreOS in anger : firing up wordpress across a 3 machine CoreOS cluster
 
How to build and run oci containers
How to build and run oci containersHow to build and run oci containers
How to build and run oci containers
 
Kickstat File_Draft_ESXI5.1_Template
Kickstat File_Draft_ESXI5.1_TemplateKickstat File_Draft_ESXI5.1_Template
Kickstat File_Draft_ESXI5.1_Template
 
Couch to OpenStack: Glance - July, 23, 2013
Couch to OpenStack: Glance - July, 23, 2013Couch to OpenStack: Glance - July, 23, 2013
Couch to OpenStack: Glance - July, 23, 2013
 
Development Workflows on AWS
Development Workflows on AWSDevelopment Workflows on AWS
Development Workflows on AWS
 
Spring MVC - The Basics
Spring MVC - The BasicsSpring MVC - The Basics
Spring MVC - The Basics
 
Real Time Health Analytics With WebSockets Python 3 and Redis PubSub: Benjami...
Real Time Health Analytics With WebSockets Python 3 and Redis PubSub: Benjami...Real Time Health Analytics With WebSockets Python 3 and Redis PubSub: Benjami...
Real Time Health Analytics With WebSockets Python 3 and Redis PubSub: Benjami...
 
[오픈소스컨설팅] 쿠버네티스와 쿠버네티스 on 오픈스택 비교 및 구축 방법
[오픈소스컨설팅] 쿠버네티스와 쿠버네티스 on 오픈스택 비교 및 구축 방법[오픈소스컨설팅] 쿠버네티스와 쿠버네티스 on 오픈스택 비교 및 구축 방법
[오픈소스컨설팅] 쿠버네티스와 쿠버네티스 on 오픈스택 비교 및 구축 방법
 
IP Addresses
IP AddressesIP Addresses
IP Addresses
 
Couch to OpenStack: Neutron (Quantum) - August 13, 2013 Featuring Sean Winn
Couch to OpenStack: Neutron (Quantum) - August 13, 2013 Featuring Sean WinnCouch to OpenStack: Neutron (Quantum) - August 13, 2013 Featuring Sean Winn
Couch to OpenStack: Neutron (Quantum) - August 13, 2013 Featuring Sean Winn
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access ControlOAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
 
VMworld 2013: The Story Behind Designing and Building a Distributed Automatio...
VMworld 2013: The Story Behind Designing and Building a Distributed Automatio...VMworld 2013: The Story Behind Designing and Building a Distributed Automatio...
VMworld 2013: The Story Behind Designing and Building a Distributed Automatio...
 
Couch to OpenStack: Nova - July, 30, 2013
Couch to OpenStack: Nova - July, 30, 2013Couch to OpenStack: Nova - July, 30, 2013
Couch to OpenStack: Nova - July, 30, 2013
 
IxVM on CML
IxVM on CMLIxVM on CML
IxVM on CML
 
EvasionTechniques
EvasionTechniquesEvasionTechniques
EvasionTechniques
 
Fosscon 2012 firewall workshop
Fosscon 2012 firewall workshopFosscon 2012 firewall workshop
Fosscon 2012 firewall workshop
 
Oreilly solinea-managing-openstack
Oreilly solinea-managing-openstackOreilly solinea-managing-openstack
Oreilly solinea-managing-openstack
 
MySQL 5.7 innodb_enhance_partii_20160527
MySQL 5.7 innodb_enhance_partii_20160527MySQL 5.7 innodb_enhance_partii_20160527
MySQL 5.7 innodb_enhance_partii_20160527
 
(NET301) New Capabilities for Amazon Virtual Private Cloud
(NET301) New Capabilities for Amazon Virtual Private Cloud(NET301) New Capabilities for Amazon Virtual Private Cloud
(NET301) New Capabilities for Amazon Virtual Private Cloud
 
AWS ground zero; EC2 & S3 hands-on
AWS ground zero; EC2 & S3 hands-onAWS ground zero; EC2 & S3 hands-on
AWS ground zero; EC2 & S3 hands-on
 

Plus de Puppet

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepo
Puppet
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)
Puppet
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
Puppet
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNow
Puppet
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020
Puppet
 

Plus de Puppet (20)

Puppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepoPuppet camp2021 testing modules and controlrepo
Puppet camp2021 testing modules and controlrepo
 
Puppetcamp r10kyaml
Puppetcamp r10kyamlPuppetcamp r10kyaml
Puppetcamp r10kyaml
 
2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)2021 04-15 operational verification (with notes)
2021 04-15 operational verification (with notes)
 
Puppet camp vscode
Puppet camp vscodePuppet camp vscode
Puppet camp vscode
 
Modules of the twenties
Modules of the twentiesModules of the twenties
Modules of the twenties
 
Applying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance codeApplying Roles and Profiles method to compliance code
Applying Roles and Profiles method to compliance code
 
KGI compliance as-code approach
KGI compliance as-code approachKGI compliance as-code approach
KGI compliance as-code approach
 
Enforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automationEnforce compliance policy with model-driven automation
Enforce compliance policy with model-driven automation
 
Keynote: Puppet camp compliance
Keynote: Puppet camp complianceKeynote: Puppet camp compliance
Keynote: Puppet camp compliance
 
Automating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNowAutomating it management with Puppet + ServiceNow
Automating it management with Puppet + ServiceNow
 
Puppet: The best way to harden Windows
Puppet: The best way to harden WindowsPuppet: The best way to harden Windows
Puppet: The best way to harden Windows
 
Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020Simplified Patch Management with Puppet - Oct. 2020
Simplified Patch Management with Puppet - Oct. 2020
 
Accelerating azure adoption with puppet
Accelerating azure adoption with puppetAccelerating azure adoption with puppet
Accelerating azure adoption with puppet
 
Puppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael PinsonPuppet catalog Diff; Raphael Pinson
Puppet catalog Diff; Raphael Pinson
 
ServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin ReeuwijkServiceNow and Puppet- better together, Kevin Reeuwijk
ServiceNow and Puppet- better together, Kevin Reeuwijk
 
Take control of your dev ops dumping ground
Take control of your dev ops dumping groundTake control of your dev ops dumping ground
Take control of your dev ops dumping ground
 
100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software100% Puppet Cloud Deployment of Legacy Software
100% Puppet Cloud Deployment of Legacy Software
 
Puppet User Group
Puppet User GroupPuppet User Group
Puppet User Group
 
Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOps
 
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick MaludyThe Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
The Dynamic Duo of Puppet and Vault tame SSL Certificates, Nick Maludy
 

Dernier

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Dernier (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Cloudy with a Chance of Fireballs: Provisioning and Certificate Management in Puppet - PuppetConf 2014

  • 1. 2014 Presented by Cloudy with a chance of Fireballs Managing Trusted Instances in the Cloud ! ! ! ! eric sorenson eric.sorenson@puppetlabs.com
  • 2. Presented by What’s the problem? Why you might care End to End Overview Walkthrough w/ AWS Related work
  • 6. Presented by Why you might care
  • 11. Presented by +-------------------------------+ +-----------+ | | | | | Amazon EC2 API <--------+provisioner| +---------------------^---------+ +-----------+ | | +-------+ +------+---------+ | | | | | node1 +------> puppetmaster | +-------+ +----------------+ ! ! Follow along at home: https://github.com/ahpook/mrzarquon-certsigner/tree/eric0-wip
  • 12. Presented by ! +----------------------------+ Prerequisites: |                            |      - Puppetmaster w/IAM credentials |  Amazon EC2 API            | <--+  and autosign policy configured |                            |       | | - AMI with user-data install or +----------------------------+ preloaded agent+ec2-utils, IAM policy permitting query tags !
  • 13. Presented by { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1411031868000", "Effect": "Allow", "Action": [ "ec2:DescribeTags" ], "Resource": [ "*" ] } ] }
  • 14. Presented by +----------------------------+ | | | Amazon EC2 API | | | +------^---------------------+ | +------+------+ | | Your provisioning node requests | Provisioner | <-------+ some new instances using that image, | | tagging them w/ role: 'webserver' +-------------+
  • 15. Presented by [vagrant@deglitch ~]$ puppet node_aws --trace --debug create -i ami-37713107 --region=us-west-2 --instance-tags=role=webserver --type=t1.micro --keyname=certsigner --security-group=webservers Debug: Runtime environment: puppet_version=3.6.2 (Puppet Enterprise 3.4.0-rc1-790-gf96f634), ruby_version=1.9.3, run_mode=user, default_encoding=UTF-8 Info: Connecting to AWS us-west-2 ... Done Info: Instance Type: t1.micro Notice: Creating new instance ... Done Info: Instance identifier: i-abc8f0a6 Notice: Creating tags for instance ... Info: Creating tag for Created-By ... Done Info: Creating tag for role ... Done Notice: Creating tags for instance ... Done Notice: Launching server i-abc8f0a6 ... ##### Notice: Server i-abc8f0a6 is now launched Notice: Server i-abc8f0a6 public dns name: ec2-54-68-132-30.us-west-2.compute.amazonaws.com
  • 16. Presented by +---------------------------------+ | | | Amazon EC2 + using your image | | | EC2 builds your instances, +----+-----------+-----------+----+ running the user-data script | | | which drops instance-specific | | | metadata into csr_attributes.yaml +---v---+ +---v---+ +---v---+ + | | | | | | | | node1 | | node2 | | node3 | <----------------+ +-------+ +-------+ +-------+
  • 19. Presented by +-------------------------------+ | | Each node generates a CSR which | Amazon EC2 API | embeds the metadata as requested +---------------------^---------+ attributes and submits it to the | puppetmaster, which checks the | instance-ID against EC2 to verify +-------+ +------+---------+ it came from a valid instance. | | | | | node1 +------> puppetmaster | +-------+ +----------------+
  • 20. Presented by +-------------------------------+ | | If the API is OK, the puppetmaster | Amazon EC2 API | signs the CSR, moving the tags, +---------------------+---------+ instance-id and any other metadata in | whitelisted extension requests | inside the signed certificate. The +-------+ +------v---------+ signed cert is retrieved by the node | | | | and normal Puppet runs can begin. | node1 <------+ puppetmaster | +-------+ +----------------+
  • 21. Presented by openssl x509 -noout -text -in /var/lib/puppet/ssl/ca/signed/i-f3cef5fe.pem [ ... tons of crap trimmed ... ] X509v3 extensions: Netscape Comment: Puppet Ruby/OpenSSL Internal Certificate 1.3.6.1.4.1.34380.1.1.5: webserver 1.3.6.1.4.1.34380.1.1.3: ami-37713107 1.3.6.1.4.1.34380.1.1.2: i-f3cef5fe
  • 22. Presented by ! +-------+ +----------------+ When the node checks in, the extensions | | | | will be available under the '$trusted' | node1 +----> puppetmaster | top-scope hash for classification, +-------+ +----------------+ manifests, etc. ! # puppet.conf [master] trusted_node_data = true immutable_node_data = true !
  • 23. Presented by ## site.pp node default { notify { "trusted_data": message => inline_template("<%= scope.lookupvar('trusted').inspect %>") } } ! ## agent output Notice: /Stage[main]/Main/Node[default]/Notify[trusted_data]/message: defined 'message' as ' {"certname"=>"i-f3cef5fe", "authenticated"=>"remote", "extensions"=>{"pp_instance_id"=>"i-f3cef5fe", "pp_image_name"=>"ami-37713107", "1.3.6.1.4.1.34380.1.1.5"=>"webserver"}}'
  • 24. Presented by Related and future work ! Signing policy for AWS: mrzarquon-certsigner Signing policy for GCE: puppetlabs-gce_compute Signing policy for in-house CMDBs? Puppet Enterprise Node Manager
  • 27. Presented by Photo/Link Credits CERN - http://www.slideshare.net/gmccance/cern-data-centre-evolution Google maps screenshot of Apple Data Center - fair use, with attribution inline Imagery (c) 2014 Google NSA HQ, fort meade - "National Security Agency headquarters, Fort Meade, Maryland" by Unknown - http:// www.nsa.gov/about/photo_gallery/gallery.shtml. Licensed under Public domain via Wikimedia Commons - http:// commons.wikimedia.org/wiki/File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg#mediaviewer/ File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg Bitcoin mining rigs from buttcoin.org http://buttcoin.org/mining-rigs-3 “Cloud City at Sunset” http://balsavor.deviantart.com/art/The-Falcon-escapes-Cloud-city-143511722 han and Lando Mario Fireball - from http://www.giantbomb.com/fireball/3055-120/ © Yorkberlin | Dreamstime.com - Sorceress With Fireball Photo