Cooking Security
Speaker:

Joshua Timberman Technical Evangelist
  ‣ joshua@opscode.com
  ‣ @jtimberman
  ‣ www.opscode.com
                  Copyright © 2010 Opscode, Inc - All Rights Reserved   1
% whoami

System Administrator
Web Operations
Opscode Cookbooks
Training and Support




Developers?
Systems Administrators?
“Business” People?




Just what is Configuration Management?
A picture is worth...




A thousand words!
  “... Is a field of management that focuses on
  establishing and maintaining consistency of a system's
  or product's performance and its functional and
  physical attributes with its requirements, design, and
  operational information throughout its life. For
  information assurance, [it] can be defined as the
  management of security features and assurances
  through control of changes made to hardware,
  software, firmware, documentation, test, test fixtures,
  and test documentation throughout the life cycle of an
  information system.” - en.wikipedia.org




Infrastructure as Code is...
A technical domain revolving around building and managing infrastructure programmatically
Enable the reconstruction of the business from nothing but a source code repository, an application data backup, and bare metal resources.
Understand the goals

Automation
Stability
Scalability
Security




Security



Policy Compliance



Policy Compliance

Not a silver bullet
Best practices, applied




# Per-user SSH authorized_keys, rendered from the keys stored for the user u
# (one user's record, with id, uid and ssh_keys, from the surrounding recipe).
# Mode 0600 keeps the key list readable by its owner only.
template "#{home_dir}/.ssh/authorized_keys" do
  source "authorized_keys.erb"
  owner u['uid']
  group u['id']
  mode "0600"
  variables :ssh_keys => u['ssh_keys']
end




# sudoers template fragment: every member of the rendered group gets passwordless sudo
%<%= group %> ALL=(ALL) NOPASSWD: ALL
Enable the business



Auditing and Documentation
Auditing and Documentation

Declarative language
Version control




# Install the NTP package, make sure the daemon is running, and manage its
# configuration from a template so every node keeps the same time sources.
package "ntp" do
  action :install
end

service "ntp" do
  action :start
end

template "/etc/ntp.conf" do
  source "ntp.conf.erb"
  owner "root"
  group "root"
  mode 0644
end
% git log ntp/recipes/default.rb
commit a5991547215757ed25e2944f93faa437fad1e5a5
Author: jtimberman <joshua@opscode.com>
Date:   Sun Sep 27 23:39:05 2009 -0600

    cook-188, update copyright notices, regen metadata too

commit 524ee910f391acadec52362419ce27dbdcdb9969
Author: jtimberman <joshua@opscode.com>
Date:   Wed Mar 4 17:08:10 2009 -0700

    cook-13, add ntp cookbook




It's like built-in change management
Logging subsystems



Defense in Depth is hard



Managing Infrastructure Is Hard
Has Always Been

Timeline: 1980, 1989, 1999, 2001

Big players
  • Reach just a handful of large, enterprise customers
  • Require custom implementations with large professional services bills
  • Deployed exclusively on-premise
  • Acquired by companies with large consulting organizations (IBM, HP, CA)
Defense in Depth...

Configuration layers
Access controls
Incident handling
  ‣ Rebuilding/redeployment




You need system integration
At a High Level...

‣ A library for configuration management
‣ A configuration management system
‣ A systems integration platform
‣ An API for your entire Infrastructure


Open source and community
Ruby



Platforms

Debian, Ubuntu, Red Hat, CentOS, Fedora, Scientific, SuSE, Gentoo, ArchLinux, Solaris, OpenBSD, FreeBSD, Mac OS X, Windows
Principles

Idempotent
Data-driven
Sane defaults
TMTOWTDI




Multiple applications of an operation do not change the result
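The authorized_keys template on the Policy Compliance slide and the idempotence principle here, as one added example (plain Ruby with only the standard library; not code from the slides or from Chef itself): a test-and-repair step that converges a user's authorized_keys file to the wanted keys and mode 0600, touches the file only when it differs, and reports whether it changed, so a second run is a no-op and a loosened mode is repaired on the next run. The key strings and the scratch home directory are constructed for the demo.

```ruby
require "tmpdir"
require "fileutils"

# Constructed stand-in for the template resource on the slide: converge the
# file to the desired content and mode, but only touch it when the current
# state differs, and say whether anything changed.
DESIRED_MODE = 0600

# One key per line with a trailing newline, as an authorized_keys.erb would render.
def render_authorized_keys(ssh_keys)
  ssh_keys.map(&:strip).reject(&:empty?).join("\n") + "\n"
end

# Returns true when the file was created, rewritten or re-permissioned, and
# false when it was already in the desired state (the idempotent second run).
def converge_authorized_keys(path, ssh_keys, mode: DESIRED_MODE)
  desired = render_authorized_keys(ssh_keys)
  changed = false

  FileUtils.mkdir_p(File.dirname(path), mode: 0700)

  current = File.exist?(path) ? File.read(path) : nil
  if current != desired
    # Write a temporary file and rename it into place so a crash never leaves
    # a half-written key list behind.
    tmp = "#{path}.tmp"
    File.open(tmp, "w", mode) { |f| f.write(desired) }
    File.rename(tmp, path)
    changed = true
  end

  # Repair drift in the permission bits even when the content already matches.
  if (File.stat(path).mode & 0777) != mode
    File.chmod(mode, path)
    changed = true
  end

  changed
end

# Converge twice against a scratch home directory, then loosen the mode by hand
# and converge a third time to show the drift being repaired.
def demo_runs(ssh_keys)
  Dir.mktmpdir do |home|
    path = File.join(home, ".ssh", "authorized_keys")
    first  = converge_authorized_keys(path, ssh_keys)   # creates the file
    second = converge_authorized_keys(path, ssh_keys)   # nothing to do
    File.chmod(0644, path)                              # simulated drift
    third  = converge_authorized_keys(path, ssh_keys)   # mode repaired
    { first: first, second: second, third: third,
      mode: File.stat(path).mode & 0777, content: File.read(path) }
  end
end

if __FILE__ == $0
  keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB...constructed alice@laptop",
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB...constructed alice@desktop"]
  p demo_runs(keys)
end
```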
We start with APIs, you supply data
Defaults are sane, but changed easily

option :json_attribs,
  :short => "-j JSON_ATTRIBS",
  :long => "--json-attributes JSON_ATTRIBS",
  :description => "Load attributes from a JSON file or URL",
  :proc => nil

option :node_name,
  :short => "-N NODE_NAME",
  :long => "--node-name NODE_NAME",
  :description => "The node name for this client",
  :proc => nil
Tim Toady is a Perl motto
Chef... How does it work?
Chef Client runs on your systems
Clients talk to a Chef Server
Clients authenticate with RSA keys
We call each system you configure a Node
Nodes have Attributes

Callouts on the slide: kernel info, platform info, hostname and IP.
{
  "kernel": {
    "machine": "x86_64",
    "name": "Darwin",
    "os": "Darwin",
    "version": "Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386",
    "release": "10.4.0"
  },
  "platform_version": "10.6.4",
  "platform": "mac_os_x",
  "platform_build": "10F569",
  "domain": "local",
  "os": "darwin",
  "current_user": "jtimberman",
  "ohai_time": 1278602661.60043,
  "os_version": "10.4.0",
  "uptime": "18 days 17 hours 49 minutes 18 seconds",
  "ipaddress": "10.13.37.116",
  "hostname": "cider",
  "fqdn": "cider.local",
  "uptime_seconds": 1619358
}
The server stores JSON data about Nodes
Attributes are Searchable
$ knife search node 'platform:mac_os_x'
  search(:node, 'platform:mac_os_x')
Nodes have a Run List
What Roles or Recipes to apply, in order
Nodes have Roles



Roles have a Run List
What Roles or Recipes to apply, in order
name "webserver"
description "Systems that serve HTTP traffic"

run_list(
  "role[base]",            # a run list can include other roles!
  "recipe[apache2]",
  "recipe[apache2::mod_ssl]"
)

default_attributes(
  "apache" => {
    "listen_ports" => [ "80", "443" ]
  }
)

override_attributes(
  "apache" => {
    "max_children" => "50"
  }
)
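An added example, not Chef's own implementation, of what the run list and attribute blocks of the webserver role mean in practice: expanding role[webserver] through the role[base] it includes into one ordered recipe list (with cycle and unknown-role detection), and layering override_attributes over default_attributes to get the effective values. The contents of the base role and its ntp attribute are constructed for the demo, and this two-level merge is a simplified model; real Chef has more precedence levels.

```ruby
# Constructed role data mirroring the webserver role on the slide, plus a
# hypothetical "base" role that it includes.
ROLES = {
  "base" => {
    "run_list" => ["recipe[ntp]", "recipe[users]"],
    "default_attributes" => {
      "apache" => { "max_children" => "16" },          # overridden by webserver
      "ntp"    => { "servers" => ["0.pool.ntp.org"] }, # constructed value
    },
    "override_attributes" => {},
  },
  "webserver" => {
    "run_list" => ["role[base]", "recipe[apache2]", "recipe[apache2::mod_ssl]"],
    "default_attributes" => { "apache" => { "listen_ports" => ["80", "443"] } },
    "override_attributes" => { "apache" => { "max_children" => "50" } },
  },
}

RUN_LIST_ITEM = /\A(role|recipe)\[([^\]]+)\]\z/

# Deep-merge two nested hashes; values from `other` win on conflict.
def deep_merge(base, other)
  base.merge(other) do |_key, a, b|
    a.is_a?(Hash) && b.is_a?(Hash) ? deep_merge(a, b) : b
  end
end

# Expand a run list into an ordered, de-duplicated recipe list and collect the
# default/override attributes of every role visited. Included roles are
# expanded in place, so their recipes come first. Raises on a malformed item,
# an unknown role, or a role that (transitively) includes itself.
def expand_run_list(run_list, roles = ROLES, seen = [],
                    acc = { recipes: [], default: {}, override: {} })
  run_list.each do |item|
    kind, name = item.match(RUN_LIST_ITEM)&.captures
    raise ArgumentError, "malformed run list item: #{item.inspect}" unless kind

    if kind == "recipe"
      acc[:recipes] << name unless acc[:recipes].include?(name)
    else
      raise ArgumentError, "role cycle: #{(seen + [name]).join(' -> ')}" if seen.include?(name)
      role = roles.fetch(name) { raise ArgumentError, "unknown role: #{name}" }
      expand_run_list(role["run_list"], roles, seen + [name], acc)
      # The including role's attributes are merged after the roles it includes,
      # so its values win at the same precedence level (simplified model).
      acc[:default]  = deep_merge(acc[:default],  role["default_attributes"]  || {})
      acc[:override] = deep_merge(acc[:override], role["override_attributes"] || {})
    end
  end
  acc
end

# Effective attributes: defaults first, then overrides layered on top.
def effective_attributes(run_list, roles = ROLES)
  exp = expand_run_list(run_list, roles)
  deep_merge(exp[:default], exp[:override])
end

if __FILE__ == $0
  p expand_run_list(["role[webserver]"])[:recipes]
  p effective_attributes(["role[webserver]"])
end
```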
Roles are Searchable

$ knife search role 'max_children:50'
  search(:role, 'max_children:50')
Chef manages Resources on Nodes
Chef knows many different Resources

remote_file, cookbook_file, template, link, service, ruby_block, execute, bash, package, deploy, user, git, log, http_request
Resources take action through Providers
Resources

Platform

Provider
Recipes are lists of Resources
Order Matters



How does it help me secure my systems?
Automate your infrastructure configuration
The Benefits of Automation

Efficiency
Economics
Scalability




Chef automation workflow

Define your policy
Write policy as simple code
Deploy configuration in testing
Deploy in production




Infrastructure as Code

Source repository
Application data backup
Bare metal resources




Leverage a community

Open Source software
Operations experts
Team collaboration




Not everything can be automated

Security people say “No”.
This is as much culture as policy.
Automating humans is hard.




Resources/Questions

www.opscode.com/chef
IRC and Mailing lists
  ‣ irc.freenode.net #chef
  ‣ lists.opscode.com

Twitter:
  ‣ @opscode, #opschef
  ‣ @jtimberman

Questions?

AI as an Interface for Commercial Buildings
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Cooking security sans@night

  • 1. Cooking Security. Speaker: Joshua Timberman, Technical Evangelist ‣ joshua@opscode.com ‣ @jtimberman ‣ www.opscode.com. Copyright © 2010 Opscode, Inc - All Rights Reserved
  • 2. % whoami: System Administrator; Web Operations; Opscode Cookbooks; Training and Support
  • 3. Developers? Systems Administrators? “Business” People? (photo: http://www.flickr.com/photos/timyates/2854357446/sizes/l/)
  • 4. Just what is Configuration Management?
  • 5. A picture is worth...
  • 6. A thousand words! “... Is a field of management that focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes with its requirements, design, and operational information throughout its life. For information assurance, [it] can be defined as the management of security features and assurances through control of changes made to hardware, software, firmware, documentation, test, test fixtures, and test documentation throughout the life cycle of an information system.” - en.wikipedia.org
  • 7. Infrastructure as Code is... a technical domain revolving around building and managing infrastructure programmatically (photo: http://www.flickr.com/photos/kwerfeldein/2634561264/sizes/o/)
  • 8. Enable the reconstruction of the business from nothing but a source code repository, an application data backup, and bare metal resources.
  • 9. Understand the goals: Automation, Stability, Scalability, Security
  • 10. Security (photo: http://www.flickr.com/photos/anonymouscollective/2291896028/)
  • 11. Policy Compliance (photo: http://www.flickr.com/photos/gi/168406150/)
  • 12. Policy Compliance: Not a silver bullet. Best practices, applied.
  • 13. Policy as code: a Chef template resource that manages a user's authorized_keys from user data, followed by a sudoers template line.

        template "#{home_dir}/.ssh/authorized_keys" do
          source "authorized_keys.erb"
          owner u['uid']
          group u['id']
          mode "0600"
          variables :ssh_keys => u['ssh_keys']
        end

        %<%= group %> ALL=(ALL) NOPASSWD: ALL

  • 14. Enable the business
  • 15. Auditing and Documentation (photo: http://www.flickr.com/photos/hryckowian/2176673733/)
  • 16. Auditing and Documentation: Declarative language; Version control
  • 17. An ntp recipe: install the package, start the service, manage the config file.

        package "ntp" do
          action :install
        end

        service "ntp" do
          action :start
        end

        template "/etc/ntp.conf" do
          source "ntp.conf.erb"
          owner "root"
          group "root"
          mode 0644
        end

  • 18. The recipe's history in version control:

        % git log ntp/recipes/default.rb
        commit a5991547215757ed25e2944f93faa437fad1e5a5
        Author: jtimberman <joshua@opscode.com>
        Date:   Sun Sep 27 23:39:05 2009 -0600

            cook-188, update copyright notices, regen metadata too

        commit 524ee910f391acadec52362419ce27dbdcdb9969
        Author: jtimberman <joshua@opscode.com>
        Date:   Wed Mar 4 17:08:10 2009 -0700

            cook-13, add ntp cookbook

  • 19. It's like built-in change management
  • 20. Logging subsystems (photo: http://www.flickr.com/photos/mikeyworld/3588020070/)
  • 21. Defense in Depth is hard (photo: http://www.flickr.com/photos/furryscalyman/2081849769/)
  • 22. Managing Infrastructure Is Hard / Has Always Been. Big players (timeline: 1980, 1989, 1999, 2001) • Reach just a handful of large, enterprise customers • Require custom implementations with large professional services bills • Deployed exclusively on-premise • Acquired by companies with large consulting organizations (IBM, HP, CA). Copyright © 2010 Opscode, Inc. – Confidential – Do Not Redistribute
  • 23. Defense in Depth...: Configuration layers; Access controls; Incident handling ‣ Rebuilding/redeployment
  • 24. You need system integration (photo: http://www.flickr.com/photos/opalsson/3773629074/)
  • 25. (image: http://www.brooklynstreetart.com/theBlog/wp-content/uploads/2008/12/swedish_chef_bork-sleeper-cell.jpg)
  • 26. At a High Level... ‣ A library for configuration management ‣ A configuration management system ‣ A systems integration platform ‣ An API for your entire Infrastructure (photo: http://www.flickr.com/photos/asten/2159525309/sizes/l/)
  • 27. Open source and community
  • 28. (image only)
  • 29. Ruby (photo: http://www.flickr.com/photos/thisisbossi/3526698689/)
  • 30. Platforms: Debian, Mac OS X, SuSE, CentOS, Gentoo, Solaris, ArchLinux, OpenBSD, Windows, FreeBSD, Ubuntu, Red Hat, Fedora, Scientific
  • 31. Principles: Idempotent; Data-driven; Sane defaults; TMTOWTDI
  • 32. Idempotent: multiple applications of an operation do not change the result (photo: http://www.flickr.com/photos/redjar/360111326/)
  • 33. Data-driven: We start with APIs, you supply data (photo: http://www.flickr.com/photos/ninjanoodles/153893226/)
  • 34. Defaults are sane, but changed easily:

        option :json_attribs,
          :short => "-j JSON_ATTRIBS",
          :long => "--json-attributes JSON_ATTRIBS",
          :description => "Load attributes from a JSON file or URL",
          :proc => nil

        option :node_name,
          :short => "-N NODE_NAME",
          :long => "--node-name NODE_NAME",
          :description => "The node name for this client",
          :proc => nil

  • 35. Tim Toady is a Perl motto (photo: http://www.flickr.com/photos/lidarose/225156612)
  • 36. Chef... How does it work? (photo: http://www.flickr.com/photos/38299630@N05/3635356091/)
  • 37. Chef Client runs on your systems
  • 38. Clients talk to a Chef Server
  • 39. Clients authenticate with RSA keys (photo: http://www.flickr.com/photos/debbcollins/3401944550/)
  • 40. We call each system you configure a Node (photo: http://www.flickr.com/photos/peterrosbjerg/3913766224/)
  • 41. Nodes have Attributes (kernel info, platform info, hostname and IP):

        {
          "kernel": {
            "machine": "x86_64",
            "name": "Darwin",
            "os": "Darwin",
            "version": "Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010; root:xnu-1504.7.4~1/RELEASE_I386",
            "release": "10.4.0"
          },
          "platform_version": "10.6.4",
          "platform": "mac_os_x",
          "platform_build": "10F569",
          "domain": "local",
          "os": "darwin",
          "current_user": "jtimberman",
          "ohai_time": 1278602661.60043,
          "os_version": "10.4.0",
          "uptime": "18 days 17 hours 49 minutes 18 seconds",
          "ipaddress": "10.13.37.116",
          "hostname": "cider",
          "fqdn": "cider.local",
          "uptime_seconds": 1619358
        }

  • 42. The server stores JSON data about Nodes (photo: http://www.flickr.com/photos/jurvetson/12688704/)
  • 43. Attributes are Searchable:

        $ knife search node 'platform:mac_os_x'
        search(:node, 'platform:mac_os_x')

  • 44. Nodes have a Run List: what Roles or Recipes to apply, in order
  • 45. Nodes have Roles (photo: http://www.flickr.com/photos/laenulfean/374398044/)
  • 46. Roles have a Run List: what Roles or Recipes to apply, in order
  • 47. A role definition (a run list can include other roles):

        name "webserver"
        description "Systems that serve HTTP traffic"
        run_list(
          "role[base]",
          "recipe[apache2]",
          "recipe[apache2::mod_ssl]"
        )
        default_attributes(
          "apache" => {
            "listen_ports" => [ "80", "443" ]
          }
        )
        override_attributes(
          "apache" => {
            "max_children" => "50"
          }
        )

  • 48. Roles are Searchable:

        $ knife search role 'max_children:50'
        search(:role, 'max_children:50')

  • 49. Chef manages Resources on Nodes
  • 50. Chef knows many different Resources: remote_file, link, cookbook_file, service, ruby_block, template, execute, user, bash, git, log, package, deploy, http_request
  • 51. Resources take action through Providers (photo: http://www.flickr.com/photos/affableslinky/562950216/)
  • 53. Recipes are lists of Resources (photo: http://www.flickr.com/photos/roadsidepictures/2478953342/sizes/o/)
  • 54. Order Matters
  • 55. How does it help me secure my systems?
  • 56. Automate your infrastructure configuration (photo: http://www.flickr.com/photos/pickinjim/525129498)
  • 57. The Benefits of Automation: Efficiency, Economics, Scalability
  • 58. Chef automation workflow: Define your policy; Write policy as simple code; Deploy configuration in testing; Deploy in production
  • 59. Infrastructure as Code: Source repository; Application data backup; Bare metal resources
  • 60. Leverage a community: Open Source software; Operations experts; Team collaboration
  • 61. Not everything can be automated. Security people say “No”. This is as much culture as policy. Automating humans is hard.
  • 62. Resources/Questions: www.opscode.com/chef. IRC and Mailing lists ‣ irc.freenode.net #chef ‣ lists.opscode.com. Twitter: ‣ @opscode, #opschef ‣ @jtimberman. Questions?
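Slides 13 and 32 together make the deck's security point: an access-control artefact (authorized_keys) is rendered from data under a strict mode, and applying that policy repeatedly changes nothing unless the system has drifted. The following is an added example that is not from the deck or from the Opscode cookbooks: plain Ruby with the standard library's ERB, no Chef required, showing what the template resource on slide 13 does under the hood. SAMPLE_USER is a constructed stand-in for the data bag item the slide calls u, and the helper names (render_authorized_keys, sync_authorized_keys, demo) are this example's own. Ownership is deliberately not managed here because chown needs root; only content and mode are converged so the block runs unprivileged.

```ruby
require "erb"
require "fileutils"
require "tmpdir"

# Constructed sample standing in for the users data bag item the slide reads as `u`.
# The key material is placeholder text, not real public keys.
SAMPLE_USER = {
  "id"       => "jdoe",
  "uid"      => 1001,
  "ssh_keys" => [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialNotReal jdoe@laptop",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPlaceholderOnly jdoe@desktop",
  ],
}.freeze

# Stand-in for authorized_keys.erb: one public key per line, nothing else.
# Only keys present in the data end up in the file, so removing a key from the
# data removes the access on the next run.
AUTHORIZED_KEYS_TEMPLATE = <<~ERB
  # Managed by configuration management; local edits will be overwritten.
  <% ssh_keys.each do |key| -%>
  <%= key %>
  <% end -%>
ERB

def render_authorized_keys(ssh_keys)
  ERB.new(AUTHORIZED_KEYS_TEMPLATE, trim_mode: "-").result_with_hash(ssh_keys: ssh_keys)
end

# Converge ~/.ssh/authorized_keys toward the desired state and report whether
# anything had to change. Returns :updated when content or mode was corrected,
# :up_to_date when the system already matched the policy (the idempotence of
# slide 32: a second run with the same data is a no-op).
def sync_authorized_keys(home_dir, u)
  ssh_dir = File.join(home_dir, ".ssh")
  path    = File.join(ssh_dir, "authorized_keys")
  desired = render_authorized_keys(u["ssh_keys"])
  changed = false

  unless Dir.exist?(ssh_dir)
    FileUtils.mkdir_p(ssh_dir, mode: 0o700)
    changed = true
  end

  current = File.exist?(path) ? File.read(path) : nil
  if current != desired
    # Write to a temp file and rename so an interrupted run never leaves a
    # half-written authorized_keys behind.
    tmp = "#{path}.tmp"
    File.open(tmp, "w", 0o600) { |f| f.write(desired) }
    File.chmod(0o600, tmp)
    File.rename(tmp, path)
    changed = true
  end

  # Mode drift (someone ran chmod 644) is corrected even when content matches.
  if (File.stat(path).mode & 0o777) != 0o600
    File.chmod(0o600, path)
    changed = true
  end

  changed ? :updated : :up_to_date
end

# Three runs against a scratch home directory: create, no-op, repair drift.
def demo
  Dir.mktmpdir("cooking-security") do |home|
    first  = sync_authorized_keys(home, SAMPLE_USER)           # file created
    second = sync_authorized_keys(home, SAMPLE_USER)           # nothing to do
    File.chmod(0o644, File.join(home, ".ssh", "authorized_keys")) # simulated drift
    third  = sync_authorized_keys(home, SAMPLE_USER)           # mode corrected
    [first, second, third]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The return value is the interesting part for auditing: a real Chef run reports each resource as "updated" or not, and a fleet where every run reports up-to-date is one where nobody has hand-edited authorized_keys or loosened its permissions since the last converge. Any :updated on a run with unchanged policy data is a drift event worth logging and investigating.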