Learning from the Mistakes that even Big Projects make - Michael Still, Aptira

•

0 gefällt mir•379 views

Since 2011, I've worked on a large Open Source project in python. It kind of got out of hand -- 1000s of developers and millions of lines of code. Yet despite being well resourced, we made the same mistakes that those tiny scripts you whip up to solve a small problem make. Come learn from our fail. Python, PyCon, PyConAU, australia, programming, sydney This video is licensed under CC BY 3.0 AU ‹https://creativecommons.org/licenses/.... PyCon Australia (“PyCon AU”) is the national conference for the Python Programming Community, bringing together professional, student and enthusiast developers with a love for developing with Python. PyCon AU, the national Python Language conference, is on again this August in Sydney, at the International Convention Centre, Sydney, August 24 - 28 2018. Python, PyCon, PyConAU

Technologie

Learning from the mistakes
that even big projects make
Michael Still

Room full of system
admins as a service
Introduction
OpenStack

sudo
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

sudo
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# Only allow sudo to run ls
%sudo ALL=/bin/ls

Actionable thing 1
Don’t assume someone else
will solve the problem for you

rootwrap
sudo nova-rootwrap /etc/nova/rootwrap.conf /bin/ls /etc

Actionable thing 2
Is there a trivial change you can make
that will drastically improve security?

Actionable thing 3
What are the costs of your design?

Which of these are
reasonable?
shred –n3 –sSIZE PATH
touch PATH
rm –rf PATH
mkdir –p PATH

Or my personal
favourite
utils.execute('tee',
('/sys/class/net/%s/bridge/multicast_snooping'%
br_name),
process_input='0',
run_as_root=True,
check_exit_code=[0,1])

Or my personal
favourite
with open(('/sys/class/net/%s/bridge/multicast_snooping'%
br_name), 'w') as f:
f.write('0')

Actionable thing 4
Hire Angus Lees and then make him angry

Not my cup of tee
@nova.privsep.sys_admin_pctxt.entrypoint
def disable_multicast_snooping(bridge):
path = ('/sys/class/net/%s/bridge/multicast_snooping'%
bridge)
if not os.path.exists(path):
raise exception.FileNotFound(file_path=path)
with open(path, 'w') as f:
f.write('0')

Actionable thing 4
Make it easy to do the right thing,
and hard to do the wrong thing.

Other privsep details
Other things to know about privsep

Summary
So here’s a quick summary of my actionable points for this talk:
• Don’t assume someone else will solve the problem for you.
• Are there trivial changes you can make that will drastically improve
security?
• Think about the costs of your design.
• Hire smart people and let them be annoyed about things that have always
“just been than way”. Let them fix those things.
• Make it easy to do things the right way and hard to do things the wrong
way.

And a final note
I really struggled with writing these slides, so in the end I wrote this talk up as
a blog post first and then turned it into slides. You can find the blog post
version of this talk at:
http://madebymikal.com/python/
I’d be happy to help people get privsep into their code, and its very usable
outside of OpenStack. There are a couple of blog posts about that on my site:
http://www.madebymikal.com/?s=privsep
But feel free to contact me at mikal@stillhq.com if you’d like to chat.

https://aptira.com
Australia freecall: 1800 APTIRA
International: +612 8030 2333
Follow:@aptira

Weitere ähnliche Inhalte

Mehr von OpenStack

Audience Level All levels Synopsis OpenStack offers many advantages for organisations building out their cloud environments, including flexibility and community-driven innovation. However, enterprises looking to deploy OpenStack in production typically find its storage management capabilities wanting from the perspective of management complexity and business resiliency. Enterprises are also challenged when it comes to ensuring protection of their data and providing the necessary performance – especially for their tier one applications. Meeting these fundamental needs is critical for enterprises to proceed confidently with their OpenStack deployments. Veritas HyperScale for OpenStack is a software-defined storage management solution uniquely developed for OpenStack based clouds. It leverages direct attached storage (DAS) and provides enterprise-strength capabilities that enable robust, production-scale deployment while meeting performance and data protection needs. Learn how this innovative solution, coupled with other relevant Veritas offerings, solve the remaining issues around implementing OpenStack within the enterprise. Speaker Bio: Tarso dos Santos works as a Technical Account Manager at Veritas, directly engaging with customers to develop strategies, architectures and solutions with focus on Cloud – Openstack, Containers, Data Protection, High Availability and Compliance. He has over 21 years in the IT industry architecting, delivering and positioning solutions such as private clouds, distributed systems, hpc, storage, and high available platforms. Tarso has a great interest in distributed systems performance, and scientific organizations that push the boundaries of existing technologies, but also need to link these into the Enterprise. Tarso in his life has enjoyed working in some of the most amazing projects ranging from mission critical systems protecting Australian lives, to IT infrastructure projects that are looking at the sky and discovering new planets out in the space. OpenStack Australia Day Melbourne 2017 https://events.aptira.com/openstack-australia-day-melbourne-2017/

Enabling OpenStack for Enterprise - Tarso Dos Santos, Veritas

OpenStack

Audience Level Intermediate Synopsis Ceph – the most popular storage solution for OpenStack – stores all data as a collection of objects. This object store was originally implemented on top of a POSIX filesystem, an approach that turned out to have a number of problems, notably with performance and complexity. BlueStore, a new storage backend for Ceph, was created to solve these issues; the Ceph Jewel release included an early prototype. The code and on-disk format were declared stable (but experimental) for Ceph Kraken, and now in the upcoming Ceph Luminous release, BlueStore will be the recommended default storage backend. With a 2-3x performance boost, you’ll want to look at migrating your Ceph clusters to BlueStore. This talk goes into detail about what BlueStore does, the problems it solves, and what you need to do to use it. Speaker Bio: Tim works for SUSE, hacking on Ceph and related technologies. He has spoken often about distributed storage and high availability at conferences such as linux.conf.au. In his spare time he wrangles pigs, chickens, sheep and ducks, and was declared by one colleague “teammate most likely to survive the zombie apocalypse”.

Understanding blue store, Ceph's new storage backend - Tim Serong, SUSE

OpenStack

Audience Level Beginner Synopsis Layer 2 versus Layer 3, MLAG, Spanning-Tree, switch mechanism drivers, overlays and routing-on-the-host — What scales and what does not? The underlying plumbing of an OpenStack network is something you’d rather not have to think about. This presentation examines the network architectures of web-scale and large enterprise OpenStack users and how those same efficiencies can be used in deployments of all sizes. Speaker Bio: Scott is a Member of Technical Staff at Cumulus Networks where he designs, supports and deploys web-scale technologies and architectures in enterprise networks globally. Prior to becoming a founding member of the Cumulus office in Australia, Scott started his career as a network administrator before joining Cisco Systems to support their data centre products. OpenStack Australia Day Melbourne 2017 https://events.aptira.com/openstack-australia-day-melbourne-2017/

OpenStack Networks the Web-Scale Way - Scott Laffer, Cumulus Networks

OpenStack

Audience Level Intermediate Synopsis Data Analytics is a hot topic today for most organisations as they race to convert vast amounts of data into useful information that can be leveraged to make critical decisions or recommendations in a very limited time window. Today, there is a widely accepted talent gap when it comes to creating and managing Hadoop Clusters. Even for the experts can take hours (or days) to get a fully functional Hadoop farm up and running. On top of that it can be difficult to find java programmers that have enough experience to be productive with Map Reduce. OpenStack Sahara is looking to address most of this challenges by facilitating the deployment of Hadoop clusters and provide a set of API to provide data processing tasks. This session will provide an insight into OpenStack Sahara capabilities and how the end users can leverage on it. Speaker Bio: Alex has been working with Open Source enterprise technologies for the better part of his 15 years IT career in companies like Hewlett-Packard Enterprise, Red Hat, IBM and Sun Microsystems. He started his OpenStack journey with Grizzly, delivering the first HPC cloud in APAC for a Singapore University making use of SRIOV technologies combined with big data. He has extensive deployment experience on configuration management and automation of private cloud based on OpenStack. Alex is currently an APJ Cloud Consultant in the Helion Cloud team at Hewlett-Packard Enterprise, where he evangelizes the OpenSource side of the Helion portfolio (OpenStack / Docker / Ceph). He enjoys running automation workshops and seminars in the APJ region for cloud adopters.

Diving in the desert: A quick overview into OpenStack Sahara capabilities - A...

OpenStack

Audience Level Intermediate Synopsis M3 is the latest generation system of the MASSIVE project, an HPC facility specializing in characterization science (imaging and visualization). Using OpenStack as the compute provisioning layer, M3 is a hybrid HPC/cloud system, custom-integrated by Monash’s R@CMon Research Cloud team. Built to support Monash University’s next-gen high-throughput instrument processing requirements, M3 is half-half GPU-accelerated and CPU-only. We’ll discuss the design and tech used to build this innovative platform as well as detailing approaches and challenges to building GPU-enabled and HPC clouds. We’ll also discuss some of the software and processing pipelines that this system supports and highlight the importance of tuning for these workloads. Speaker Bio Blair Bethwaite: Blair has worked in distributed computing at Monash University for 10 years, with OpenStack for half of that. Having served as team lead, architect, administrator, user, researcher, and occasional hacker, Blair’s unique perspective as a science power-user, developer, and system architect has helped guide the evolution of the research computing engine central to Monash’s 21st Century Microscope. Lance Wilson: Lance is a mechanical engineer, who has been making tools to break things for the last 20 years. His career has moved through a number of engineering subdisciplines from manufacturing to bioengineering. Now he supports the national characterisation research community in Melbourne, Australia using OpenStack to create HPC systems solving problems too large for your laptop.

Building a GPU-enabled OpenStack Cloud for HPC - Blair Bethwaite, Monash Univ...

OpenStack

Audience Level All levels Synopsis Peter has been involved in OpenStack community since its B-release, and he has been enabling and helping customers across various industries adopt OpenStack in strategic ways. In this session, you will learn from his experience what Red Hat’s perspective is on the current state of affairs in the OpenStack community and the path we see ahead that Red Hat is putting its efforts in. OpenStack is not a product that tries to solve any one business problem in particular, but a technology that aims to be usable for many – what are the required steps to make sure that your organisation is ready for the OpenStack-based cloudification and transformation. Speaker Bio: Peter Jung is a Senior Business Development Manager at Red Hat where he leads the practice in the areas of Cloud, SDN/NFV and IoT across Australia and New Zealand. He is passionate about open innovation and open source software development model as the foundation for next generation society and ICT systems. Prior to Red Hat, he had various roles at Cisco and Dell for 15 years. He holds a BSEE and an MBA. OpenStack Australia Day Melbourne 2017 https://events.aptira.com/openstack-australia-day-melbourne-2017/

OpenStack and Red Hat: How we learned to adapt with our customers in a maturi...

OpenStack

Audience Level Intermediate Synopsis The latest SDN revolution is centered on creating efficient virtualized data center networks using VXLAN & EVPN. We will talk about the scale, performance, and cost advantages of using a modern controller-free virtualized network solution built on 100 Gigabit Ethernet switches with hardware based VXLAN Routing. We will explore the ease of automating such a network in an OpenStack environment and take you through a real world use case of using OpenStack Network Node bridging between a bare metal cloud (EVPN) and a fully virtualized cloud environments (orchestrated by Neutron). Speaker Bio: David has held leadership roles at 3COM, Cisco Systems, Nortel Networks, and IBM where he promoted advanced network technologies including High Speed Ethernet, Layer 4-7 switching, Virtual Machine-aware networking, and Software Defined Networking. David’s current focus is on the evolving landscape of data center networking, scale out storage, Open Networking, and cloud computing.

Meshing OpenStack and Bare Metal Networks with EVPN - David Iles, Mellanox Te...

OpenStack

Audience Level Intermediate Synopsis High performance computing and cloud computing have traditionally been seen as separate solutions to separate problems, dealing with issues of performance and flexibility respectively. In a diverse research environment however, both sets of compute requirements can occur. In addition to the administrative benefits in combining both requirements into a single unified system, opportunities are provided for incremental expansion. The deployment of the Spartan cloud-HPC hybrid system at the University of Melbourne last year is an example of such a design. Despite its small size, it has attracted international attention due to its design features. This presentation, in addition to providing a grounding on why one would wish to build an HPC-cloud hybrid system and the results of the deployment, provides a complete technical overview of the design from the ground up, as well as problems encountered and planned future developments. Speaker Bio Lev Lafayette is the HPC and Training Officer at the University of Melbourne. Prior to that he worked at the Victorian Partnership for Advanced Computing for several years in a similar role.

The Why and How of HPC-Cloud Hybrids with OpenStack - Lev Lafayette, Universi...

OpenStack

Ironically, Infrastructure Doesn't Matter - Quinton Anderson, Commonwealth Ba...

OpenStack

Audience Level Intermediate Synopsis Hostworks is a part of the Inabox group and an Australian based Managed Hosting and Services Provider with a strong background in management of infrastructure, servers, and applications following Traditional Enterprise management practices. 2 years ago, we began our transition to adopt and deploy cloud technologies and mindsets with an on On-Premises OpenStack platform as part of a larger hybrid cloud offering. This presentation details how we did it, what went wrong, and what went right, important lessons and recommendations for other businesses who wish to follow the same path. Speaker Bio: Daniel is Platform Engineer at Hostworks and specialises in their On-Premises OpenStack cloud offering.

Traditional Enterprise to OpenStack Cloud - An Unexpected Journey

OpenStack

Building a GPU-enabled OpenStack Cloud for HPC - Lance Wilson, Monash University

OpenStack

Monitoring Uptime on the NeCTAR Research Cloud - Andy Botting, University of ...

OpenStack

Containers and OpenStack Audience: Intermediate Topic: Infrastructure Abstract: Containers are the new darling of the development world, and many are calling for an end of the IaaS world. But there are still key reasons that IaaS is important even as Container based development becomes the desired path for the development community. We will review containers in the context of their growth in popularity, and look at how OpenStack both continues to support and enable Container solutions, and the latest developments in OpenStack as a containerized solution directly. Speaker Bio: Marc Van Hoof, Kumulus Marc van Hoof has been in the technology industry for over 20 years, focused on developing, deploying, and scaling internet applications. He was part of a team that built the first internet data centre in Australia, has worked on some of the largest online real-time events, and advises companies on how to take advantage of the true benefits of migrating to the cloud. OpenStack Australia Day Government - Canberra 2016 https://events.aptira.com/openstack-australia-day-canberra-2016/

Containers and OpenStack: Marc Van Hoof, Kumulus: Containers and OpenStack

OpenStack

Moving to Cloud for Good. Audience: Intermediate Topic: User Stories Abstract: Chase to be compliant when you work with gov systems. – Planning your move from traditional infrastructure to cloud. – Rolling out CoreOs and Windows in the cloud as a part of infrastructure. Tough journey. – Security in Openstack. How we passed IRAP assessment to ISM. Always hard to explain why software replace hardware. – Swift. Good and bad parts. – When to complain about OpenStack or Infrastructure. Speaker Bio: Alexander Tsirel, HiveTec Senior Developer/Devops in HiveTec. Moved from Estonia to join a huge project about building software deeply integrated with government Employment Services. Specialising in infrastructure architecting, cloud automation, continuous integration. Working on infrastructure scaling for resource-hungry applications grid bundling docker, windows server, swift in one in our mission critical system. OpenStack Australia Day Government - Canberra 2016 https://events.aptira.com/openstack-australia-day-canberra-2016/

Moving to Cloud for Good: Alexander Tsirel, HiveTec

OpenStack

Audience: All levels Topic: OpenStack Keynote Abstract: Fresh from the OpenStack Summit in Barcelona, David and Tom will conduct an interactive QA session, discuss several hot industry topics, including: Containers and OpenStack being the fastest way for Enterprise to get their hands on them for testing. Security and OpenStack being the leading cloud for this capability as per Linux award. Multi-cloud and forthcoming cross-cloud applications. To support these high level themes David and Tom will look to highlight two case studies: The UK Tax office using OpenStack for all tax payments, and The Australian Federal Gov’t investment in the NeCTAR cloud. OpenStack Australia Day Government - Canberra 2016 https://events.aptira.com/openstack-australia-day-canberra-2016/

We Are OpenStack: David F. Flanders & Tom Fifield, OpenStack Foundation

OpenStack

Big Data and OpenStack, a Love Story Audience: Intermediate Topic: Storage Abstract: Increasingly we’re being asked to build out clusters of machines to solve big data problems. These clusters can become quite large, reaching up to thousands of machines. Of course, our operational budgets don’t scale linearly like our machine counts do, and we’re asked to do more and more with less. This talk will explore how organisations around the world are using OpenStack to automate the management of their big data implementations, harnessing interesting characteristics of big data workloads along the way. Speaker Bio: Michael Still, Rackspace OpenStack core developer and former Nova PTL, as well as experienced software and reliability engineer. Part of the team that grew Google Mobile to being a billion dollar business. Director of linux.conf.au 2013. Author of The Definitive Guide to ImageMagick (www.imagemagickbook.com) and Practical MythTV (www.mythtvbook.com) from Apress, as well as a bunch of articles. OpenStack Australia Day Government - Canberra 2016 https://events.aptira.com/openstack-australia-day-canberra-2016/

Big Data and OpenStack, a Love Story: Michael Still, Rackspace

OpenStack

Securing Openstack in Line with the Government ISM and PSPF controls and how to deliver High Performance OpenStack Cloud to address Government Legacy Systems Audience: Intermediate/Advanced Topic: Security, Infrastructure, Performance Abstract: As the CTO of Vault Systems, Christoph will take us through the challenges of implementing ASD’s ISM controls within Vault’s OpenStack cloud to create a Protected Certified OpenStack Platform and give a technical account of some of the optimizations he has done around Ceph on NVMe Storage to deliver High Performance Storage. Speaker Bio: Christoph Dwertmann, Vault Systems Christoph is a full stack engineer with four years of experience in deploying and securing Openstack. Fully automated software deployment and self-healing microservice containers are amongst his current interests. As the CTO of Vault Systems he recently deployed the world’s first pure NVMe Ceph cluster into production. From his previous work in network research for the National Science Foundation (NSF) he gathered in-depth knowledge spanning software-defined networks across continents. OpenStack Australia Day Government - Canberra 2016 https://events.aptira.com/openstack-australia-day-canberra-2016/

How to deliver High Performance OpenStack Cloud: Christoph Dwertmann, Vault S...

OpenStack

Crowbar and OpenStack Audience: Intermediate Topic: Operations Abstract: One of the greatest challenges in implementing OpenStack is the complexity in deploying and maintaining all of its many components on what can be a wide range of different hardware platforms. To mitigate this problem, SUSE has developed Crowbar, an open source deployment tool that has led to SUSE winning the “Rule the Stack” deployment competition every time it has been run. This presentation will take you through the basics of Crowbar as well as a demonstration of some of its features. Speaker Bio: Steven Kowalik, SUSE Steven Kowalik is a Sydney-based open source developer with over two decades experience contributing to major projects, including over 15 years with Debian GNU/Linux, as well as significant involvement with upstream OpenStack. Steven is currently a senior developer at SUSE, working on primarily on SUSE OpenStack Cloud and related projects. OpenStack Australia Day Government - Canberra 2016 https://events.aptira.com/openstack-australia-day-canberra-2016/

Crowbar and OpenStack: Steve Kowalik, SUSE

OpenStack

Multiple Sites and Disaster Recovery with Ceph Audience: Intermediate Topic: Storage Abstract: Ceph is the leading storage solution for OpenStack. As OpenStack deployments become more mission critical and widely deployed, multiple site requirements are increasing as is the need to ensure disaster recovery and business continuity. Learn about the new capabilities in Ceph that assist customers with meeting these requirements for block and object uses. Speaker Bio: Andrew Hatfield, Red Hat Andrew has over 20 years experience in the IT industry across APAC, specialising in Databases, Directory Systems, Groupware, Virtualisation and Storage for Enterprise and Government organisations. When not helping customers slash costs and increase agility by moving to the software-defined storage future, he’s enjoying the subtle tones of Islay Whisky and shredding pow pow on the world’s best snowboard resorts. OpenStack Australia Day Government - Canberra 2016 https://events.aptira.com/openstack-australia-day-canberra-2016/

Multiple Sites and Disaster Recovery with Ceph: Andrew Hatfield, Red Hat

OpenStack

Addressing Issues of Risk, and Governance in OpenStack without sacrificing Agility Audience: Intermediate Topic: Public & Hybrid Clouds Abstract: OpenStack has rapidly moved beyond the “science project” label that many of its detractors’ use, but for many stakeholders there are still many uncertainties around governance, compliance, data security and data retention. These issues are the biggest inhibitors to adoption of any cloud technology and left unanswered will slow down the adoption of OpenStack, particularly within government and highly regulated industries such as healthcare. In this presentation NetApp outlines a hybrid approach that leverages the best of open-source and next generation technologies within an OpenStack deployment, as well as a way of unifying data management across OpenStack, HyperScale public cloud and traditional Enterprise architecture that addresses these questions while providing a solid platform for rapid innovation. Speaker Bio: John Martin, NetApp John Martin is NetApp’s Director of Strategy and Technology, working as part of the Office of the CTO. Based in Sydney, John is responsible for developing and advocating NetApp’s flash portfolio across the APAC region. John is one of the driving forces behind NetApp’s continued expansion into flash and works closely with field sales, the channel and alliance technology partners to provide innovative solutions that solve customer business challenges. While John is NetApp’s flash champion, he continues to provide technology insights and market intelligence to trends that impacts both NetApp and its customers. Prior to his current role, John was NetApp’s ANZ’s principal technologist for over six years and has over 20 years experience working in the IT industry. John joined NetApp in 2006 as a systems engineer. Prior to this, he was a principal of GRID IT, where he built relationships with a variety of major storage vendors while also helping to start two storage-related businesses. At GRID IT, John was involved in senior pre-sales, consulting and training for Legato, Veritas, and StorageTek. In his spare time, John enjoys singing, writing and cooking. He also spends time researching modernist and post modernist philosophy, ancient history, social justice and global development. OpenStack Australia Day Government - Canberra 2016 https://events.aptira.com/openstack-australia-day-canberra-2016/

Addressing Issues of Risk & Governance in OpenStack without sacrificing Agili...

OpenStack

Mehr von OpenStack (20)