4. Groovy for System Administrators
“System Administration is a multi-faceted problem domain, not dissimilar from programming.”
- Me, just now.
5. Groovy for System Administrators
At a high level...
Provisioning
Deployment
Management
6. Groovy for System Administrators
Provisioning
./“Building” the server
./Creating installation media
./Installing the server
7. Groovy for System Administrators
Deployment
./Getting our app on the server
./Making sure it runs there
./Managing environment dependencies
8. Groovy for System Administrators
Management
./Maintaining users
./Managing resource authorization
./Designing security
9. Groovy for System Administrators
“We need to rethink the way that we build and work with server environments.”
- Me, just now.
10. Groovy for System Administrators
Environment Considerations
./Disaster Recovery
./Auditing
./Testing (Test Network)
11. Groovy for System Administrators
Environment Considerations
Should be able to rapidly recover or reproduce an environment from configuration and archives
12. Groovy for System Administrators
Programmatic Strategy
./Download install media
./Modify with kickstart
./Produce and archive reusable install media
13. Groovy for System Administrators
Build Servers with Gradle
./“Version Control” the infrastructure
./Integrate with CI
./Archive “Builds” for recovery/regeneration purposes
./Whole environment build and deploy
14. Groovy for System Administrators
Provisioning Gradle Plugin
http://github.com/danveloper/provisioning-gradle-plugin
15. Groovy for System Administrators
Provisioning and Deployment Through CI
“qa-web-server”
--- application-services (rabbitmq)
    `-- build: jar, packaging: rpm
    `-- deployment: “Network Yum Repo”
--- application-webapp (grails)
    `-- build: war, packaging: rpm
    `-- deployment: “Network Yum Repo”
16. Groovy for System Administrators
Authentication Hacking
.with(Groovy)
17. Groovy for System Administrators
Pluggable Authentication Modules
* Account Details
* Authentication
* Password Changes
* Session Interaction
18. Groovy for System Administrators
PAM Account & Authentication
./LDAP Integration (pam_ldap)
./Active Directory
./Radius
./etc...
19. Groovy for System Administrators
PAM Account & Authentication
Why not Spring Security from Grails?
20. Groovy for System Administrators
Pluggable Authentication Modules
pam_exec.so – allows an external script to provide for any layer of the PAM stack
21. Groovy for System Administrators
PAM Account & Authentication w/ Grails
Add to /etc/pam.d/login:
auth     sufficient  pam_exec.so debug expose_authtok /etc/security/onauth
account  sufficient  pam_exec.so /etc/security/onaccount
Create /etc/security/onauth script and mark it executable:
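#!/bin/sh
# With expose_authtok, pam_exec writes the password to this script's stdin.
pass=$(cat)
# URL-encode both fields so characters such as & or = in the password survive the POST.
result=$(curl -s --data-urlencode "user=$PAM_USER" --data-urlencode "pass=$pass" http://192.168.0.106:8080/grails-springsec/auth)
if [ "$result" != "success" ]; then
    exit 1
else
    # Create a local account (with home directory) for the authenticated user.
    /usr/sbin/useradd -m -k /etc/skel "$PAM_USER"
    exit 0
fi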
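A hardened variant of the onauth script above, as an added example that is not part of the original slides: it validates PAM_USER before it reaches useradd, hands the password to curl on stdin instead of the command line, verifies TLS, and denies the login on any backend error. AUTH_URL and CA_FILE are placeholder assumptions, as are the function names.

```shell
#!/bin/sh
# Added example: hardened variant of the slide's /etc/security/onauth.
# AUTH_URL and CA_FILE are placeholders (assumptions), not values from the deck.
LC_ALL=C; export LC_ALL
AUTH_URL="${AUTH_URL:-https://auth.example.internal/grails-springsec/auth}"
CA_FILE="${CA_FILE:-/etc/pki/tls/certs/auth-ca.pem}"

# PAM_USER is whatever was typed at the login prompt and later reaches useradd,
# so accept only conservative login names: [a-z_][a-z0-9_-]*, at most 32 chars.
valid_user() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# POST to the backend. The password arrives on stdin ("pass@-"), so it never
# shows up in the process list; the server certificate is checked against CA_FILE.
ask_backend() {  # $1 = user, password on stdin
    curl -sS --fail --max-time 5 --cacert "$CA_FILE" \
         --data-urlencode "user=$1" --data-urlencode "pass@-" "$AUTH_URL"
}

# Fail closed: timeouts, TLS errors, HTTP errors and any body other than
# "success" all deny the login.
authenticate() {  # $1 = user, $2 = password
    valid_user "$1" || return 1
    reply=$(printf '%s' "$2" | ask_backend "$1") || return 1
    [ "$reply" = "success" ]
}

# Entry point under pam_exec, which sets PAM_USER and (with expose_authtok)
# writes the password to stdin.
if [ -n "${PAM_USER:-}" ]; then
    pass=$(cat)
    authenticate "$PAM_USER" "$pass" || exit 1
    # Create the local account only if it does not exist yet.
    id "$PAM_USER" >/dev/null 2>&1 || /usr/sbin/useradd -m -k /etc/skel "$PAM_USER"
    exit 0
fi
```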
22. Groovy for System Administrators
Kernel Hacking
.with(Groovy)
#include <linux/kernel.h>
#include <linux/module.h>
#include "groovy.h"

#define ITEM_1 "Kernel Space IPC with User Space Groovy"
#define ITEM_2 "sys_call_table manipulation"
#define ITEM_3 "syscall hacking for Groovy-defined ruleset"
#define ITEM_4 "Groovy DSLs for every occasion!"
23. Groovy for System Administrators
Kernel Hacking
The Kernel is modular, allows influence from external sources
Provides a variety of “hooks” into nearly all aspects of the server and its state
Handling of logistical operations, like metrics and reporting
Influence over nearly all of the server’s operation
24. Groovy for System Administrators
Kernel Space IPC w/ User Space Groovy
[Diagram: Kernel Memory and Kernel Processes on one side, Userland Memory and Userland Processes on the other, linked by procfs, netlink, mmap and udp]
25. Groovy for System Administrators
Groovy ACL DSL for Filesystem Behavior
[Diagram: mkdir() -> syscall table (MKDIR, __NR_mkdir) -> mkdir_code -> filesystem]
26. Groovy for System Administrators
Groovy ACL DSL for Filesystem Behavior
[Diagram: mkdir() -> syscall table (MKDIR) -> intercepted mkdir_code -> original mkdir_code -> filesystem]
27. Groovy for System Administrators
Kernel Hacking
Other Things We Might Do...
Packet inspection (a la IDS)
Network manipulation (rewrite headers, compression, etc.)
Tag packets, and correlate with process/application
User and application oriented metrics gathering
28. Groovy for System Administrators
try {
    "Groovy for System Administrators"()
} finally {
    Utilize.groovy() as FullstackInfrastructureComponent
}
The end.
Editor's Notes
In any non-trivial environment, you need to build things in a standard way, or at least in a way that somebody else can reproduce.
“build servers and environments like we build code projects”
Organizations are steadily shifting from systems-centric to software-centric environments. Why not have your already-robust application authentication manage your server authentication as well?
Tagging packets may allow for a correlation of application user to incoming server packet, which may be useful for issue debugging (jetty ajp issue).
May want to make a call to the hypervisor to hot-plug a CPU or memory as needed.