Configuration Services at CERN HEPiX fall 20142 Ben Jones, HEPiX Fall 2014.

Slides:

Advertisements

Similar presentations

About Me CTO, Individual Digital, Inc. (Startup) Author of ext/tidy, PHP 5 Unleashed, Zend Ent. PHP Patterns

Advertisements

Jenkins User Conference San Francisco, Sept #jenkinsconf Business Process Model & Notation (BPMN) Workflows in Jenkins Max Spring Cisco

Jenkins User Conference Jenkins User Conference San Francisco, Sept #jenkinsconf Using Jenkins in the Enterprise and the Cloud Mark Prichard Kohsuke.

27. to 28. March 2007 | Geneva, Switzerland. Fabrice Romelard ilem SA Level 200.

Update on Version Control Systems: GitLab, SVN, Git, Trac, CERNforge

Maintaining and Updating Windows Server 2008

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

CERN Cloud Infrastructure Report 2 Bruno Bompastor for the CERN Cloud Team HEPiX Spring 2015 Oxford University, UK Bruno Bompastor: CERN Cloud Report.

Windows.Net Programming Series Preview. Course Schedule CourseDate Microsoft.Net Fundamentals 01/13/2014 Microsoft Windows/Web Fundamentals 01/20/2014.

Getting to Push Button Deploys Moovweb January 19, 2012.

First Look Clinic: What’s New for IT Professionals in Microsoft® SharePoint® Server 2013 Sayed Ali (MCTS, MCITP, MCT, MCSA, MCSE )

 Cloud computing  Workflow  Workflow lifecycle  Workflow design  Workflow tools : xcp, eucalyptus, open nebula.

Tools and software process for the FLP prototype B. von Haller 9. June 2015 CERN.

AI project components: Facter and Hiera

Platform Upgrades As A Service Raj Nagarajan, Robert Enyedi.

SMS 2003 Deployment and Managing Windows Security Rafal Otto Internet Services Group Department of Information Technology CERN 26 May 2016.

Brent Mosher Senior Sales Consultant Applications Technology Oracle Corporation.

Presented by: Alicia Goodwin

Microsoft SharePoint Server 2010 for the Microsoft ASP.NET Developer Yaroslav Pentsarskyy

Puppet with vSphere Workshop Install, configure and use Puppet on your laptop for vSphere DevOps Billy Lieberman August 1, 2015.

The Art and Zen of Managing Nagios with Puppet Michael Merideth - VictorOps

CERN IT Department CH-1211 Genève 23 Switzerland t Experiences running a production Puppet Ben Jones HEPiX Bologna Spring.

Configuration Management Evolution at CERN Gavin

Configuration Management with Cobbler and Puppet Kashif Mohammad University of Oxford.

Computer Science and Engineering The Ohio State University  Widely used, especially in the opensource community, to track all changes to a project and.

Continuous Integration and Code Review: how IT can help Alex Lossent – IT/PES – Version Control Systems 29-Sep st Forum1.

Platform & Engineering Services CERN IT Department CH-1211 Geneva 23 Switzerland t PES AI’s user access, OpenStack security groups and firewall.

1 PUPPET AND DSC. INTRODUCTION AND USAGE IN CONTINUOUS DELIVERY PROCESS. VIKTAR VEDMICH PAVEL PESETSKIY AUGUST 1, 2015.

Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Usage of virtualization in gLite certification Andreas Unterkircher.

CERN IT Department CH-1211 Genève 23 Switzerland PES 1 Ermis service for DNS Load Balancer configuration HEPiX Fall 2014 Aris Angelogiannopoulos,

CERN IT Department CH-1211 Genève 23 Switzerland t IT Configuration Activities Gavin McCance Online Cross-experiment Meeting, 14 June 2012.

1 CERN IT Department CH-1211 Genève 23 Switzerland t Puppet in the CERN CC Tomas Karasek Steve Traylen Oct

Configuration Report 12/02/2015

Creating SmartArt 1.Create a slide and select Insert > SmartArt. 2.Choose a SmartArt design and type your text. (Choose any format to start. You can change.

Configuration Report (nearly) Christmas Edition

Scaling the CERN OpenStack cloud Stefano Zilli On behalf of CERN Cloud Infrastructure Team 2.

Configuration Report 2/5/2016 Document reference2 21/05/2015 – 28/05/2015.

Platform & Engineering Services CERN IT Department CH-1211 Geneva 23 Switzerland t PES Development Workflow of the Configuration Management.

UNDERSTANDING YOUR OPTIONS FOR CLIENT-SIDE DEVELOPMENT IN OFFICE 365 Mark Rackley

CERN IT Department CH-1211 Genève 23 Switzerland t Migration from ELFMs to Agile Infrastructure CERN, IT Department.

Platform & Engineering Services CERN IT Department CH-1211 Geneva 23 Switzerland t PES AI Images, flavours and partitions Vítor Gouveia,

CERN AI Config Management 16/07/15 AI for INFN visit2 Overview for INFN visit.

Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.

Release Management for Visual Studio 2013 Ana Roje Ivančić Ognjen Bajić Ekobit.

Eliminate Team Build Headaches with Unit Tests, WiX and Virtualization Benjamin Day

Copyright © New Signature Who we are: Focused on consistently delivering great customer experiences. What we do: We help you transform your business.

Virtual Lab Overview 5/21/2015 xxxxxxxxxx NWS/MDL/CIRA.

Cloud Installation & Configuration Management. Outline  Definitions  Tools, “Comparison”  References.

Platform & Engineering Services CERN IT Department CH-1211 Geneva 23 Switzerland t PES Agile Infrastructure Project Overview : Status and.

Software collaboration tools as a stack of services Borja Aparicio Cotarelo IT-PES-IS 2HEPiX Fall 2015 Workshop.

Automating operational procedures with Daniel Fernández Rodríguez - Akos Hencz -

© 2016 IBM Corporation Virtual Appliance migration self-assessment May 2016 IBM Security Identity Manager.

Platform & Engineering Services CERN IT Department CH-1211 Geneva 23 Switzerland t PES GIT Service in the Agile Infrastructure Project Vítor.

XNAT 1.7: Getting Started 6 June, Introduction In this presentation we’ll discuss:  Features and functions in XNAT 1.7  Requirements  Installing.

Wataru Takase, Tomoaki Nakamura, Yoshiyuki Watase, Takashi Sasaki

Renewal of Puppet for Australia-ATLAS

ONAP on Vagrant for ONAPers

Joonas Sirén, Technology Architect, Emerging Technologies Accenture

@ Bucharest DevOps Hacker Meetup

Web application hosting with Openshift, and Docker images

Web application hosting with Openshift, and Docker images

How to open source your Puppet configuration

Infrastructure Orchestration to Optimize Testing

Spacewalk and Koji at Fermilab

SERVICENOW ADMIN & ADVANCED ONLINE TRAINING

Enhancing Cloud Foundry with CLI Plugins

Intro to Config Management Using Salt Open Source

Scaling Puppet and Foreman for HPC

JENKINS TIPS Ideas for making your life with Jenkins easier

Presentation transcript:

Configuration Services at CERN HEPiX fall Ben Jones, HEPiX Fall 2014

Agenda Infrastructure Security Continuous Integration User Training Current Issues Community HEPiX fall 20143

Quattor at CERN Oct Nov 2014 R.I.P.

Infrastructure: puppet Puppet Masters49(46 “batch” 3 “interactive”) all VMs Puppet Clients12,814 Puppet Version , 3.4.3cern2.dirty- 1 (masters are patched, more later) Catalog requests / min140 Average compilation time 92 seconds Modules249 Top-level hostgroups138 Environments1412 “golden”: prod & qa HEPiX fall 20145

Infrastructure: Foreman HEPiX fall Servers 2x UI, 2x ENC, 2x Reports, 1x Rake tasks Running v1.3 + patches Bugs/missing features preventing upgrade Use as ENC for hostgroup membership and some variables Inventory Report Visualization Kickstart generation BMC management Not used for modules (though perhaps some use cases)

Infra: misc Git repository per hostgroup / module Homegrown tools “jens” to create manifest trees on puppet masters PuppetDB with two machines, postgres & puppetdb process some issues with postgres replication Jira & jenkins used heavily in workflow mcollective kerberos plugin for PuppetDB & foreman (sent upstream) Looking at rundeck for some automation HEPiX fall 20147

CERN Puppet user stats Module authorsHostgroup authors September HEPiX fall Modules have between 400 and 700 production commits a month Hostgroups production commits a month

Security CERN has puppet admins throughout IT department Even assuming trust across all groups one account compromise shouldn’t affect unrelated services Our git repo per hg, module should be the limit of permissions Puppet’s sweet spot may not be for this admin model HEPiX fall 20149

Pluginsync HEPiX fall

Pluginsync HEPiX fall

Pluginsync Aside from configuration in the form of puppet manifests, puppet ships “libdir” code facts functions types & providers augeas Pluginsync is process that ships libdir to clients to enable custom facts & providers to be present on client for runs All of libdir on modulepath of server is shipped to clients HEPiX fall

Wait. All of libdir on modulepath of server is shipped to clients?

Pluginsync problems Facter runs as root So does everything else of course, but _all_ facts are run _always_ Pluginsync sends all facts (and other libdir) defined in all modules In our model that means any hostgroup (nevermind module) can run arbitrary code as root on all machines HEPiX fall

3.4.3cern2.dirty-1 Patched puppet to change behaviour of pluginsync Hiera variable for “pluginsync whitelist” Extra ENC call to determine hostgroup to determine hiera lookup Hiera lookup means we can have “base” modules in whitelist globally Yes, it leads to bad surprises occasionally HEPiX fall

Secrets Problem of secrets has been discussed at previous HEPiX Solutions such as hiera-gpg mean that puppet master must decode secrets to add to manifests Many methods to get data from puppet masters hiera calls, functions, erb files Resources are stored in PuppetDB HEPiX fall

secrets at CERN External datastore using hostgroup and host authorization Types and providers to allow for files and templates to include keys for datastore Host authentication is used to download secrets (x509 or keytab) Anyone who can get root on a machine can update/see secrets HEPiX fall

HEPiX fall Teigi architecture

Continuous Integration We want to enable regular changes of configuration small changes safer than big changes drift and freezing causes other problems Requires rigorous testing and QA to be possible Testing should be frictionless Normal QA flow: change from topic to QA, wait a week without complaints, QA to Prod Automated Pipeline with tests vs forgetful busy humans HEPiX fall

CI Tests Daily tests of base modules run on freshly installed VM Outside “base” tests are run based on change management ticket Functional tests can be defined for each module Jenkins test nodes spawned from openstack, with specific configuration as needed for example: “SSO” app webserver HEPiX fall

CI radiator HEPiX fall

Change Management test

test-shibboleth

Training We initially thought we’d need basic Puppet training …and setup a course with external trainers What people actually prefer is the details for your site Local conventions, local tools and practices We found the rest you can get from books, Puppet documentation, and just from getting on with it HEPiX fall

Local training At CERN we now provide a general training for the new infrastructure Cloud Puppet and Configuration Monitoring 1 day training, approx 1/month presently Documentation contains training material, so people can work on it in their own time HEPiX fall

Current issues Foreman permission model. 1.3 we have patches to reduce hostgroup filter to hostgroups the user is permissioned to 1.5 has regression of this behaviour Foreman is perhaps on critical path for puppet upgrades Reacting to events such as Heartbleed & ShellShock could be improved should be noted that mcollective has been useful PuppetDB performance issues more or less fixed issues separating API use from compilation critical path issues getting postgres replication to keep up HEPiX fall

Postgres slave 1 day behind… HEPiX fall

Community 9 CERN modules now on puppet forge more on github.com/cernops Interest in finding gaps where YAIM currently relied upon Will be sending a survey to discover top modules required to migrate from YAIM HEPiX fall