Passwords
Passwords are unpleasant: hard to remember, so people remember a couple and reuse them
Reused passwords are single points of failure
Algorithmic passwords (deriving a password per site from a scheme) are also flawed
Use 'pwgen' to make decent passwords
Still hard to remember
Storing passwords in a vault
Why not put your passwords in a file?
Password-protect the file
The single point of failure has shifted to a private file
Still not ideal, but certainly safer than one password for everything
Plenty of password managers out there: 1Password, KeePass, LastPass, pass
pass password manager
Uses a GPG keypair for encryption/decryption of passwords
Stores each password in a separate file
All files kept in a git repo
Allows pushing/pulling to/from machines you control
Do not put them on GitHub/BitBucket/etc.
Lots of platforms supported
Making GPG keys – Quick redux
Check LPI-102 Topic 110
gpg --gen-key  [Generate a key interactively]
gpg --output revoke.asc --gen-revoke mykey  [Generate a revocation certificate. Critical for identity keys!]
gpg --export-secret-key -a "MyUser" -o priv.key  [Export the secret key, needed on every device that must decrypt passwords]
gpg --export -a "MyUser" -o pub.key  [Export the public key, needed on every device that must encrypt passwords]
Setting up pass
pass init foo@bar.com  [Uses the GPG key for foo@bar.com]
pass git init
pass git remote add origin myVPS.com:somefolder
pass git push -u --all
pass generate Logins/Netsoc 32  [Makes a 32-char password in the file Logins/Netsoc]
pass git push
Cool things
Each folder (e.g. Logins/Netsoc) can have its own GPG key to en/decrypt
$folder/.gpg-id contains the ID of the GPG key used for that folder
The path is, by default, ~/.password-store
Use gpg-agent to stop having to enter your passphrase repeatedly: eval "$(gpg-agent --daemon)"
Has a clipboard feature; holds the password for 45 seconds: pass -c Logins/Netsoc
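The per-folder .gpg-id rule above is easy to get wrong when a store has several key IDs in it, so here is an added example (not part of pass or of the original slides) that resolves which .gpg-id an entry falls under and audits a whole store. It mirrors how pass searches for .gpg-id: the entry's own folder first, then each parent up to the store root. The demo store, its key IDs (foo@bar.com from the slides, ops-team@example.invalid made up here) and its empty .gpg placeholder files are all constructed for the example; in a real store the sub-folder key would be set with `pass init -p Logins <key-id>`.

```shell
#!/bin/sh
# Resolve which GPG key id(s) pass will encrypt a given entry with.
# pass looks for a .gpg-id file in the entry's own folder first, then in each
# parent folder up to the store root, and uses the first one it finds.
# Added example, not part of pass itself; the demo store below is constructed.

# Print the contents of the nearest .gpg-id for ENTRY (e.g. Logins/Netsoc)
# inside STORE. Returns 1 if no .gpg-id is found at any level.
gpg_id_for() {
    store="$1"
    entry="$2"
    rel=$(dirname "$entry")      # "." for a top-level entry
    while :; do
        f="$store/$rel/.gpg-id"
        if [ -f "$f" ]; then
            cat "$f"
            return 0
        fi
        [ "$rel" = "." ] && break
        rel=$(dirname "$rel")    # climb one folder towards the store root
    done
    echo "no .gpg-id found for $entry in $store" >&2
    return 1
}

# Build a throw-away store that mimics the layout pass creates:
#   pass init foo@bar.com                          -> .gpg-id at the root
#   pass init -p Logins ops-team@example.invalid   -> Logins/.gpg-id overrides it
# Key ids and entries are constructed for the demo; the .gpg files are empty
# placeholders rather than real ciphertext.
make_demo_store() {
    store=$(mktemp -d)
    echo "foo@bar.com" > "$store/.gpg-id"
    mkdir -p "$store/Logins" "$store/Personal"
    echo "ops-team@example.invalid" > "$store/Logins/.gpg-id"
    : > "$store/Logins/Netsoc.gpg"
    : > "$store/Personal/Bank.gpg"
    echo "$store"
}

# Walk every entry in STORE and report the key it would be encrypted to.
# Useful as a sanity check after changing a .gpg-id: an entry that resolves
# to an unexpected key was either put in the wrong folder or not re-encrypted.
audit_store() {
    store="$1"
    find "$store" -name '*.gpg' | sort | while read -r path; do
        entry=${path#"$store"/}
        entry=${entry%.gpg}
        printf '%s -> %s\n' "$entry" "$(gpg_id_for "$store" "$entry")"
    done
}

if [ "$#" -gt 0 ]; then
    # usage: sh gpg-id-audit.sh ~/.password-store
    audit_store "$1"
fi
```

Run it against a real store as `sh gpg-id-audit.sh ~/.password-store` after changing any .gpg-id; an entry that still resolves to the old key has not been re-encrypted and will be unreadable on devices that only hold the new key.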
Managing lots of machines
Very relevant to the ~~~cloud~~~
Two types of methods: configuration management, remote shells
Lots of different configuration management software: Salt, Ansible, Puppet, Chef, CFEngine, Bcfg2, Spacewalk, etc.
Many different approaches too: enforcing/passive, agent/agentless, symmetric/asymmetric communication layer
Config storage: JSON/XML/LDAP/????
Remote shells
Quick way to execute commands on many servers
Fast hack: tmux with 'setw synchronize-panes'
Better way: pdsh, or fab (Fabric, which is also a deployment system)
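What pdsh does for you, stripped to its core, is fan one command out to a host list in parallel and collect each host's exit status. The following is an added example (not pdsh or Fabric code, and not from the slides) that does exactly that in POSIX sh. The host names and the fake_ssh stand-in are constructed so the demo runs offline; with REMOTE_RUNNER left at its default, real hosts are reached with ssh in batch mode, so a host that prompts for a password simply fails instead of hanging the run.

```shell
#!/bin/sh
# Minimal pdsh-style fan-out: run one command on many hosts concurrently and
# summarise per-host exit status. Added example, not pdsh or Fabric code.
# REMOTE_RUNNER is what actually reaches a host; it defaults to ssh in batch
# mode (no password prompts, short connect timeout) and can be swapped for
# another command or shell function, which is how the demo stays offline.
: "${REMOTE_RUNNER:=ssh -o BatchMode=yes -o ConnectTimeout=5}"

# run_on_hosts "host1 host2 ..." command [args...]
# Prints each host's output prefixed with its name, then returns the number
# of hosts on which the command failed (0 = everything succeeded).
run_on_hosts() {
    hosts="$1"; shift
    cmd="$*"
    outdir=$(mktemp -d)
    for h in $hosts; do
        # each host gets its own subshell so a slow or dead host cannot hold
        # up the others; stdout+stderr and the exit code are captured per host
        (
            $REMOTE_RUNNER "$h" "$cmd" > "$outdir/$h.out" 2>&1
            echo $? > "$outdir/$h.rc"
        ) &
    done
    wait
    failed=0
    for h in $hosts; do
        rc=$(cat "$outdir/$h.rc")
        printf '%s: exit %s\n' "$h" "$rc"
        sed "s/^/$h:   /" "$outdir/$h.out"
        [ "$rc" -eq 0 ] || failed=$((failed + 1))
    done
    rm -rf "$outdir"
    return "$failed"
}

# Stand-in for ssh used by the demo (constructed): "bad*" hosts behave like
# unreachable machines (ssh's exit status 255), every other host runs the
# command locally.
fake_ssh() {
    case "$1" in
        bad*) echo "ssh: connect to host $1: Connection refused" >&2; return 255 ;;
    esac
    shift
    sh -c "$*"
}

if [ "$#" -gt 0 ]; then
    # usage: sh fanout.sh "web1 web2 db1" uptime
    run_on_hosts "$@"
fi
```

The return value is the count of failed hosts, which makes the script usable from cron or a wrapper: a non-zero status means at least one host needs looking at, and the prefixed output says which. Shell return codes wrap at 255, so the summary lines rather than the exit status are the thing to read on very large host lists.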
Monitoring machines
Lots of machines => lots of possible failures
Need monitoring and alerting systems
Very detailed monitoring can be done with collectd; it can output to syslog, files, CSV, etc.
Syslog can be directed to a syslog server (or something like logstash)
Round-robin remote monitoring done with cacti/munin
Munin is very simple, uses telnet(!) to gather data
Monitoring machines
A few options: Nagios, Zabbix, Icinga (holy war with Nagios)
Nagios uses pagers and the like to alert people to problems
Problems arise when a script that Nagios fires itself fails
Three states: Normal (or recovered), Warning, Critical
Nagios
Two ways of monitoring:
Get the central node to check remote hosts with commands over SSH; generally called "push monitoring"
Ask remote nodes for information using NRPE; generally called "pull monitoring"
NRPE – Nagios Remote Plugin Execution
Scripts for testing the system exist on the client, and are fired when the client receives an instruction from the master
Can get a mixture of both (if you want to make people sad)
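The "scripts that exist on the client" are ordinary executables that report their state through the exit code: 0 OK, 1 WARNING, 2 CRITICAL, and 3 UNKNOWN for the case the previous slide warns about, where the check itself breaks. Below is an added example of such a plugin, written for this page rather than taken from Nagios or NRPE. The threshold logic is kept in its own function so it can be exercised with constructed values; the defaults of 80% and 90% and the file name check_disk.sh are assumptions for the example.

```shell
#!/bin/sh
# Nagios/NRPE-style check script using the plugin exit-code convention:
#   0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN
# Nagios takes the state from the exit status and the message from the first
# line of output; text after '|' is performance data for graphing.
# Added example, not a script shipped with Nagios or NRPE.

# check_usage USED_PERCENT WARN_PERCENT CRIT_PERCENT
# Pure threshold logic, kept separate from data collection so it can be
# tested with constructed values.
check_usage() {
    used="$1"; warn="$2"; crit="$3"
    case "$used" in
        ''|*[!0-9]*)
            # a bad or missing reading must be UNKNOWN, never silently OK,
            # otherwise a broken collector hides real failures
            echo "UNKNOWN - usage reading '$used' is not a number"
            return 3 ;;
    esac
    perf="| usage=${used}%;${warn};${crit};0;100"
    if [ "$used" -ge "$crit" ]; then
        echo "CRITICAL - disk usage ${used}% >= ${crit}% $perf"
        return 2
    elif [ "$used" -ge "$warn" ]; then
        echo "WARNING - disk usage ${used}% >= ${warn}% $perf"
        return 1
    fi
    echo "OK - disk usage ${used}% $perf"
    return 0
}

# Read the usage percentage of a mounted filesystem with df; prints nothing
# (which check_usage turns into UNKNOWN) if the mount point does not exist.
current_usage() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

if [ "$#" -gt 0 ]; then
    # usage: check_disk.sh MOUNT [WARN%] [CRIT%]   e.g.  check_disk.sh / 80 90
    check_usage "$(current_usage "$1")" "${2:-80}" "${3:-90}"
    exit $?
fi
```

On an NRPE client the script is referenced from nrpe.cfg with a `command[...]=` line pointing at its path and arguments; the master then only ever sees the one-line message and the exit status, which is why a check that can fail must map that failure to UNKNOWN rather than exiting 0.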
Asset management
Managing equipment is messy; lots of bureaucracy
Use ralph (
Geared towards physical datacentres; less appropriate for cloud stuff
Backups
Critical: drives die, and you can be stuck without anything
Lots of software for backups: Acronis, Bacula, Amanda, rsync(!)
Netsoc uses Bacula
Four components:
Director: tells things what to back up
Storage daemon: where backups are put
File daemon: where backups come from
Console: lets you check things