policy design for sustainability
Post on 16-Mar-2018
Normation – 87 rue de Turbigo, 75003 PARIS, France – contact@normation.com – +33 1.83.62.26.96 – http://www.normation.com/
Best Practices for long-term Rudder usage in Production
Configuration Management Camp 2018
Policy Design for Sustainability
● Policy Design
● Rudder Usage
Naming things
● Searchability
○ Example: multidimensional names (i.e. everything “SAP”, every “Config” directive, “name_of_some_os_file”)
○ Can now also use tags for this kind of information, especially key-value tags (“Application”: “HAProxy”, “Type”: “Config”, “Team”: “X”, etc.)
● Consistency
○ Need to define a regex and document how to “build a name”, or people will struggle or not bother
Separate “Code” from Data
● Security: do not allow any infra data or secrets anywhere in techniques. Use variables or properties to inject them.
● Node properties with sane defaults; use the JS engine to avoid duplication: “${rudder.node.hostname}”.substring(0,3)
● Synchronize data instead of duplicating it (datasources plugin)
● Use Global parameters
● User Technique parameters (4.3)
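The rule that no infra data or secrets belong in technique sources can be checked mechanically before a commit reaches the configuration repository. The following POSIX sh check is an added example, not from the slides and not part of Rudder: it scans technique files for IPv4 literals, secret-looking quoted literals and private key blocks, and skips lines that already inject the value through a ${...} variable or node property reference. The regexes, the keyword list and the CFEngine-style sample file are assumptions.

```shell
#!/bin/sh
# Added example: scan technique sources for infra data and secrets that
# should instead come from node properties, global parameters or
# technique parameters. Not part of Rudder; the patterns are assumptions.

# One extended regex per class of finding; extend them to fit your infra.
IPV4='([0-9]{1,3}\.){3}[0-9]{1,3}'
SECRET="(password|passwd|secret|token|api_key).*[\"'][^\"']+[\"']"
PRIVKEY='BEGIN( RSA| EC| OPENSSH)? PRIVATE KEY'

# scan_technique FILE: print "FILE:LINE:TEXT [class]" on stderr per hit.
# Returns the number of hits, so 0 means the file is clean.
scan_technique() {
    file=$1
    total=0
    for class in ipv4 secret privkey; do
        case $class in
            ipv4)    pattern=$IPV4 ;;
            secret)  pattern=$SECRET ;;
            privkey) pattern=$PRIVKEY ;;
        esac
        # Lines that inject the value through a ${...} variable or node
        # property reference are the intended pattern, so skip them.
        matches=$(grep -inE "$pattern" "$file" | grep -vF '${' || true)
        [ -n "$matches" ] || continue
        printf '%s\n' "$matches" | sed "s|^|$file:|; s|\$| [$class]|" >&2
        total=$((total + $(printf '%s\n' "$matches" | grep -c .)))
    done
    return $total
}

# Usage: check_techniques.sh FILE... (runs only when files are given)
if [ $# -ge 1 ]; then
    status=0
    for f in "$@"; do
        scan_technique "$f" || status=1
    done
    exit $status
fi
```

Run it as a pre-commit hook on the technique directory; a non-zero status blocks the commit until the literal is replaced by a property or parameter.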
Technique parameters
Classifying Nodes
● Make technical groups from inventory (“Debian 9.2”, “Physical Node”, etc.)
● Make business groups from inventory or properties (“Production”, “Load Balancer”, etc.)
● Use “In Group” criteria to avoid duplicating criteria (4.3)
● Use lifecycle state (4.3) for the node's state regarding Rudder
Designing Rules
● Optimize your directives so that they can be attached to N rules as needed (opt-in, i.e. for things like X11 libs or compiler bundles)
Technique Editor
● State vs. Script
● Only use repaired conditions to trigger actions when strictly necessary; use check methods or idempotent scripts when possible. A repaired condition will only be defined during one run and might never be defined again. If the run is interrupted or the conditioned method fails, your policy will not be fully applied, and this will not be visible in the displayed compliance.
● Wrap unix commands etc. into wrapper scripts that DO THEIR JOB, i.e. fully abstract the application commands so that it is known whether they are kept, changed or in error
● Sort by method, not by flow (all files, all permissions, all executions). You’re not scripting, you’re drawing a blueprint!
Technique Editor
● Limit Complexity
● Maintain strict independence between different techniques (conditions, variables, etc.)
● Only 1st-level dependencies; if there are more than 3 dependencies on something, raise a well-named condition for it (might incur one more agent run)
● Break apart package install, configuration (and sometimes even split out daemon management) and communications (server registration etc.)
Technique Editor
● Limit Complexity
● Do not have more than ~10 methods in a technique; it becomes unmaintainable
● Use iterators. They create bad reports, but at some point we’ll get that fixed. Package policies without iterators are unmaintainable, and other things benefit too
Managing File Content
● Have very precise headers for managed files (“file is managed in whole by Rudder rule X, directive Y; do not edit here”)
● Comment distributed files
● Prefer templating/copy over edits: easier to maintain, avoids partial application and undefined variables, and the state definition is absolute, not relative to the previous state.
● The File content technique is useful for complex cases. Use sections to limit complexity
Safety Checks
● File copy with check (next minor); more generally, use linters/check commands
● Safety checks on variable content for important policies, sane defaults when possible.
● Use audit mode to assess the current state on nodes (for existing nodes or items that were not Rudder-controlled before)
● Use runtime conditions to unlock dangerous parts of a policy with: rudder agent run -D allow_cryptfs_setup
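A wrapper script that “does its job” (Technique Editor slide) and applies safety checks on its inputs (this slide) reports state instead of just running: it checks the current state first, changes only what is needed, refuses inputs that would corrupt the file, and returns distinct exit codes for kept / repaired / error so the method that runs it (for instance Rudder's command_execution_result, which maps listed exit codes to kept and repaired) reports real compliance. This POSIX sh wrapper is an added example, not from the slides; the KEY=VALUE file format and the 0/1/2 exit-code convention are assumptions.

```shell
#!/bin/sh
# Added example: idempotent wrapper that ensures KEY=VALUE is set in a
# config file. Exit codes follow a kept/repaired/error convention so the
# calling Rudder method can report compliance instead of "script ran".
KEPT=0
REPAIRED=1
ERROR=2

# ensure_kv FILE KEY VALUE
ensure_kv() {
    file=$1 key=$2 value=$3
    # Safety check on inputs: a key with spaces, '=' or '#' would corrupt
    # the file, so refuse it instead of writing garbage.
    case $key in
        ''|*[!A-Za-z0-9_]*) echo "ensure_kv: invalid key '$key'" >&2; return $ERROR ;;
    esac
    # Create the file if absent; stop if it cannot be written.
    if [ ! -e "$file" ]; then
        : > "$file" || return $ERROR
    fi
    [ -w "$file" ] || { echo "ensure_kv: $file not writable" >&2; return $ERROR; }
    # Desired state already present: report kept and do not touch the file.
    if grep -qxF "$key=$value" "$file"; then
        return $KEPT
    fi
    # Rewrite atomically: drop any other definition of KEY, append the
    # desired one, then replace the file in a single move.
    tmp=$(mktemp "$file.XXXXXX") || return $ERROR
    grep -v "^$key=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    if mv "$tmp" "$file"; then
        return $REPAIRED
    fi
    rm -f "$tmp"
    return $ERROR
}

# Usage: ensure_kv.sh FILE KEY VALUE (runs only when called with arguments)
if [ $# -eq 3 ]; then
    ensure_kv "$1" "$2" "$3"
    exit $?
fi
```

Because the desired state is checked before anything is written, the script can be run on every agent run without a repaired condition gating it.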
● Policy Design
● Rudder Usage
Testing
● Dedicated testing environments, and testing nodes in prod environments
○ Need one testing node per relay; allows for end-to-end tests PLUS continuous regression testing
○ QA env size recommendation 5%-15%, test env size 1%
Traceability and Auditability
● Use the audit log messages (tail -f during a change; ship them to elasticsearch / splunk)
● Maintain distributed files and templates in a VCS repository (which can be the configuration-repository) with a proper log/review process
● Add documentation in description fields, links to external resources
● Your Rudder config is to your infra what a VCS repository is to your code
Questions?