SlideShare una empresa de Scribd logo

Discovering OpenBSD on AWS

Laurent Bernaille
Laurent Bernaille

The story behind the OpenBSD AMI, and how it integrates with AWS, and a demo of dynamic VPN built using Consul (all running OpenBSD)

Tecnología
1 de 24
Descargar para leer sin conexión
OpenBSD and AWS September 23rd 2017EuroBSDcon
@eurobsdcon Who am I? 2 Laurent Bernaille @d2si • Linux background, getting to know OpenBSD • Cloud enthusiast • Love discovering, building (and breaking…) new things @lbernail
@eurobsdcon What is this presentation/demo about? OpenBSD and AWS • The first OpenBSD image and the ongoing work • The integration in the AWS ecosystem OpenBSD and microservices • How we can leverage OpenBSD for cloud applications • Examples and demo OpenBSD and me • A recent but interesting journey
@eurobsdcon OpenBSD on AWS First image by @ajacoutot (December 2015, in 5.9) • Not straightforward due to Xen support (network, disk in particular) • Intro: http://blog.d2-si.fr/2016/02/15/openbsd-on-aws/ • Details: https://github.com/ajacoutot/aws-openbsd • More details: http://www.openbsd.org/papers/bsdcan2016-xen.pdf => The image worked, but without EBS (disk) support at first => Xen support was not perfect An AWS hypervisor update broke the AMI (late 2016) Fixed in 6.1, thanks to Mike Belopuhov and @esdenera Many improvements in 6.2 (performances)
@eurobsdcon Let's have a look
@eurobsdcon Where does my public key come from? AWS exposes a metadata web server at http://169.254.169.254
@eurobsdcon OK but how did it get into authorized_keys? Linux distributions rely on cloud-init • http://cloudinit.readthedocs.io/ • Origin in ubuntu cloud • Cloud-init does a lot of things and is very Linux specific Enters ec2-init by @ajacoutot • Minimal cloud-init implementation • https://github.com/ajacoutot/aws-openbsd When is it run? • By netstart (very early in the boot process)
@eurobsdcon A quick look at ec2-init mock_pf open if [[ $(mock meta-data/instance-id) != $(cat /var/db/ec2-init 2>/dev/null) ]]; then ec2_instanceid ec2_pubkey ec2_hostname ec2_userdata ec2_fingerprints sysclean fi mock_pf close open pf to allow access to metadata server check if already configured write instance id to db file to set instance as "configured" write public key in authorized_keys file set hostname from AWS metadata execute userdata (more on that later) write rc.firsttime script to display ssh fingerprints after boot clean up instance (remove old ssh keys, logs, dhcp data)
@eurobsdcon What about this ec2-user? Standard behavior on AWS • No connection as root • ec2-user is used for Amazon Linux, Redhat, Fedora, Centos, FreeBSD • Debian uses "admin" and ubuntu, "ubuntu" ec2-user has unlimited doas with "nopass" $ cat /etc/doas.conf permit nopass ec2-user
@eurobsdcon Let's use this instance Install terraform $ pkg_info -Q terraform terraform-0.9.2 $ doas pkg_add terraform Terraform? • Describe infrastructure components and build them • « puppet » for infrastructure • Alternatives: cloudformation / heat OK let's set up something with it $ doas pkg_add git $ git clone git@github.com:lbernail/eurobsdcon2017.git $ terraform init $ terraform plan $ terraform apply
@eurobsdcon Under the hood Bastion eu-west-1a Public subnets Private subnets eu-west-1b Public subnets Private subnets resource "aws_vpc" "main" { cidr_block = "10.100.0.0/16" } resource "aws_subnet" "public" { vpc_id = "${aws_vpc.main.id}" cidr_block = "10.100.1.0/24" tags { Name = "Main" } } resource "aws_instance" "bastion" { ami = "${var.bastion_ami}" instance_type = "t2.micro” subnet_id = "${aws_subnet.public.id}" vpc_security_group_ids = [ "${aws_security_group.bastion.id}" ] tags { Name = "bastion" } }
@eurobsdcon 12 Bastion Public subnets NAT GW Public subnets Public subnets What did we just build? Private subnets Private subnetsPrivate subnets
@eurobsdcon 13 Bastion Public subnets NAT GW Public subnets Public subnets CAg (UI) CS Let’s create a consul cluster 10.0.128.100 consul0 CS 10.0.129.100 consul1 CS 10.0.130.100 consul2 10.0.128.200 consul-agent
@eurobsdcon A quick intro to consul From Hashicorp (authors of vagrant, packer, terraform, vault) Used for microservices • Service discovery • Key-value store for configuration Resilient • Distributed system • Built on RAFT
@eurobsdcon Let's look at it $ ssh 10.0.128.100 $ consul members
@eurobsdcon OK but how did it all get configured? Userdata: script to bootstrap AWS instances (executed by ec2-init) $ ftp -MVo - http://169.254.169.254/latest/user-data #!/bin/sh pkg_add consul cat > /etc/consul.d/config.json <<EOF { "bootstrap_expect": 3, "server": true, "node_name": "consul0", "retry_join_ec2" : { "tag_key": "ConsulCluster", "tag_value": "Consul" } } EOF rcctl enable consul cat >> /etc/rc.firsttime <<EOF rcctl start consul EOF install consul this node is a server called consul0 it will wait for 2 other servers to bootstrap cluster rely on AWS API to discover members - instances have a "tag" - instances have a role granting them access to AWS APIs "enable" writes to /etc/rc.conf.local but rc parses rc.conf.local very early so consul won't start => we use rc.firsttime
@eurobsdcon What can we do with this? Dynamic VPN configuration with consul-template • A companion tool to Consul • Watches for key changes in Consul • Generates a file from a template • Optionally executes a command when the file changes Let's build a VPN gateway $ cd ../vpn $ terraform init $ terraform apply
@eurobsdcon 18 Bastion Public subnets NAT GW Public subnets Public subnets CAg (UI) CS New architecture 10.0.128.100 consul0 CS 10.0.129.100 consul1 CS 10.0.130.100 consul2 10.0.128.200 consul-agent VPN 10.0.0.10
@eurobsdcon What is this VPN server? 1/2 $ ftp -MVo - http://169.254.169.254/latest/user-data #!/bin/sh rcctl enable ipsec rcctl enable isakmpd rcctl set isakmpd flags -K install -m 0600 /dev/null /etc/ipsec.conf pkg_add consul cat > /etc/consul.d/config.json <<EOF { "server": false, "node_name": "vpn", "retry_join_ec2" : { "tag_key": "ConsulCluster", "tag_value": "Consul" } } EOF enable ipsec install consul configure it as a client
@eurobsdcon What is this VPN server? 2/2 pkg_add consul-template cat > /etc/consul-template.d/default.conf << EOF consul { address = "127.0.0.1:8500" } template { source = "/etc/consul-template.d/ipsec.ctmpl" destination = "/etc/ipsec.conf" perms = 0600 command = "ipsecctl -f /etc/ipsec.conf || echo Invalid ipsec configuration" } EOF # Template cat > /etc/consul-template.d/ipsec.ctmpl << 'EOF' {{ range tree "vpn" | explode -}} {{ if and .cidrblock .endpoint .psk -}} ike esp from 10.0.0.0/16 to {{ .cidrblock }} peer {{ .endpoint }} srcid 34.252.210.92 psk "{{ .psk }}" {{ end -}} {{ end }} EOF install consul-template use local consul Template configuration - template file - target - command to execute on change template file to generate ipsec.conf
@eurobsdcon The template file {{ range tree "vpn" | explode -}} {{ if and .cidrblock .endpoint .psk -}} ike esp from 10.0.0.0/16 to {{ .cidrblock }} peer {{ .endpoint }} psk "{{ .psk }}" srcid 34.252.210.92 {{ end -}} {{ end }} get all keys under "vpn" iterate over them transform items in maps if we have values for all necessary keys generate ipsec configuration configuration keys local public IP (injected by terraform) vpn/ /us/ /cidrblock = 172.30.0.0/16 /endpoint = 32.32.32.32 /psk = demo ike esp from 10.0.0.0/16 to 172.30.0.0/16 peer 32.32.32.32 psk "demo" srcid 34.252.210.92
@eurobsdcon Let's look at this $ consul members $ rcctl check consul consul_template $ cat /etc/consul-template.d/ipsec.ctmpl $ doas cat /etc/ipsec.conf $ doas ipsecctl -s all
@eurobsdcon Building our VPN Bastion Public subnets NAT GW Public subnets Public subnets CAg (UI) CS 10.0.128.100 consul0 CS 10.0.129.100 consul1 CS 10.0.130.100 consul2 10.0.128.200 consul-agent VPN 10.0.0.10 Ireland, 10.0.0.0/16 Virginia, 172.30.0.0/16 EIP: 34.252.210.92 Demo 172.30.x.y allow ICMP from 10.0.0.0/16
@eurobsdcon Conclusion and perspectives What could be improved in this example • Security of consul: SSL / ACL My (limited) usage of OpenBSD on AWS • VPN Gateways • DNS proxies • And now consul • Many potential other use-cases Look at / Fork the code of this demo on github https://github.com/lbernail/eurobsdcon2017 Questions ? @lbernail

Recomendados

Scaling on AWS for the First 10 Million Users
Scaling on AWS for the First 10 Million UsersScaling on AWS for the First 10 Million Users
Scaling on AWS for the First 10 Million UsersAmazon Web Services
 
Detect Anomalies Using Amazon SageMaker (AIM420) - AWS re:Invent 2018
Detect Anomalies Using Amazon SageMaker (AIM420) - AWS re:Invent 2018Detect Anomalies Using Amazon SageMaker (AIM420) - AWS re:Invent 2018
Detect Anomalies Using Amazon SageMaker (AIM420) - AWS re:Invent 2018Amazon Web Services
 
Giving MongoDB a Way to Play with the GIS Community
Giving MongoDB a Way to Play with the GIS CommunityGiving MongoDB a Way to Play with the GIS Community
Giving MongoDB a Way to Play with the GIS CommunityMongoDB
 
Deep Dive on the AWS Storage Gateway - April 2017 AWS Online Tech Talks
Deep Dive on the AWS Storage Gateway - April 2017 AWS Online Tech TalksDeep Dive on the AWS Storage Gateway - April 2017 AWS Online Tech Talks
Deep Dive on the AWS Storage Gateway - April 2017 AWS Online Tech TalksAmazon Web Services
 
Build a Serverless Application using GraphQL & AWS AppSync
Build a Serverless Application using GraphQL & AWS AppSyncBuild a Serverless Application using GraphQL & AWS AppSync
Build a Serverless Application using GraphQL & AWS AppSyncAmazon Web Services
 
CI/CD on AWS
CI/CD on AWSCI/CD on AWS
CI/CD on AWSAmazon Web Services
 
AWS Code Services
AWS Code ServicesAWS Code Services
AWS Code ServicesAmazon Web Services
 
Amazon EMR Masterclass
Amazon EMR MasterclassAmazon EMR Masterclass
Amazon EMR MasterclassAmazon Web Services
 

Recomendados

Scaling on AWS for the First 10 Million Users
Scaling on AWS for the First 10 Million UsersScaling on AWS for the First 10 Million Users
Scaling on AWS for the First 10 Million UsersAmazon Web Services
 
Detect Anomalies Using Amazon SageMaker (AIM420) - AWS re:Invent 2018
Detect Anomalies Using Amazon SageMaker (AIM420) - AWS re:Invent 2018Detect Anomalies Using Amazon SageMaker (AIM420) - AWS re:Invent 2018
Detect Anomalies Using Amazon SageMaker (AIM420) - AWS re:Invent 2018Amazon Web Services
 
Giving MongoDB a Way to Play with the GIS Community
Giving MongoDB a Way to Play with the GIS CommunityGiving MongoDB a Way to Play with the GIS Community
Giving MongoDB a Way to Play with the GIS CommunityMongoDB
 
Deep Dive on the AWS Storage Gateway - April 2017 AWS Online Tech Talks
Deep Dive on the AWS Storage Gateway - April 2017 AWS Online Tech TalksDeep Dive on the AWS Storage Gateway - April 2017 AWS Online Tech Talks
Deep Dive on the AWS Storage Gateway - April 2017 AWS Online Tech TalksAmazon Web Services
 
Build a Serverless Application using GraphQL & AWS AppSync
Build a Serverless Application using GraphQL & AWS AppSyncBuild a Serverless Application using GraphQL & AWS AppSync
Build a Serverless Application using GraphQL & AWS AppSyncAmazon Web Services
 
CI/CD on AWS
CI/CD on AWSCI/CD on AWS
CI/CD on AWSAmazon Web Services
 
AWS Code Services
AWS Code ServicesAWS Code Services
AWS Code ServicesAmazon Web Services
 
Amazon EMR Masterclass
Amazon EMR MasterclassAmazon EMR Masterclass
Amazon EMR MasterclassAmazon Web Services
 
AWS May Webinar Series - Getting Started with Amazon EMR
AWS May Webinar Series - Getting Started with Amazon EMRAWS May Webinar Series - Getting Started with Amazon EMR
AWS May Webinar Series - Getting Started with Amazon EMRAmazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 
Following Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfFollowing Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfAmazon Web Services
 
GraalVM
GraalVMGraalVM
GraalVMNexThoughts Technologies
 
Cloud Native Java GraalVM 이상과 현실
Cloud Native Java GraalVM 이상과 현실Cloud Native Java GraalVM 이상과 현실
Cloud Native Java GraalVM 이상과 현실Taewan Kim
 
Let's discover React and Redux with TypeScript
Let's discover React and Redux with TypeScriptLet's discover React and Redux with TypeScript
Let's discover React and Redux with TypeScriptMathieu Savy
 
AWS CDK introduction
AWS CDK introductionAWS CDK introduction
AWS CDK introductionleo lapworth
 
Getting Started with AWS Database Migration Service
Getting Started with AWS Database Migration ServiceGetting Started with AWS Database Migration Service
Getting Started with AWS Database Migration ServiceAmazon Web Services
 
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018Amazon Web Services
 
C# conventions & good practices
C# conventions & good practicesC# conventions & good practices
C# conventions & good practicesTan Tran
 
Cloudformation101
Cloudformation101Cloudformation101
Cloudformation101Dave Pigliavento
 
Broadleaf Presents Thymeleaf
Broadleaf Presents ThymeleafBroadleaf Presents Thymeleaf
Broadleaf Presents ThymeleafBroadleaf Commerce
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAmazon Web Services
 
Using Amazon SageMaker to build, train, & deploy your ML Models
Using Amazon SageMaker to build, train, & deploy your ML ModelsUsing Amazon SageMaker to build, train, & deploy your ML Models
Using Amazon SageMaker to build, train, & deploy your ML ModelsAmazon Web Services
 
Puppet at Opera Sofware - PuppetCamp Oslo 2013
Puppet at Opera Sofware - PuppetCamp Oslo 2013Puppet at Opera Sofware - PuppetCamp Oslo 2013
Puppet at Opera Sofware - PuppetCamp Oslo 2013Cosimo Streppone
 
Amazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionAmazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionPaolo latella
 
Automating aws infrastructure and code deployments using Ansible @WebEngage
Automating aws infrastructure and code deployments using Ansible @WebEngageAutomating aws infrastructure and code deployments using Ansible @WebEngage
Automating aws infrastructure and code deployments using Ansible @WebEngageVishal Uderani
 
Agile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: IntroductionAgile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: IntroductionAgile Partner S.A.
 
Docker Multi-arch All The Things
Docker Multi-arch All The ThingsDocker Multi-arch All The Things
Docker Multi-arch All The ThingsDocker, Inc.
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725miguel dominguez
 
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Yevgeniy Brikman
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725MortazaJohari
 

Más contenido relacionado

La actualidad más candente

AWS May Webinar Series - Getting Started with Amazon EMR
AWS May Webinar Series - Getting Started with Amazon EMRAWS May Webinar Series - Getting Started with Amazon EMR
AWS May Webinar Series - Getting Started with Amazon EMRAmazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 
Following Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfFollowing Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfAmazon Web Services
 
Cloud Native Java GraalVM 이상과 현실
Cloud Native Java GraalVM 이상과 현실Cloud Native Java GraalVM 이상과 현실
Cloud Native Java GraalVM 이상과 현실Taewan Kim
 
Let's discover React and Redux with TypeScript
Let's discover React and Redux with TypeScriptLet's discover React and Redux with TypeScript
Let's discover React and Redux with TypeScriptMathieu Savy
 
AWS CDK introduction
AWS CDK introductionAWS CDK introduction
AWS CDK introductionleo lapworth
 
Getting Started with AWS Database Migration Service
Getting Started with AWS Database Migration ServiceGetting Started with AWS Database Migration Service
Getting Started with AWS Database Migration ServiceAmazon Web Services
 
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018Amazon Web Services
 
C# conventions & good practices
C# conventions & good practicesC# conventions & good practices
C# conventions & good practicesTan Tran
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAmazon Web Services
 
Using Amazon SageMaker to build, train, & deploy your ML Models
Using Amazon SageMaker to build, train, & deploy your ML ModelsUsing Amazon SageMaker to build, train, & deploy your ML Models
Using Amazon SageMaker to build, train, & deploy your ML ModelsAmazon Web Services
 

La actualidad más candente (14)

AWS May Webinar Series - Getting Started with Amazon EMR
AWS May Webinar Series - Getting Started with Amazon EMRAWS May Webinar Series - Getting Started with Amazon EMR
AWS May Webinar Series - Getting Started with Amazon EMR
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 
Following Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfFollowing Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdf
 
GraalVM
GraalVMGraalVM
GraalVM
 
Cloud Native Java GraalVM 이상과 현실
Cloud Native Java GraalVM 이상과 현실Cloud Native Java GraalVM 이상과 현실
Cloud Native Java GraalVM 이상과 현실
 
Let's discover React and Redux with TypeScript
Let's discover React and Redux with TypeScriptLet's discover React and Redux with TypeScript
Let's discover React and Redux with TypeScript
 
AWS CDK introduction
AWS CDK introductionAWS CDK introduction
AWS CDK introduction
 
Getting Started with AWS Database Migration Service
Getting Started with AWS Database Migration ServiceGetting Started with AWS Database Migration Service
Getting Started with AWS Database Migration Service
 
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
 
C# conventions & good practices
C# conventions & good practicesC# conventions & good practices
C# conventions & good practices
 
Cloudformation101
Cloudformation101Cloudformation101
Cloudformation101
 
Broadleaf Presents Thymeleaf
Broadleaf Presents ThymeleafBroadleaf Presents Thymeleaf
Broadleaf Presents Thymeleaf
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets Manager
 
Using Amazon SageMaker to build, train, & deploy your ML Models
Using Amazon SageMaker to build, train, & deploy your ML ModelsUsing Amazon SageMaker to build, train, & deploy your ML Models
Using Amazon SageMaker to build, train, & deploy your ML Models
 

Similar a Discovering OpenBSD on AWS

Puppet at Opera Sofware - PuppetCamp Oslo 2013
Puppet at Opera Sofware - PuppetCamp Oslo 2013Puppet at Opera Sofware - PuppetCamp Oslo 2013
Puppet at Opera Sofware - PuppetCamp Oslo 2013Cosimo Streppone
 
Amazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionAmazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionPaolo latella
 
Automating aws infrastructure and code deployments using Ansible @WebEngage
Automating aws infrastructure and code deployments using Ansible @WebEngageAutomating aws infrastructure and code deployments using Ansible @WebEngage
Automating aws infrastructure and code deployments using Ansible @WebEngageVishal Uderani
 
Agile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: IntroductionAgile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: IntroductionAgile Partner S.A.
 
Docker Multi-arch All The Things
Docker Multi-arch All The ThingsDocker Multi-arch All The Things
Docker Multi-arch All The ThingsDocker, Inc.
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725miguel dominguez
 
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Yevgeniy Brikman
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725MortazaJohari
 
OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud
OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloudOpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud
OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloudNetcetera
 
ContainerDayVietnam2016: Docker for JS Developer
ContainerDayVietnam2016: Docker for JS DeveloperContainerDayVietnam2016: Docker for JS Developer
ContainerDayVietnam2016: Docker for JS DeveloperDocker-Hanoi
 
AWS 기반 Docker, Kubernetes
AWS 기반 Docker, KubernetesAWS 기반 Docker, Kubernetes
AWS 기반 Docker, Kubernetes정빈 권
 
CoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdCoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdRichard Lister
 
Shipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerShipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerJérôme Petazzoni
 
How to create your own hack environment
How to create your own hack environmentHow to create your own hack environment
How to create your own hack environmentSumedt Jitpukdebodin
 
Ufo Ship for AWS ECS
Ufo Ship for AWS ECSUfo Ship for AWS ECS
Ufo Ship for AWS ECSTung Nguyen
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefMatt Ray
 
Build Your Own CaaS (Container as a Service)
Build Your Own CaaS (Container as a Service)Build Your Own CaaS (Container as a Service)
Build Your Own CaaS (Container as a Service)HungWei Chiu
 
Scaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container ServiceScaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container ServiceBen Hall
 

Similar a Discovering OpenBSD on AWS (20)

Puppet at Opera Sofware - PuppetCamp Oslo 2013
Puppet at Opera Sofware - PuppetCamp Oslo 2013Puppet at Opera Sofware - PuppetCamp Oslo 2013
Puppet at Opera Sofware - PuppetCamp Oslo 2013
 
Amazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionAmazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to production
 
Automating aws infrastructure and code deployments using Ansible @WebEngage
Automating aws infrastructure and code deployments using Ansible @WebEngageAutomating aws infrastructure and code deployments using Ansible @WebEngage
Automating aws infrastructure and code deployments using Ansible @WebEngage
 
Agile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: IntroductionAgile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: Introduction
 
Docker Multi-arch All The Things
Docker Multi-arch All The ThingsDocker Multi-arch All The Things
Docker Multi-arch All The Things
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725
 
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725
 
OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud
OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloudOpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud
OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud
 
Sheep it
Sheep itSheep it
Sheep it
 
ContainerDayVietnam2016: Docker for JS Developer
ContainerDayVietnam2016: Docker for JS DeveloperContainerDayVietnam2016: Docker for JS Developer
ContainerDayVietnam2016: Docker for JS Developer
 
AWS 기반 Docker, Kubernetes
AWS 기반 Docker, KubernetesAWS 기반 Docker, Kubernetes
AWS 기반 Docker, Kubernetes
 
CoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdCoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love Systemd
 
Shipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerShipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with Docker
 
How to create your own hack environment
How to create your own hack environmentHow to create your own hack environment
How to create your own hack environment
 
Ufo Ship for AWS ECS
Ufo Ship for AWS ECSUfo Ship for AWS ECS
Ufo Ship for AWS ECS
 
One-Man Ops
One-Man OpsOne-Man Ops
One-Man Ops
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and Chef
 
Build Your Own CaaS (Container as a Service)
Build Your Own CaaS (Container as a Service)Build Your Own CaaS (Container as a Service)
Build Your Own CaaS (Container as a Service)
 
Scaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container ServiceScaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container Service
 

Más de Laurent Bernaille

How the OOM Killer Deleted My Namespace
How the OOM Killer Deleted My NamespaceHow the OOM Killer Deleted My Namespace
How the OOM Killer Deleted My NamespaceLaurent Bernaille
 
Kubernetes DNS Horror Stories
Kubernetes DNS Horror StoriesKubernetes DNS Horror Stories
Kubernetes DNS Horror StoriesLaurent Bernaille
 
Evolution of kube-proxy (Brussels, Fosdem 2020)
Evolution of kube-proxy (Brussels, Fosdem 2020)Evolution of kube-proxy (Brussels, Fosdem 2020)
Evolution of kube-proxy (Brussels, Fosdem 2020)Laurent Bernaille
 
Making the most out of kubernetes audit logs
Making the most out of kubernetes audit logsMaking the most out of kubernetes audit logs
Making the most out of kubernetes audit logsLaurent Bernaille
 
Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Laurent Bernaille
 
Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019Laurent Bernaille
 
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...Laurent Bernaille
 
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!Laurent Bernaille
 
Optimizing kubernetes networking
Optimizing kubernetes networkingOptimizing kubernetes networking
Optimizing kubernetes networkingLaurent Bernaille
 
Kubernetes at Datadog the very hard way
Kubernetes at Datadog the very hard wayKubernetes at Datadog the very hard way
Kubernetes at Datadog the very hard wayLaurent Bernaille
 
Deep Dive in Docker Overlay Networks
Deep Dive in Docker Overlay NetworksDeep Dive in Docker Overlay Networks
Deep Dive in Docker Overlay NetworksLaurent Bernaille
 
Deeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay NetworksDeeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay NetworksLaurent Bernaille
 
Operational challenges behind Serverless architectures
Operational challenges behind Serverless architecturesOperational challenges behind Serverless architectures
Operational challenges behind Serverless architecturesLaurent Bernaille
 
Deep dive in Docker Overlay Networks
Deep dive in Docker Overlay NetworksDeep dive in Docker Overlay Networks
Deep dive in Docker Overlay NetworksLaurent Bernaille
 
Feedback on AWS re:invent 2016
Feedback on AWS re:invent 2016Feedback on AWS re:invent 2016
Feedback on AWS re:invent 2016Laurent Bernaille
 
Early recognition of encryted applications
Early recognition of encryted applicationsEarly recognition of encryted applications
Early recognition of encryted applicationsLaurent Bernaille
 
Early application identification. CONEXT 2006
Early application identification. CONEXT 2006Early application identification. CONEXT 2006
Early application identification. CONEXT 2006Laurent Bernaille
 

Más de Laurent Bernaille (17)

How the OOM Killer Deleted My Namespace
How the OOM Killer Deleted My NamespaceHow the OOM Killer Deleted My Namespace
How the OOM Killer Deleted My Namespace
 
Kubernetes DNS Horror Stories
Kubernetes DNS Horror StoriesKubernetes DNS Horror Stories
Kubernetes DNS Horror Stories
 
Evolution of kube-proxy (Brussels, Fosdem 2020)
Evolution of kube-proxy (Brussels, Fosdem 2020)Evolution of kube-proxy (Brussels, Fosdem 2020)
Evolution of kube-proxy (Brussels, Fosdem 2020)
 
Making the most out of kubernetes audit logs
Making the most out of kubernetes audit logsMaking the most out of kubernetes audit logs
Making the most out of kubernetes audit logs
 
Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019
 
Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019
 
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...
 
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!
 
Optimizing kubernetes networking
Optimizing kubernetes networkingOptimizing kubernetes networking
Optimizing kubernetes networking
 
Kubernetes at Datadog the very hard way
Kubernetes at Datadog the very hard wayKubernetes at Datadog the very hard way
Kubernetes at Datadog the very hard way
 
Deep Dive in Docker Overlay Networks
Deep Dive in Docker Overlay NetworksDeep Dive in Docker Overlay Networks
Deep Dive in Docker Overlay Networks
 
Deeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay NetworksDeeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay Networks
 
Operational challenges behind Serverless architectures
Operational challenges behind Serverless architecturesOperational challenges behind Serverless architectures
Operational challenges behind Serverless architectures
 
Deep dive in Docker Overlay Networks
Deep dive in Docker Overlay NetworksDeep dive in Docker Overlay Networks
Deep dive in Docker Overlay Networks
 
Feedback on AWS re:invent 2016
Feedback on AWS re:invent 2016Feedback on AWS re:invent 2016
Feedback on AWS re:invent 2016
 
Early recognition of encryted applications
Early recognition of encryted applicationsEarly recognition of encryted applications
Early recognition of encryted applications
 
Early application identification. CONEXT 2006
Early application identification. CONEXT 2006Early application identification. CONEXT 2006
Early application identification. CONEXT 2006
 

Último

Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 

Último (20)

Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 

Discovering OpenBSD on AWS

  • 1. OpenBSD and AWS September 23rd 2017EuroBSDcon
  • 2. @eurobsdcon Who am I? 2 Laurent Bernaille @d2si • Linux background, getting to know OpenBSD • Cloud enthusiast • Love discovering, building (and breaking…) new things @lbernail
  • 3. @eurobsdcon What is this presentation/demo about? OpenBSD and AWS • The first OpenBSD image and the ongoing work • The integration in the AWS ecosystem OpenBSD and microservices • How we can leverage OpenBSD for cloud applications • Examples and demo OpenBSD and me • A recent but interesting journey
  • 4. @eurobsdcon OpenBSD on AWS First image by @ajacoutot (December 2015, in 5.9) • Not straightforward due to Xen support (network, disk in particular) • Intro: http://blog.d2-si.fr/2016/02/15/openbsd-on-aws/ • Details: https://github.com/ajacoutot/aws-openbsd • More details: http://www.openbsd.org/papers/bsdcan2016-xen.pdf => The image worked, but without EBS (disk) support at first => Xen support was not perfect An AWS hypervisor update broke the AMI (late 2016) Fixed in 6.1, thanks to Mike Belopuhov and @esdenera Many improvements in 6.2 (performances)
  • 6. @eurobsdcon Where does my public key come from? AWS exposes a metadata web server at http://169.254.169.254
  • 7. @eurobsdcon OK but how did it get into authorized_keys? Linux distributions rely on cloud-init • http://cloudinit.readthedocs.io/ • Origin in ubuntu cloud • Cloud-init does a lot of things and is very Linux specific Enters ec2-init by @ajacoutot • Minimal cloud-init implementation • https://github.com/ajacoutot/aws-openbsd When is it run? • By netstart (very early in the boot process)
  • 8. @eurobsdcon A quick look at ec2-init mock_pf open if [[ $(mock meta-data/instance-id) != $(cat /var/db/ec2-init 2>/dev/null) ]]; then ec2_instanceid ec2_pubkey ec2_hostname ec2_userdata ec2_fingerprints sysclean fi mock_pf close open pf to allow access to metadata server check if already configured write instance id to db file to set instance as "configured" write public key in authorized_keys file set hostname from AWS metadata execute userdata (more on that later) write rc.firsttime script to display ssh fingerprints after boot clean up instance (remove old ssh keys, logs, dhcp data)
  • 9. @eurobsdcon What about this ec2-user? Standard behavior on AWS • No connection as root • ec2-user is used for Amazon Linux, Redhat, Fedora, Centos, FreeBSD • Debian uses "admin" and ubuntu, "ubuntu" ec2-user has unlimited doas with "nopass" $ cat /etc/doas.conf permit nopass ec2-user
  • 10. @eurobsdcon Let's use this instance Install terraform $ pkg_info -Q terraform terraform-0.9.2 $ doas pkg_add terraform Terraform? • Describe infrastructure components and build them • « puppet » for infrastructure • Alternatives: cloudformation / heat OK let's set up something with it $ doas pkg_add git $ git clone git@github.com:lbernail/eurobsdcon2017.git $ terraform init $ terraform plan $ terraform apply
  • 11. @eurobsdcon Under the hood Bastion eu-west-1a Public subnets Private subnets eu-west-1b Public subnets Private subnets resource "aws_vpc" "main" { cidr_block = "10.100.0.0/16" } resource "aws_subnet" "public" { vpc_id = "${aws_vpc.main.id}" cidr_block = "10.100.1.0/24" tags { Name = "Main" } } resource "aws_instance" "bastion" { ami = "${var.bastion_ami}" instance_type = "t2.micro” subnet_id = "${aws_subnet.public.id}" vpc_security_group_ids = [ "${aws_security_group.bastion.id}" ] tags { Name = "bastion" } }
  • 12. @eurobsdcon 12 Bastion Public subnets NAT GW Public subnets Public subnets What did we just build? Private subnets Private subnetsPrivate subnets
  • 13. @eurobsdcon 13 Bastion Public subnets NAT GW Public subnets Public subnets CAg (UI) CS Let’s create a consul cluster 10.0.128.100 consul0 CS 10.0.129.100 consul1 CS 10.0.130.100 consul2 10.0.128.200 consul-agent
  • 14. @eurobsdcon A quick intro to consul From Hashicorp (authors of vagrant, packer, terraform, vault) Used for microservices • Service discovery • Key-value store for configuration Resilient • Distributed system • Built on RAFT
  • 15. @eurobsdcon Let's look at it $ ssh 10.0.128.100 $ consul members
  • 16. @eurobsdcon OK but how did it all get configured? Userdata: script to bootstrap AWS instances (executed by ec2-init) $ ftp -MVo - http://169.254.169.254/latest/user-data #!/bin/sh pkg_add consul cat > /etc/consul.d/config.json <<EOF { "bootstrap_expect": 3, "server": true, "node_name": "consul0", "retry_join_ec2" : { "tag_key": "ConsulCluster", "tag_value": "Consul" } } EOF rcctl enable consul cat >> /etc/rc.firsttime <<EOF rcctl start consul EOF install consul this node is a server called consul0 it will wait for 2 other servers to bootstrap cluster rely on AWS API to discover members - instances have a "tag" - instances have a role granting them access to AWS APIs "enable" writes to /etc/rc.conf.local but rc parses rc.conf.local very early so consul won't start => we use rc.firsttime
  • 17. @eurobsdcon What can we do with this? Dynamic VPN configuration with consul-template • A companion tool to Consul • Watches for key changes in Consul • Generates a file from a template • Optionally executes a command when the file changes Let's build a VPN gateway $ cd ../vpn $ terraform init $ terraform apply
  • 18. @eurobsdcon 18 Bastion Public subnets NAT GW Public subnets Public subnets CAg (UI) CS New architecture 10.0.128.100 consul0 CS 10.0.129.100 consul1 CS 10.0.130.100 consul2 10.0.128.200 consul-agent VPN 10.0.0.10
  • 19. @eurobsdcon What is this VPN server? 1/2 $ ftp -MVo - http://169.254.169.254/latest/user-data #!/bin/sh rcctl enable ipsec rcctl enable isakmpd rcctl set isakmpd flags -K install -m 0600 /dev/null /etc/ipsec.conf pkg_add consul cat > /etc/consul.d/config.json <<EOF { "server": false, "node_name": "vpn", "retry_join_ec2" : { "tag_key": "ConsulCluster", "tag_value": "Consul" } } EOF enable ipsec install consul configure it as a client
  • 20. @eurobsdcon What is this VPN server? 2/2 pkg_add consul-template cat > /etc/consul-template.d/default.conf << EOF consul { address = "127.0.0.1:8500" } template { source = "/etc/consul-template.d/ipsec.ctmpl" destination = "/etc/ipsec.conf" perms = 0600 command = "ipsecctl -f /etc/ipsec.conf || echo Invalid ipsec configuration" } EOF # Template cat > /etc/consul-template.d/ipsec.ctmpl << 'EOF' {{ range tree "vpn" | explode -}} {{ if and .cidrblock .endpoint .psk -}} ike esp from 10.0.0.0/16 to {{ .cidrblock }} peer {{ .endpoint }} srcid 34.252.210.92 psk "{{ .psk }}" {{ end -}} {{ end }} EOF install consul-template use local consul Template configuration - template file - target - command to execute on change template file to generate ipsec.conf
  • 21. @eurobsdcon The template file {{ range tree "vpn" | explode -}} {{ if and .cidrblock .endpoint .psk -}} ike esp from 10.0.0.0/16 to {{ .cidrblock }} peer {{ .endpoint }} psk "{{ .psk }}" srcid 34.252.210.92 {{ end -}} {{ end }} get all keys under "vpn" iterate over them transform items in maps if we have values for all necessary keys generate ipsec configuration configuration keys local public IP (injected by terraform) vpn/ /us/ /cidrblock = 172.30.0.0/16 /endpoint = 32.32.32.32 /psk = demo ike esp from 10.0.0.0/16 to 172.30.0.0/16 peer 32.32.32.32 psk "demo" srcid 34.252.210.92
  • 22. @eurobsdcon Let's look at this $ consul members $ rcctl check consul consul_template $ cat /etc/consul-template.d/ipsec.ctmpl $ doas cat /etc/ipsec.conf $ doas ipsecctl -s all
  • 23. @eurobsdcon Building our VPN Bastion Public subnets NAT GW Public subnets Public subnets CAg (UI) CS 10.0.128.100 consul0 CS 10.0.129.100 consul1 CS 10.0.130.100 consul2 10.0.128.200 consul-agent VPN 10.0.0.10 Ireland, 10.0.0.0/16 Virginia, 172.30.0.0/16 EIP: 34.252.210.92 Demo 172.30.x.y allow ICMP from 10.0.0.0/16
  • 24. @eurobsdcon Conclusion and perspectives What could be improved in this example • Security of consul: SSL / ACL My (limited) usage of OpenBSD on AWS • VPN Gateways • DNS proxies • And now consul • Many potential other use-cases Look at / Fork the code of this demo on github https://github.com/lbernail/eurobsdcon2017 Questions ? @lbernail