Rudder has recently gained a lot of new features allowing more flexible configuration, including data management with properties and dict data types, templating capabilities, and plugins to integrate external data, and this will continue in 2018 with parameters for techniques, new group criteria, etc. We also added support for another agent implementation. We will see how to take advantage of these new abilities, both for improving an existing configuration and for setting up a new project, covering:
- Node classification
- Data management
- Configuration rules design and management
- Best practices for safety
- Policy design for sustainability
1. Normation – 87 rue de Turbigo, 75003 PARIS, France
contact@normation.com – +33 1.83.62.26.96 – http://www.normation.com/ 1
Best Practices for long-term Rudder usage in Production
Configuration Management Camp 2018
Policy Design for Sustainability
● Policy Design
● Rudder Usage
Naming things
● Searchability
○ Example: multidimensional names (i.e. everything “SAP”, every “Config” directive, “name_of_some_os_file”)
○ Can now also use tags for this kind of information, especially key-value tags (“Application”: “HAProxy”, “Type”: “Config”, “Team”: “X”, etc.)
● Consistency
○ Need to define a regex & document how to “build a name”, or people will struggle / not bother
Separate “Code” from Data
● Security: do not allow any infra data or secrets anywhere in techniques. Use variables or properties to inject them.
● Node properties with sane defaults; use the JS engine to avoid duplication:
"${rudder.node.hostname}".substring(0,3)
● Synchronize data instead of duplicating it (datasources plugin)
● Use Global parameters
● Use Technique parameters (4.3)
Technique parameters
Classifying Nodes
● Make technical groups from inventory (“Debian 9.2”, “Physical Node”, etc.)
● Make business groups from inventory or properties (“Production”, “Load Balancer”, etc.)
● Use the “In Group” criterion to avoid duplicating criteria (4.3)
● Use lifecycle state (4.3) for node state regarding Rudder
Designing Rules
● Optimize your directives so that they can be attached to N rules as needed (opt-in, i.e. for things like X11 libs or compiler bundles)
Technique Editor
● State vs. Script
● Only use repaired conditions to trigger actions when strictly necessary; use check methods or idempotent scripts when possible. A repaired condition will only be defined during one run and might never be defined again. If the run is interrupted or the conditioned method fails, your policy will not be fully applied, and this will not be visible in the displayed compliance.
● Wrap unix commands etc. into wrapper scripts that DO THEIR JOB, i.e. fully abstract the application commands so that you know whether they are kept, changed or in error
● Sort by method, not by flow (all files, all permissions, all executions). You’re not scripting, you’re drawing a blueprint!
Technique Editor
● Limit Complexity
● Maintain strict independence between different techniques (conditions, variables, etc.)
● Only 1st level dependencies; if there are >3 dependencies on something, raise a well-named condition for it (might incur one more agent run)
● Break apart package install, configuration (and sometimes even split out daemon management) and communications (server registration etc.)
Technique Editor
● Limit Complexity
● Do not have > ~10 methods in a technique, it becomes unmaintainable
● Use iterators - it creates bad reports but at some point we’ll get you to fix that. Package policies without iterators are unmaintainable, and other things benefit
Managing File Content
● Have very precise headers for managed files (“file is managed in whole by Rudder rule X directive Y, do not edit here”)
● Comment distributed files
● Prefer templating/copy over edits: easier to maintain, avoids partial application and undefined variables, and the state definition is absolute, not relative to the previous state.
● File content technique useful for complex cases. Use sections to limit complexity
Safety Checks
● file copy with check (next minor); more generally, use linters/check commands
● Safety checks on variable content for important policies, sane defaults when possible.
● Use audit mode to assess current state on nodes (for existing nodes or items that were not Rudder-controlled before)
● Use runtime conditions to unlock dangerous parts of policy with:
rudder agent run -D allow_cryptfs_setup
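As an added example (not from the slides, and not Rudder's own code) serving both the “wrapper scripts that DO THEIR JOB” advice in the Technique Editor slide and the safety checks on variable content above: a POSIX sh skeleton that checks, applies, re-checks, and returns a distinct exit code per outcome, so that the calling method can report kept, repaired or error honestly. The function names and the 0/1/2 exit-code convention are assumptions chosen here; they are meant to be handed to a method that maps exit codes to outcomes, such as command_execution_result with its kept/repaired code lists.

```shell
#!/bin/sh
# Added example, not from the slides: a wrapper that checks, applies,
# re-checks, and returns a distinct exit code per outcome so a Rudder
# method mapping exit codes (command_execution_result's kept/repaired
# code lists) gets an honest kept / repaired / error report.
# The 0/1/2 values below are a convention chosen for this example.
KEPT=0
REPAIRED=1
ERROR=2

# ensure_state "<check command>" "<apply command>"
# Both arguments are shell command strings run through eval.
ensure_state() {
    check="$1"
    apply="$2"
    if eval "$check" >/dev/null 2>&1; then
        echo "kept: $check"
        return $KEPT
    fi
    if ! eval "$apply" >/dev/null 2>&1; then
        echo "error: apply failed: $apply" >&2
        return $ERROR
    fi
    # Re-check after applying: a change that did not converge is an
    # error, not a repair, so it shows up in compliance as such.
    if eval "$check" >/dev/null 2>&1; then
        echo "repaired: $apply"
        return $REPAIRED
    fi
    echo "error: state not reached after apply: $check" >&2
    return $ERROR
}

# ensure_mode <path> <mode>: validates the variable content first (a
# safety check before touching anything), then delegates to ensure_state.
# Assumes GNU stat (-c %a), i.e. Linux nodes.
ensure_mode() {
    path="$1"
    mode="$2"
    case "$mode" in
        [0-7][0-7][0-7]) ;;
        *) echo "error: refusing invalid mode '$mode'" >&2; return $ERROR ;;
    esac
    [ -e "$path" ] || { echo "error: $path does not exist" >&2; return $ERROR; }
    ensure_state "[ \"\$(stat -c %a '$path')\" = '$mode' ]" "chmod '$mode' '$path'"
}
```

Running ensure_mode twice on the same file gives exit 1 (repaired) then exit 0 (kept); a malformed mode or a missing path returns 2 before anything is changed.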
● Policy Design
● Rudder Usage
Testing
● Dedicated testing environments, and testing nodes in prod environments
○ Need one testing node per relay; allows for end-to-end tests PLUS continuous regression testing
○ QA env size recommendation 5%-15%, Test env size 1%
Traceability and Auditability
● Use the audit log messages (tail -f during change, elasticsearch / splunk them)
● Maintain distributed files and templates in a VCS repository (that can be the configuration-repository) with proper log/review process
● Add documentation in description fields, links to external resources
● Your Rudder config is to your infra what a VCS repository is to your code
Questions?