Normation – 87 rue de Turbigo, 75003 PARIS, France
contact@normation.com – +33 1.83.62.26.96 – http://www.normation.com/ 1
Best Practices for long-term Rudder usage in Production
Configuration Management Camp 2018
Policy Design for Sustainability
● Policy Design
● Rudder Usage
Naming things
● Searchability
○ Example: multidimensional names (i.e. everything “SAP”, every “Config” directive, “name_of_some_os_file”)
○ Can now also use tags for this kind of information, especially key-value tags (“Application”: “HAProxy”, “Type”: “Config”, “Team”: “X”, etc.)
● Consistency
○ Need to define a regex and document how to “build a name”, or people will struggle or not bother
Separate “Code” from Data
● Security: do not allow any infra data or secrets anywhere in techniques. Use variables or properties to inject them.
● Node properties with sane defaults; use the JS engine to avoid duplication:
“${rudder.node.hostname}”.substring(0,3)
● Synchronize data instead of duplicating it (datasources plugin)
● Use Global parameters
● Use Technique parameters (4.3)
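The first bullet (no infra data or secrets inside a technique) is easy to state and easy to violate, so it pays to check technique files mechanically before they are committed. The script below is an added example, not code from the slides or from Rudder: it flags literal IPv4 addresses and password/secret/token/key assignments whose value is not a `${...}` variable or property reference. The sample files it scans are constructed, in a generic key = value form rather than a real Rudder technique format, and the regexes are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: flag infra data or secrets written
# literally into a technique file. Values injected via Rudder variables or
# properties (${...} references) are allowed; literals are reported.
# The key = value layout of the sample files is a constructed, generic form,
# not a real Rudder technique format.

# scan_technique FILE
# Prints each offending line (with its line number) to stdout.
# Returns 0 when the file is clean, 1 when at least one literal was found.
scan_technique() {
  file="$1"
  found=0
  # Literal IPv4 addresses: infra data that belongs in node properties,
  # global parameters or technique parameters, not in the technique itself
  if grep -nE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$file"; then
    found=1
  fi
  # password/secret/token/key assignments whose value does not start with a
  # ${...} reference (an optional opening quote before the $ is tolerated)
  if grep -niE '(password|passwd|secret|token|api_?key)[[:space:]]*[:=][[:space:]]*"?[^"$[:space:]]' "$file"; then
    found=1
  fi
  return $found
}

# Demonstration on constructed sample files
demo() {
  dir=$(mktemp -d)
  printf 'bind_addr = "${node.properties[bind_addr]}"\ndb_password = "${node.properties[db_pass]}"\n' > "$dir/clean.st"
  printf 'bind_addr = "10.0.0.12"\ndb_password = "hunter2"\n' > "$dir/dirty.st"
  for f in "$dir/clean.st" "$dir/dirty.st"; do
    if scan_technique "$f"; then
      echo "$f: clean"
    else
      echo "$f: contains data that should be a variable or property"
    fi
  done
  rm -rf "$dir"
}

demo
```

Run it as a pre-commit hook on the technique files in the configuration repository; the non-zero exit code is what blocks the commit, and the printed line numbers tell the author which value to move into a property, a global parameter or a technique parameter.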
Technique parameters
Classifying Nodes
● Make technical groups from inventory (“Debian 9.2”, “Physical Node”, etc.)
● Make business groups from inventory or properties (“Production”, “Load Balancer”, etc.)
● Use the “In Group” criterion to avoid duplicating criteria (4.3)
● Use the lifecycle state (4.3) for a node's state regarding Rudder
Designing Rules
● Optimize your directives so that they can be attached to N rules as needed (opt-in, i.e. for things like X11 libs or compiler bundles)
Technique Editor
● State vs. Script
● Only use repaired conditions to trigger actions when strictly necessary; use check methods or idempotent scripts when possible. A repaired condition is only defined during one run and might never be defined again. If the run is interrupted or the conditioned method fails, your policy will not be fully applied, and this will not be visible in the displayed compliance.
● Wrap unix commands etc. into wrapper scripts that DO THEIR JOB, i.e. fully abstract the application commands so as to know whether they are kept, changed or in error
● Sort by method, not by flow (all files, all permissions, all executions). You're not scripting, you're drawing a blueprint!
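A wrapper script that “does its job” checks the current state first, changes it only when needed, and tells the caller which of the three things happened. The script below is an added example, not from the slides or from Rudder: it ensures a line is present in a file and reports kept, repaired or error through its exit code. The exit-code convention (0 kept, 1 repaired, 2 error) is this example's own choice; in a technique, map those codes to Rudder outcomes with the generic method that consumes command exit codes (for instance command_execution_result with its kept/repaired code lists), rather than chaining a follow-up method on a repaired condition. The file name and line are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: a wrapper script that "does its job",
# i.e. checks the current state before acting and reports the outcome through
# its exit code, so the technique knows whether the item was kept, repaired
# or in error without depending on a repaired condition from an earlier method.
#
# Exit-code convention (this example's own choice, to be mapped to Rudder
# outcomes by the generic method that consumes command exit codes):
#   0 = kept (already compliant)   1 = repaired (state was changed)   2 = error

# outcome_name CODE -> the word Rudder uses for that outcome
outcome_name() {
  case "$1" in
    0) echo kept ;;
    1) echo repaired ;;
    *) echo error ;;
  esac
}

# ensure_line FILE LINE
# Guarantees that FILE contains LINE as a whole line.
ensure_line() {
  file="$1"
  line="$2"
  # Error: nowhere to write; report it instead of silently doing nothing
  [ -d "$(dirname "$file")" ] || return 2
  # Kept: the exact line is already present, nothing to do (idempotent path)
  if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
    return 0
  fi
  # Repaired: append the line; a failed write is an error, not a repair
  printf '%s\n' "$line" >> "$file" || return 2
  return 1
}

# Demonstration on a constructed temporary file: the first call repairs,
# the second is kept, and a missing directory is reported as an error.
demo() {
  dir=$(mktemp -d)
  for target in "$dir/sysctl.conf" "$dir/sysctl.conf" "$dir/missing/sysctl.conf"; do
    rc=0
    ensure_line "$target" "net.ipv4.ip_forward = 0" || rc=$?
    echo "$target: $(outcome_name "$rc")"
  done
  rm -rf "$dir"
}

demo
```

Because the script is idempotent and reports its own outcome, running it on every agent run is safe, and an interrupted run simply produces a repair on the next one instead of a lost repaired condition.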
Technique Editor
● Limit Complexity
● Maintain strict independence between different techniques (conditions, variables, etc.)
● Only 1st-level dependencies; if there are more than 3 dependencies on something, raise a well-named condition for it (might incur one more agent run)
● Break apart package install, configuration (and sometimes even split out daemon management) and communications (server registration etc.)
Technique Editor
● Limit Complexity
● Do not have more than ~10 methods in a technique; it becomes unmaintainable
● Use iterators. They create bad reports, but at some point we'll get you to fix that. Package policies without iterators are unmaintainable, and other things benefit too
Managing File Content
● Have very precise headers for managed files (“this file is managed in whole by Rudder rule X, directive Y; do not edit here”)
● Comment distributed files
● Prefer templating/copy over edits: easier to maintain, avoids partial application and undefined variables, and the state definition is absolute, not relative to the previous state.
● The File content technique is useful for complex cases. Use sections to limit complexity
Safety Checks
● File copy with check (next minor); more generally, use linters/check commands
● Safety checks on variable content for important policies, sane defaults when possible.
● Use audit mode to assess the current state on nodes (for existing nodes or items that were not Rudder-controlled before)
● Use runtime conditions to unlock dangerous parts of a policy with:
rudder agent run -D allow_cryptfs_setup
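The two preceding slides (Managing File Content, Safety Checks) describe one workflow: render a whole file from a template with a precise header, validate the variables that go into it (with sane defaults), check the result, and only then install it. The script below is an added example that puts those steps together; it is not from the slides or from Rudder. The `@NAME@` placeholder syntax, the validation rules, the exit codes and the rule/directive names are this example's own choices, not Rudder's template format, and the template is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: render a managed file from a template
# with a precise "managed by Rudder" header, validate the injected variables
# (falling back to sane defaults), and check the result before installing it.
# The @NAME@ placeholder syntax, the validation rules and the rule/directive
# names are this example's own choices, not Rudder's template format.

# valid_port VALUE -> 0 if VALUE is an integer in 1..65535
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_hostname VALUE -> 0 if VALUE is a plausible host name (no shell or
# sed metacharacters can pass, which also keeps the substitution below safe)
valid_hostname() {
  printf '%s' "$1" | grep -qE '^[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$'
}

# render_managed_file TEMPLATE DEST RULE DIRECTIVE [PORT] [BACKEND]
# Exit codes: 0 = kept (DEST already identical), 1 = repaired (DEST written),
# 2 = invalid input or failed check (DEST left untouched).
render_managed_file() {
  template="$1"; dest="$2"; rule="$3"; directive="$4"
  port="${5:-8080}"           # sane default when the property is empty
  backend="${6:-localhost}"   # idem
  valid_port "$port" || return 2
  valid_hostname "$backend" || return 2
  tmp="$dest.rudder-tmp"
  {
    printf '# Managed in whole by Rudder: rule "%s", directive "%s".\n' "$rule" "$directive"
    printf '# Do not edit here: changes are overwritten at the next agent run.\n'
    sed -e "s/@PORT@/$port/g" -e "s/@BACKEND@/$backend/g" "$template"
  } > "$tmp" || { rm -f "$tmp"; return 2; }
  # Check before install: a surviving placeholder means an undefined variable
  if grep -q '@[A-Z_]*@' "$tmp"; then
    rm -f "$tmp"
    return 2
  fi
  # Absolute state: the whole file is compared, not a line edited in place
  if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
    rm -f "$tmp"
    return 0
  fi
  mv "$tmp" "$dest" && return 1
  return 2
}

# Demonstration on a constructed template: repaired, then kept, then rejected
demo() {
  dir=$(mktemp -d)
  printf 'listen @PORT@\nbackend @BACKEND@\n' > "$dir/app.tpl"
  for port in 8443 8443 99999; do
    rc=0
    render_managed_file "$dir/app.tpl" "$dir/app.conf" web app-config "$port" app01.internal || rc=$?
    echo "port=$port -> exit $rc"
  done
  cat "$dir/app.conf"
  rm -rf "$dir"
}

demo
```

The placeholder check is the cheap stand-in for a real linter or check command (a config syntax check for the application would go in the same place), and the whole-file comparison is what makes the state absolute: an invalid variable leaves the previously installed file in place instead of producing a half-edited one.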
● Policy Design
● Rudder Usage
Testing
● Dedicated testing environments, and testing nodes in prod environments
○ Need one testing node per relay; allows for end-to-end tests PLUS continuous regression testing
○ QA env size recommendation 5%-15%, Test env size 1%
Traceability and Auditability
● Use the audit log messages (tail -f during changes; ship them to Elasticsearch / Splunk)
● Maintain distributed files and templates in a VCS repository (this can be the configuration-repository) with a proper log/review process
● Add documentation in description fields, links to external resources
● Your Rudder config is to your infra what a VCS repository is to your code
Questions?
