Cloudy with a Chance of Fireballs: Provisioning and Certificate Management in Puppet - PuppetConf 2014


  1. Cloudy with a chance of Fireballs: Managing Trusted Instances in the Cloud (2014). Eric Sorenson, eric.sorenson@puppetlabs.com
  2. Agenda:
     - What's the problem?
     - Why you might care
     - End to End Overview
     - Walkthrough w/ AWS
     - Related work
  3. What's the problem?
  4. What's the REAL problem?
  6. Why you might care
  11. End to End Overview:

      ```
      +-------------------------------+       +-----------+
      |                               |       |           |
      |        Amazon EC2 API         <-------+provisioner|
      +---------------------^---------+       +-----------+
                            |
      +-------+     +-------+--------+
      |       |     |                |
      | node1 +-----> puppetmaster   |
      +-------+     +----------------+
      ```

      Follow along at home: https://github.com/ahpook/mrzarquon-certsigner/tree/eric0-wip
  12. Prerequisites:

      ```
      +----------------------------+        Prerequisites:
      |                            |        - Puppetmaster w/IAM credentials
      |  Amazon EC2 API            | <--+     and autosign policy configured
      |                            |    |
      +----------------------------+    |   - AMI with user-data install or
                                            preloaded agent+ec2-utils, IAM policy
                                            permitting query tags
      ```
  13. IAM policy for the puppetmaster (only needs to query tags):

      ```json
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Stmt1411031868000",
            "Effect": "Allow",
            "Action": [
              "ec2:DescribeTags"
            ],
            "Resource": [
              "*"
            ]
          }
        ]
      }
      ```
  14. Provisioning:

      ```
      +----------------------------+
      |                            |
      |      Amazon EC2 API        |
      |                            |
      +------^---------------------+
             |
      +------+------+
      |             |         Your provisioning node requests
      | Provisioner | <-------+ some new instances using that image,
      |             |         tagging them w/ role: 'webserver'
      +-------------+
      ```
  15. Creating a tagged instance with `puppet node_aws`:

      ```
      [vagrant@deglitch ~]$ puppet node_aws --trace --debug create -i ami-37713107 --region=us-west-2 --instance-tags=role=webserver --type=t1.micro --keyname=certsigner --security-group=webservers
      Debug: Runtime environment: puppet_version=3.6.2 (Puppet Enterprise 3.4.0-rc1-790-gf96f634), ruby_version=1.9.3, run_mode=user, default_encoding=UTF-8
      Info: Connecting to AWS us-west-2 ... Done
      Info: Instance Type: t1.micro
      Notice: Creating new instance ... Done
      Info: Instance identifier: i-abc8f0a6
      Notice: Creating tags for instance ...
      Info: Creating tag for Created-By ... Done
      Info: Creating tag for role ... Done
      Notice: Creating tags for instance ... Done
      Notice: Launching server i-abc8f0a6 ... #####
      Notice: Server i-abc8f0a6 is now launched
      Notice: Server i-abc8f0a6 public dns name: ec2-54-68-132-30.us-west-2.compute.amazonaws.com
      ```
  16. Instance boot:

      ```
      +---------------------------------+
      |                                 |
      |  Amazon EC2 + using your image  |
      |                                 |        EC2 builds your instances,
      +----+-----------+-----------+----+        running the user-data script
           |           |           |             which drops instance-specific
           |           |           |             metadata into csr_attributes.yaml
       +---v---+   +---v---+   +---v---+                   +
       |       |   |       |   |       |                   |
       | node1 |   | node2 |   | node3 | <-----------------+
       +-------+   +-------+   +-------+
      ```
  19. CSR submission and verification:

      ```
      +-------------------------------+
      |                               |     Each node generates a CSR which
      |        Amazon EC2 API         |     embeds the metadata as requested
      +---------------------^---------+     attributes and submits it to the
                            |               puppetmaster, which checks the
                            |               instance-ID against EC2 to verify
      +-------+     +-------+--------+      it came from a valid instance.
      |       |     |                |
      | node1 +-----> puppetmaster   |
      +-------+     +----------------+
      ```
  20. Signing:

      ```
      +-------------------------------+
      |                               |     If the API is OK, the puppetmaster
      |        Amazon EC2 API         |     signs the CSR, moving the tags,
      +---------------------+---------+     instance-id and any other metadata in
                            |               whitelisted extension requests
                            |               inside the signed certificate. The
      +-------+     +-------v--------+      signed cert is retrieved by the node
      |       |     |                |      and normal Puppet runs can begin.
      | node1 <-----+ puppetmaster   |
      +-------+     +----------------+
      ```
  21. The metadata ends up as X509v3 extensions in the signed certificate:

      ```
      openssl x509 -noout -text -in /var/lib/puppet/ssl/ca/signed/i-f3cef5fe.pem
      [ ... tons of crap trimmed ... ]
              X509v3 extensions:
                  Netscape Comment:
                      Puppet Ruby/OpenSSL Internal Certificate
                  1.3.6.1.4.1.34380.1.1.5:
                      webserver
                  1.3.6.1.4.1.34380.1.1.3:
                      ami-37713107
                  1.3.6.1.4.1.34380.1.1.2:
                      i-f3cef5fe
      ```
  22. Using the extensions at check-in:

      ```
      +-------+     +----------------+     When the node checks in, the extensions
      |       |     |                |     will be available under the '$trusted'
      | node1 +-----> puppetmaster   |     top-scope hash for classification,
      +-------+     +----------------+     manifests, etc.
      ```

      ```ini
      # puppet.conf
      [master]
      trusted_node_data = true
      immutable_node_data = true
      ```
  23. Inspecting `$trusted` from a manifest:

      ```puppet
      ## site.pp
      node default {
        notify { "trusted_data":
          message => inline_template("<%= scope.lookupvar('trusted').inspect %>")
        }
      }
      ```

      ```
      ## agent output
      Notice: /Stage[main]/Main/Node[default]/Notify[trusted_data]/message: defined 'message' as '{"certname"=>"i-f3cef5fe", "authenticated"=>"remote", "extensions"=>{"pp_instance_id"=>"i-f3cef5fe", "pp_image_name"=>"ami-37713107", "1.3.6.1.4.1.34380.1.1.5"=>"webserver"}}'
      ```
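The check the walkthrough describes (slides 16 through 23), as an added example in Ruby rather than code from the talk or from the mrzarquon-certsigner module: a node builds a CSR carrying the metadata from csr_attributes.yaml as extension requests under the OIDs shown above, and the puppetmaster's policy decodes them, requires the certname to equal the claimed instance ID, and compares the claimed image and role with what EC2 reports before agreeing to sign. The `EC2_TAGS` hash is a constructed stand-in for an `ec2:DescribeTags` response, and `extension_requests`, `autosign_decision` and `build_csr` are names chosen here.

```ruby
require 'openssl'
# CSR OIDs used on the slides; Puppet registers .2 and .3, the talk uses .5 for the role tag.
OID_INSTANCE_ID = '1.3.6.1.4.1.34380.1.1.2'
OID_IMAGE_NAME  = '1.3.6.1.4.1.34380.1.1.3'
OID_ROLE        = '1.3.6.1.4.1.34380.1.1.5'

# Constructed stand-in for an ec2:DescribeTags response, keyed by instance ID (no API call is made).
EC2_TAGS = { 'i-f3cef5fe' => { 'image' => 'ami-37713107', 'role' => 'webserver' } }

# Decode the CSR's extReq attribute into { dotted_oid => utf8_value }.
def extension_requests(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return {} unless attr
  node = attr.value                                   # SET { SEQUENCE { Extension, ... } }
  node = node.value.first while node.is_a?(OpenSSL::ASN1::Set)
  node.value.each_with_object({}) do |ext, out|
    oid = ext.value.first.oid                         # dotted form, even for unregistered OIDs
    out[oid] = OpenSSL::ASN1.decode(ext.value.last.value).value  # OCTET STRING wraps a UTF8String
  end
end

# The puppetmaster's decision before signing: [allowed, reason]; a policy executable would exit 0 only for true.
def autosign_decision(certname, csr_pem, tags = EC2_TAGS)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return [false, 'bad CSR signature'] unless csr.verify(csr.public_key)
  ext = extension_requests(csr)
  iid = ext[OID_INSTANCE_ID]
  return [false, 'no pp_instance_id in CSR'] unless iid
  return [false, 'certname does not match instance ID'] unless certname == iid
  known = tags[iid]
  return [false, "EC2 has no instance #{iid}"] unless known
  return [false, 'image mismatch'] unless known['image'] == ext[OID_IMAGE_NAME]
  return [false, 'role mismatch'] unless known['role'] == ext[OID_ROLE]
  [true, "signing #{certname} as #{known['role']}"]
end

# Build the CSR a node would submit after user-data wrote csr_attributes.yaml (constructed input).
def build_csr(certname, requests)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  exts = requests.map do |oid, v|
    OpenSSL::ASN1.decode(OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(v).to_der, false).to_der)
  end
  csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])))
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end
```

A CSR that claims a role EC2 never tagged the instance with, or a certname that differs from the instance ID it embeds, is refused before any certificate exists.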
  24. Related and future work:
      - Signing policy for AWS: mrzarquon-certsigner
      - Signing policy for GCE: puppetlabs-gce_compute
      - Signing policy for in-house CMDBs?
      - Puppet Enterprise Node Manager
  27. Photo/Link Credits:
      - CERN - http://www.slideshare.net/gmccance/cern-data-centre-evolution
      - Google Maps screenshot of Apple Data Center - fair use, with attribution inline; Imagery (c) 2014 Google
      - NSA HQ, Fort Meade - "National Security Agency headquarters, Fort Meade, Maryland" by Unknown - http://www.nsa.gov/about/photo_gallery/gallery.shtml. Licensed under Public domain via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg#mediaviewer/File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg
      - Bitcoin mining rigs from buttcoin.org - http://buttcoin.org/mining-rigs-3
      - "Cloud City at Sunset" (Han and Lando) - http://balsavor.deviantart.com/art/The-Falcon-escapes-Cloud-city-143511722
      - Mario Fireball - from http://www.giantbomb.com/fireball/3055-120/
      - © Yorkberlin | Dreamstime.com - Sorceress With Fireball Photo