London, Dec 2013

Groovy for System Administrators
Dan Woods
Slides from my talk, "Groovy for System Administrators" at GGX 2013

  • In any non-trivial environment, you need to build things in a standard way, or at least in a way that somebody else can reproduce.
  • “Build servers and environments like we build code projects.”
  • Organizations are steadily shifting from systems-centric to software-centric environments. Why not have your already-robust application authentication manage your server authentication as well?
  • Tagging packets may allow for a correlation of application user to incoming server packet, which may be useful for issue debugging (jetty ajp issue).
  • May want to make a call to the hypervisor to hot-plug a CPU or memory as needed.

    1. London, Dec 2013. Groovy for System Administrators. Dan Woods
    2. About Me: @danveloper, /danveloper, #editor, danielpwoods@gmail.com
    3. About Me
    4. “System Administration is a multi-faceted problem domain, not dissimilar from programming.” - Me, just now.
    5. At a high level...
        Provisioning
        Deployment
        Management
    6. Provisioning
        ./“Building” the server
        ./Creating installation media
        ./Installing the server
    7. Deployment
        ./Getting our app on the server
        ./Making sure it runs there
        ./Managing environment dependencies
    8. Management
        ./Maintaining users
        ./Managing resource authorization
        ./Designing security
    9. “We need to rethink the way that we build and work with server environments.” - Me, just now.
    10. Environment Considerations
        ./Disaster Recovery
        ./Auditing
        ./Testing (Test Network)
    11. Environment Considerations
        Should be able to rapidly recover or reproduce an environment from configuration and archives
    12. Programmatic Strategy
        ./Download install media
        ./Modify with kickstart
        ./Produce and archive reusable install media
    13. Build Servers with Gradle
        ./“Version Control” the infrastructure
        ./Integrate with CI
        ./Archive “Builds” for recovery/regeneration purposes
        ./Whole environment build and deploy
    14. Provisioning Gradle Plugin
        http://github.com/danveloper/provisioning-gradle-plugin
    15. Provisioning and Deployment Through CI
        “qa-web-server”
        --- application-services (rabbitmq)
            `-- build: jar, packaging: rpm
            `-- deployment: “Network Yum Repo”
        --- application-webapp (grails)
            `-- build: war, packaging: rpm
            `-- deployment: “Network Yum Repo”
    16. Authentication Hacking .with(Groovy)
    17. Pluggable Authentication Modules
        * Account Details
        * Authentication
        * Password Changes
        * Session Interaction
    18. PAM Account & Authentication
        ./LDAP Integration (pam_ldap)
        ./Active Directory
        ./Radius
        ./etc...
    19. PAM Account & Authentication
        Why not Spring Security from Grails?
    20. Pluggable Authentication Modules
        pam_exec.so – allows an external script to provide for any layer of the PAM stack
    21. PAM Account & Authentication w/ Grails

        Add to /etc/pam.d/login:

            auth     sufficient  pam_exec.so debug expose_authtok /etc/security/onauth
            account  sufficient  pam_exec.so /etc/security/onaccount

        Create /etc/security/onauth script and mark it executable:

            #!/bin/sh
            # expose_authtok makes pam_exec pass the password on stdin
            pass=`cat`
            # URL-encode both fields so a password containing & or + arrives intact
            result=$(curl -s --data-urlencode "user=$PAM_USER" --data-urlencode "pass=$pass" http://192.168.0.106:8080/grails-springsec/auth)
            if [ "$result" != "success" ]; then
              # any reply other than "success" denies the login
              exit 1
            else
              # create the local account with a home directory copied from /etc/skel
              /usr/sbin/useradd "$PAM_USER" -m -k /etc/skel
              exit 0
            fi
    22. Kernel Hacking .with(Groovy)

            #include <linux/kernel.h>
            #include <linux/module.h>
            #include "groovy.h"

            #define ITEM_1 "Kernel Space IPC with User Space Groovy"
            #define ITEM_2 "sys_call_table manipulation"
            #define ITEM_3 "syscall hacking for Groovy-defined ruleset"
            #define ITEM_4 "Groovy DSLs for every occasion!"

    23. Kernel Hacking
        * The Kernel is modular, allows influence from external sources
        * Provides a variety of “hooks” into nearly all aspects of the server and its state
        * Handling of logistical operations, like metrics and reporting
        * Influence over nearly all of the server’s operation
    24. Kernel Space IPC w/ User Space Groovy
        [Diagram labels: Kernel Memory, Userland Memory, procfs, netlink, Kernel Processes, mmap, udp, Userland Processes]
    25. Groovy ACL DSL for Filesystem Behavior
        [Diagram labels: mkdir(), MKDIR, syscall table, __NR_mkdir, mkdir_code, filesystem]
    26. Groovy ACL DSL for Filesystem Behavior
        [Diagram labels: MKDIR, mkdir(), original mkdir_code, syscall table, intercepted mkdir_code, filesystem]
    27. Kernel Hacking: Other Things We Might Do...
        * Packet inspection (a la IDS)
        * Network manipulation (rewrite headers, compression, etc)
        * Tag packets, and correlate with process/application
        * User and application oriented metrics gathering
    28. The end.

            try {
              "Groovy for System Administrators"()
            } finally {
              Utilize.groovy() as FullstackInfrastructureComponent
            }
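
The pam_exec hook on slide 21 runs as root on every login, so the script is part of the authentication boundary. The following is an added example, not code from the talk: a hardened variant of /etc/security/onauth that validates the login name before it reaches useradd, keeps the password out of curl's argument list (where a process listing would show it), requires HTTPS and fails closed. The AUTH_URL host and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): hardened /etc/security/onauth.
# AUTH_URL is a placeholder host (assumption); the slide used plain HTTP.
LC_ALL=C; export LC_ALL
AUTH_URL="${AUTH_URL:-https://auth.example.internal/grails-springsec/auth}"

# Accept only conservative login names: non-empty, no leading '-',
# lowercase letters, digits, '_' and '-' only, at most 32 characters.
valid_pam_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Map the service reply to a decision; only the exact string "success" allows.
auth_decision() {
    [ "$1" = "success" ] && echo allow || echo deny
}

# POST the credentials. The password arrives on stdin (expose_authtok) and is
# piped to curl's stdin, so it never appears in argv or the environment.
# tr drops a NUL terminator in case pam_exec sends one with the token.
ask_service() {
    tr -d '\000' | curl -s --fail --max-time 5 --proto '=https' \
        --data-urlencode "user=$1" --data-urlencode "pass@-" "$AUTH_URL"
}

pam_auth_main() {
    valid_pam_user "${PAM_USER:-}" || return 1
    result=$(ask_service "$PAM_USER") || return 1   # timeout or HTTP error denies
    [ "$(auth_decision "$result")" = "allow" ] || return 1
    # Create the local account on first login only.
    id "$PAM_USER" >/dev/null 2>&1 || /usr/sbin/useradd -m -k /etc/skel "$PAM_USER"
}

# pam_exec exports PAM_TYPE; act only when called from the auth stack.
if [ "${PAM_TYPE:-}" = "auth" ]; then
    pam_auth_main
    exit $?
fi
```

Because both PAM lines on the slide use `sufficient`, a zero exit from this script ends the stack with success, so the script file and its directory should be writable by root only.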
