
Policy design for sustainability


Rudder has recently gained a lot of new features allowing more flexible configuration, including data management with properties and dict data types, templating capabilities, plugins to integrate external data, and this will continue in 2018 with parameters for techniques, new group criteria, etc. We also added support for another agent implementation. We will see how to take advantage of these new abilities, both for improving an existing configuration and for setting up a new project, covering:

- Node classification
- Data management
- Configuration rules design and management
- Best practices for safety

Published in: Technology
Policy design for sustainability

  1. Policy Design for Sustainability – Best Practices for long-term Rudder usage in Production (Configuration Management Camp 2018)
     Normation – 87 rue de Turbigo, 75003 PARIS, France contact@normation.com – +33 1.83.62.26.96 – http://www.normation.com/
  2. ● Policy Design
     ● Rudder Usage
  3. Naming things
     ● Searchability
       ○ Example: multidimensional names (i.e. everything “SAP”, every “Config” directive, “name_of_some_os_file”)
       ○ Can now also use tags for this kind of information, especially key-value tags (“Application”: “HAProxy”, “Type”: “Config”, “Team”: “X”, etc.)
     ● Consistency
       ○ Need to define a regex and document how to “build a name”, or people will struggle / not bother
  4. Separate “Code” from Data
     ● Security: do not allow any infrastructure data or secrets anywhere in techniques; use variables or properties to inject them.
     ● Node properties with sane defaults; use the JS engine to avoid duplication: “${rudder.node.hostname}”.substring(0,3)
     ● Synchronize data instead of duplicating it (datasources plugin)
     ● Use global parameters
     ● Use technique parameters (4.3)
  5. Technique parameters
  6. Classifying Nodes
     ● Make technical groups from inventory (“Debian 9.2”, “Physical Node”, etc.)
     ● Make business groups from inventory or properties (“Production”, “Load Balancer”, etc.)
     ● Use the “In Group” criterion to avoid duplicating criteria (4.3)
     ● Use the lifecycle state (4.3) for the node's state regarding Rudder
  7. (slide without text)
  8. Designing Rules
     ● Optimize your directives so that they can be attached to N rules as needed (opt-in, e.g. for things like X11 libs or compiler bundles)
  9. Technique Editor
     ● State vs. Script
     ● Only use “repaired” conditions to trigger actions when strictly necessary; use check methods or idempotent scripts when possible. A repaired condition is only defined during one run and might never be defined again: if the run is interrupted or the conditioned method fails, your policy will not be fully applied, and this will not be visible in the displayed compliance.
     ● Wrap unix commands etc. into wrapper scripts that DO THEIR JOB, i.e. fully abstract the application commands so that you know whether they were kept, changed or in error
     ● Sort by method, not by flow (all files, all permissions, all executions). You’re not scripting, you’re drawing a blueprint!
  10. Technique Editor
     ● Limit complexity
     ● Maintain strict independence between different techniques (conditions, variables, etc.)
     ● Only first-level dependencies; if there are >3 dependencies on something, raise a well-named condition for it (might incur one more agent run)
     ● Break apart package installation, configuration (and sometimes even split out daemon management) and communications (server registration, etc.)
  11. Technique Editor
     ● Limit complexity
     ● Do not have more than ~10 methods in a technique; it becomes unmaintainable
     ● Use iterators: they create bad reports, but at some point we’ll get you to fix that. Package policies without iterators are unmaintainable, and other things benefit too
  12. Managing File Content
     ● Have very precise headers for managed files (“this file is managed in whole by Rudder rule X, directive Y; do not edit here”)
     ● Comment distributed files
     ● Prefer templating/copy over edits: easier to maintain, avoids partial application and undefined variables, and the state definition is absolute rather than relative to the previous state.
     ● The file content technique is useful for complex cases. Use sections to limit complexity.
  13. Safety Checks
     ● File copy with check (next minor); more generally, use linters/check commands
     ● Safety checks on variable content for important policies, sane defaults when possible
     ● Use audit mode to assess the current state of nodes (for existing nodes or items that were not Rudder-controlled before)
     ● Use runtime conditions to unlock dangerous parts of a policy, e.g.: rudder agent run -D allow_cryptfs_setup
  14. ● Policy Design
     ● Rudder Usage
  15. Testing
     ● Dedicated testing environments, and testing nodes in production environments
       ○ Need one testing node per relay; allows for end-to-end tests PLUS continuous regression testing
       ○ QA environment size recommendation 5%–15%, test environment size 1%
  16. Traceability and Auditability
     ● Use the audit log messages (tail -f during a change; ship them to Elasticsearch / Splunk)
     ● Maintain distributed files and templates in a VCS repository (which can be the configuration-repository) with a proper log/review process
     ● Add documentation in description fields, and links to external resources
     ● Your Rudder config is to your infra what a VCS repository is to your code
  17. Questions?
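The wrapper-script point of slide 9 (scripts that “do their job” and report whether the state was kept, changed or in error, instead of relying on a one-run “repaired” condition), as an added example that is not part of the slides or of Rudder's own code. It assumes a constructed exit-code convention (0 = kept, 2 = repaired, 1 = error) intended to be passed as the kept_codes / repaired_codes parameters of the command_execution_result generic method; the KEY=VALUE file format, the function names and the sample content are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): a wrapper that fully abstracts one
# application change and reports its outcome through its exit code, so the
# agent can tell "kept" from "repaired" from "error" on every run, not only
# during the one run in which a "repaired" condition happens to be defined.
#
# Exit-code convention chosen for this example (an assumption, not a Rudder
# default): 0 = kept, 2 = repaired, 1 = error. It is meant to be called from
# command_execution_result with kept_codes="0" and repaired_codes="2".

# ensure_kv FILE KEY VALUE: make sure FILE contains exactly one "KEY=VALUE" line.
ensure_kv() {
  file=$1 key=$2 value=$3
  # Safety checks on the inputs before touching anything (error = 1).
  [ -n "$file" ] && [ -n "$key" ] && [ -n "$value" ] || return 1
  case $key in *[!A-Za-z0-9_.]*) return 1 ;; esac
  [ -f "$file" ] || return 1

  # Compare desired state with current state; already correct = kept (0).
  if [ "$(grep -c "^${key}=" "$file")" -eq 1 ] && grep -qxF "${key}=${value}" "$file"; then
    return 0
  fi

  # Build the new content in a temp file, then move it into place atomically,
  # so an interrupted run never leaves a half-written file behind.
  tmp=$(mktemp "${file}.XXXXXX") || return 1
  { grep -v "^${key}=" "$file"; printf '%s=%s\n' "$key" "$value"; } > "$tmp" \
    || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
  return 2   # repaired
}

# outcome_name CODE: translate the exit code into the word a report shows.
outcome_name() {
  case $1 in 0) echo kept ;; 2) echo repaired ;; *) echo error ;; esac
}

# Demo on a constructed file in a scratch directory: the first run repairs,
# the second run finds nothing to do and reports "kept".
demo() {
  d=$(mktemp -d) || return 1
  printf 'LogLevel=INFO\n' > "$d/example.conf"   # constructed sample content
  ensure_kv "$d/example.conf" MaxAuthTries 3; echo "first run:  $(outcome_name $?)"
  ensure_kv "$d/example.conf" MaxAuthTries 3; echo "second run: $(outcome_name $?)"
  rm -rf "$d"
}
demo
```

Because the script decides the outcome from the observed state rather than from a condition raised earlier in the run, the compliance shown for the directive reflects what is actually on the node, and a rerun after an interrupted agent run converges without any extra bookkeeping.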
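The “file copy with check” and “safety checks on variable content, sane defaults” points of slide 13, as an added example that is not part of the slides or of Rudder's own code. The candidate file is validated by a check command before it can replace the live file, so a broken file is never half-applied; a small KEY=VALUE linter, a `value_or_default` helper, the exit-code convention (0 = kept, 2 = repaired, 1 = error, for the kept_codes / repaired_codes parameters of command_execution_result) and all sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): install a file only after a check
# command has accepted it, and fall back to a sane default when a policy
# variable does not look right. Exit codes (an assumption for this example):
# 0 = kept, 2 = repaired, 1 = error.

# install_with_check SRC DST CHECK_CMD [ARGS...]
# Runs "CHECK_CMD ARGS... SRC"; SRC is installed at DST only if that exits 0.
install_with_check() {
  src=$1 dst=$2
  shift 2
  [ -f "$src" ] && [ -n "$dst" ] && [ $# -gt 0 ] || return 1
  # 1. Validate the candidate before it can ever reach the live path.
  "$@" "$src" >/dev/null 2>&1 || return 1
  # 2. Nothing to do if the live file is already identical (kept).
  if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
    return 0
  fi
  # 3. Stage next to the destination, then rename, so readers never see a
  #    partially written file.
  tmp=$(mktemp "${dst}.XXXXXX") || return 1
  if cp "$src" "$tmp" && mv "$tmp" "$dst"; then
    return 2
  fi
  rm -f "$tmp"
  return 1
}

# check_kv_syntax FILE: a small linter constructed for this example; every
# line must be blank, a comment, or KEY=VALUE. Real policies would call the
# application's own checker here (sshd -t, nginx -t, visudo -c, ...).
check_kv_syntax() {
  [ -f "$1" ] || return 1
  # grep -v finds offending lines; "!" turns "none found" into success.
  ! grep -Eqv '^([[:space:]]*#|[[:space:]]*$|[A-Za-z0-9_.]+=)' "$1"
}

# value_or_default VALUE DEFAULT REGEX: use VALUE only if it fully matches
# REGEX, otherwise fall back to DEFAULT (a sane default for a policy variable
# that may be empty or malformed).
value_or_default() {
  if printf '%s\n' "$1" | grep -Eqx "$3"; then
    printf '%s\n' "$1"
  else
    printf '%s\n' "$2"
  fi
}

# Demo with constructed files in a scratch directory: the valid candidate is
# installed, the invalid one is rejected and the live file is left as it was,
# and sh -n serves as a real external linter for a distributed shell script.
demo() {
  d=$(mktemp -d) || return 1
  printf '# constructed sample\nMaxAuthTries=3\n' > "$d/good.conf"
  printf 'MaxAuthTries 3\n' > "$d/bad.conf"          # missing "=": must be rejected
  printf 'echo ok\n' > "$d/good.sh"
  install_with_check "$d/good.conf" "$d/live.conf" check_kv_syntax; echo "good candidate: rc=$?"
  install_with_check "$d/bad.conf"  "$d/live.conf" check_kv_syntax; echo "bad candidate:  rc=$? (live file untouched)"
  install_with_check "$d/good.sh"   "$d/live.sh"   sh -n;           echo "shell script:   rc=$?"
  echo "retries=$(value_or_default "ten" 3 '[0-9]+')   (malformed value replaced by default)"
  rm -rf "$d"
}
demo
```

The check runs against the staged candidate, never against the live path, which is what makes the pattern safe: a linter failure leaves the node exactly as it was and surfaces as an error in compliance rather than as a silently broken service.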
