View more (including full video and transcript) at: https://www.aptible.com/resources/update-webinar-jan-2017/
The Aptible Update Webinar Series is a quarterly presentation that covers recent features and changes to the Enclave deployment platform and Gridiron security management products. These webinars feature technical sessions led by Aptible engineers, live demonstrations, customer examples, and Q&A with the Aptible team.
This Aptible Update Webinar covers:
- A preview of Gridiron, our security management and compliance platform
- Improvements to the Enclave deployment process for reliability, predictability and speed
- Enclave database logging
- The Enclave CLI for Windows
- Continual efforts to strengthen Enclave security
4. Who is Gridiron for?
Gridiron is designed for cloud-first engineering teams that handle
regulated or sensitive data and need to actually take security
seriously.
5. What is Gridiron?
Gridiron is a suite of tools to help software engineers build and
maintain industrial-strength security management programs.
• Makes the administrative side of protecting data easy
• Helps prep for regulatory audits
• Helps prep for customer security reviews
Gridiron:data security::Quickbooks:accounting
19. Guiding principles
We want Enclave to be the best place to deploy your regulated or
sensitive projects. As such, Enclave must provide:
• A robust hosting platform for your apps.
• Good options to store your data in.
• Uncompromising security.
20. What's new on Enclave?
Stronger, more secure deployment platform
More options and control for databases
Broader operating system support in the CLI
(Windows)
22. Deployment Platform
This quarter we:
• Overhauled our deployment engine to support systematic
rollbacks and faster deployments
• Rolled out a new, more secure SSH Portal
• Automated orphan container deletion
24. Dependency-Oriented Deployments
As of Q4 2016, we're coordinating deploys using a dependency-oriented
approach.
This breaks your deployment up into small steps and coordinates them
(in parallel) as a chain of dependencies.
These are the steps you see in the log output when you deploy!
25. $ aptible restart --app pocket-hercules
Restarting app...
INFO -- : STARTING: Register service web in API
INFO -- : COMPLETED (after 0.0s): Register service web in API
INFO -- : STARTING: Schedule service web
INFO -- : COMPLETED (after 0.06s): Schedule service web
INFO -- : STARTING: Import certificate into IAM for endpoint app-2408.on-aptible.com
INFO -- : COMPLETED (after 0.0s): Import certificate into IAM for endpoint app-2408.on-aptible.com
INFO -- : STARTING: Ensure ALB exists for endpoint app-2408.on-aptible.com
INFO -- : COMPLETED (after 2.16s): Ensure ALB exists for endpoint app-2408.on-aptible.com
INFO -- : STARTING: Register service cron in API
INFO -- : COMPLETED (after 0.0s): Register service cron in API
INFO -- : STARTING: Schedule service cron
INFO -- : COMPLETED (after 0.05s): Schedule service cron
INFO -- : STARTING: Stop old app containers for service cron
INFO -- : STARTING: Create new release for service web
INFO -- : COMPLETED (after 0.15s): Create new release for service web
INFO -- : STARTING: Create new release for service cron
INFO -- : COMPLETED (after 0.17s): Create new release for service cron
INFO -- : STARTING: Start app containers for service web
INFO -- : WAITING FOR: Start app containers for service web, Stop old app containers for service cron
INFO -- : COMPLETED (after 2.06s): Start app containers for service web
INFO -- : STARTING: Run HTTP health checks for service web
...
28. Why is this useful?
• Safer Deployments via Systematic Rollbacks
• Faster Deployments via Concurrency
29. Safer Deployments via Systematic Rollbacks
With this new engine, rollbacks are natively built-in to everything
Enclave does.
Deploy: [ do A ] => [ do B ] => [ do C ] => [ do D ]
Rollback: [undo D] => [undo C] => [undo B] => [undo A]
If anything goes wrong at any point, the rollback path is clear.
30. Safer Deployments via Systematic Rollbacks
E.g. [0]:
Deploy: [ do A ] => [ do B ] => [ do C ] => [ FAIL D ]
Rollback: [undo C] => [undo B] => [undo A]
[0] Real Enclave deployments aren't that simple: each step may have multiple dependencies.
31. Safer Deployments via Systematic Rollbacks
As a result:
• Enclave handles all errors gracefully, including errors we've
never seen before.
• You can safely cancel your own deployments at any point (that is
a new feature for you that shipped in Q4!).
• Aptible support can troubleshoot deployment failures much
faster.
35. Faster Deployments via Concurrency
This new engine executes deployment steps concurrently.
[ do A1 ] ==\
[ do A2 ] ===> [ do B ]
[ do A3 ] ==/
In some extreme cases (e.g. an app with numerous Endpoints and
Log Drains being restarted), we've observed the new Enclave being
5 times faster [1]!
[1] This case was a 10-minute restart turned into a 2-minute restart!
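The dependency-oriented engine with systematic rollbacks and concurrent steps described on slides 24 through 35, as an added example that is not Aptible's or Enclave's own code. It assumes a plain step abstraction (a name, its dependencies, a `do` action and a compensating `undo`); the step names, the sample graph and the simulated failure are constructed for the demonstration, and the log lines only imitate the shape of the output on slide 25.

```python
import threading
import time
from concurrent.futures import FIRST_COMPLETED, ThreadPoolExecutor, wait
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Step:
    name: str
    deps: List[str]              # steps that must complete before this one
    do: Callable[[], None]       # forward action; raises on failure
    undo: Callable[[], None]     # compensating action used during rollback

@dataclass
class DeployResult:
    status: str                  # "ok" or "rolled_back"
    completed: List[str]         # steps that finished, in completion order
    failed_step: Optional[str] = None
    log: List[str] = field(default_factory=list)

def run_deployment(steps: List[Step], max_workers: int = 4) -> DeployResult:
    """Run steps as a dependency graph; if any step fails, undo what completed."""
    by_name: Dict[str, Step] = {s.name: s for s in steps}
    for s in steps:
        for d in s.deps:
            if d not in by_name:
                raise ValueError(f"{s.name} depends on unknown step {d}")
    pending = set(by_name)
    done: List[str] = []         # completion order doubles as the rollback order
    log: List[str] = []
    started: Dict[str, float] = {}
    failed: Optional[str] = None
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        running: Dict = {}       # Future -> step name
        while True:
            if failed is None:
                # Schedule every pending step whose dependencies are all done;
                # independent steps therefore run concurrently.
                ready = [n for n in sorted(pending)
                         if all(d in done for d in by_name[n].deps)]
                for n in ready:
                    pending.discard(n)
                    started[n] = time.perf_counter()
                    log.append(f"STARTING: {n}")
                    running[pool.submit(by_name[n].do)] = n
            if not running:
                break            # nothing in flight: finished, failed, or stuck
            finished, _ = wait(list(running), return_when=FIRST_COMPLETED)
            for fut in finished:
                n = running.pop(fut)
                elapsed = time.perf_counter() - started[n]
                if fut.exception() is None:
                    done.append(n)
                    log.append(f"COMPLETED (after {elapsed:.2f}s): {n}")
                else:
                    log.append(f"FAILED (after {elapsed:.2f}s): {n}: {fut.exception()}")
                    failed = failed or n   # first failure stops new scheduling
    if failed is None and pending:
        raise ValueError(f"dependency cycle among {sorted(pending)}")
    if failed is None:
        return DeployResult("ok", done, log=log)
    # Systematic rollback: undo newest-first, so a step is undone only after
    # everything that depended on it has already been undone.
    for n in reversed(done):
        log.append(f"ROLLBACK: {n}")
        by_name[n].undo()
    return DeployResult("rolled_back", done, failed_step=failed, log=log)

def demo_steps(fail_at: Optional[str] = None) -> Tuple[List[Step], List[str]]:
    """Constructed sample graph (not a real Enclave plan): A1, A2, A3 are
    independent, B needs all three, C needs B, D needs C. Returns the steps and
    a shared list that records every do/undo call in the order it ran."""
    calls: List[str] = []
    lock = threading.Lock()

    def make(name: str, deps: List[str]) -> Step:
        def do() -> None:
            with lock:
                calls.append(f"FAIL {name}" if name == fail_at else f"do {name}")
            if name == fail_at:
                raise RuntimeError("simulated failure")

        def undo() -> None:
            with lock:
                calls.append(f"undo {name}")

        return Step(name, deps, do, undo)

    steps = [make("A1", []), make("A2", []), make("A3", []),
             make("B", ["A1", "A2", "A3"]), make("C", ["B"]), make("D", ["C"])]
    return steps, calls

if __name__ == "__main__":
    steps, _ = demo_steps(fail_at="D")
    print("\n".join(run_deployment(steps).log))
```

Running it with `fail_at="D"` shows the rollback path the slides describe: C, B and then the three A steps are undone, in the reverse of the order they completed, and D's own `undo` is never called because D never completed. A dependency cycle is reported as an error rather than hanging, since no step ever becomes ready.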
36. Bottom Line
• Your deploys are safer and faster than they ever were.
• The support you receive is better equipped than it ever was.
• You didn't have to do anything [2].
[2] These improvements are for v2 only. If you're on legacy v1 infrastructure, you'll need to upgrade (contact support if
that's not done already). If you're unsure, you're almost certainly on v2 already: v2 has been the default for new
customers since November 2015.
39. What's The SSH Portal?
The Enclave SSH Portal is used to support aptible ssh, aptible
db:tunnel, and aptible logs.
It's an SSH server running on your dedicated stack, so it's evidently a
sensitive piece of infrastructure.
40. What changed?
We now require a temporary SSH Key in addition to the Aptible
Access Token we always required on the SSH Portal.
The key is valid for 15 minutes, and tied to a single operation and a
single user:
# Logs from the SSH Portal: this ID tells us this is Thomas Orozco (me!) connecting for a DB tunnel.
Accepted publickey for ... from ... port ... ssh2:
RSA-CERT ID SshPortalConnection-a4b45ad8-2f88-4560-8607-28ac8cfa57fb (serial 0)
CA RSA SHA256:Z7jFMLP7HNw9i1Yii/LbX2TOinmrfOoAdZv5MpRuXYU
41. Bottom line
This gives you:
• Defense in depth on your dedicated Enclave infrastructure.
• Strong auditing capabilities (via Aptible).
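An audit pass over SSH Portal login lines of the shape shown on slide 40, as an added example (not Aptible's code). It checks that every accepted login is a certificate signed by the expected CA whose ID is a known, recently issued SshPortalConnection, and flags everything else for review. The sample lines are constructed: the certificate ID and CA fingerprint from slide 40 are reused as the known-good values, while the unix login user `aptible`, the IP addresses, the second certificate ID, the second CA fingerprint and the `ISSUED` record (which certificate was minted for which Aptible user and operation) are made up for the demonstration. sshd itself rejects an expired certificate; the validity-window check here is a consistency check between the log and the issuance record.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple

# sshd's accepted-login line for certificate auth, as on slide 40 (reassembled).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: (?P<auth>.*)$")
CERT_RE = re.compile(
    r"^(?P<keytype>[\w-]+)-CERT ID (?P<cert_id>\S+) \(serial \d+\) CA \w+ (?P<ca_fp>SHA256:\S+)$")
PORTAL_ID_RE = re.compile(r"^SshPortalConnection-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
KEY_TTL = timedelta(minutes=15)   # lifetime of a temporary portal key (slide 40)

class Issued(NamedTuple):
    aptible_user: str             # who the key was minted for
    operation: str                # the single operation it is tied to
    issued_at: datetime

class Finding(NamedTuple):
    line_no: int
    severity: str                 # "ok" or "review"
    detail: str

def audit_portal_logins(lines: Iterable[str], expected_ca_fp: str,
                        issued: Dict[str, Issued], year: int) -> List[Finding]:
    """Flag every accepted login that is not a known, fresh portal certificate
    signed by the expected CA. Lines that are not accepted logins are skipped."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, 1):
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        c = CERT_RE.match(m["auth"])
        if not c:
            findings.append(Finding(no, "review", f"plain public key accepted for {m['user']} from {m['ip']}"))
        elif c["ca_fp"] != expected_ca_fp:
            findings.append(Finding(no, "review", f"certificate signed by unexpected CA {c['ca_fp']}"))
        elif not PORTAL_ID_RE.match(c["cert_id"]):
            findings.append(Finding(no, "review", f"unexpected certificate ID {c['cert_id']}"))
        elif c["cert_id"] not in issued:
            findings.append(Finding(no, "review", f"certificate {c['cert_id']} not recorded as issued"))
        else:
            rec = issued[c["cert_id"]]
            age = ts - rec.issued_at
            if not timedelta(0) <= age <= KEY_TTL:
                findings.append(Finding(no, "review",
                    f"{c['cert_id']} used {age} after issue, outside the 15-minute validity window"))
            else:
                findings.append(Finding(no, "ok", f"{rec.aptible_user} {rec.operation} from {m['ip']}"))
    return findings

# Known-good values reused from slide 40; everything else below is constructed.
EXPECTED_CA_FP = "SHA256:Z7jFMLP7HNw9i1Yii/LbX2TOinmrfOoAdZv5MpRuXYU"
KNOWN_ID = "SshPortalConnection-a4b45ad8-2f88-4560-8607-28ac8cfa57fb"
ISSUED = {KNOWN_ID: Issued("thomas", "db:tunnel", datetime(2017, 1, 19, 14, 1, 30))}
LOG_YEAR = 2017
SAMPLE_LINES = [
    f"Jan 19 14:02:11 portal sshd[2190]: Accepted publickey for aptible from 203.0.113.7 port 51513 ssh2: RSA-CERT ID {KNOWN_ID} (serial 0) CA RSA {EXPECTED_CA_FP}",
    "Jan 19 14:05:40 portal sshd[2204]: Accepted publickey for aptible from 203.0.113.9 port 40122 ssh2: RSA SHA256:CONSTRUCTEDplainkeyfingerprint0000000000000",
    f"Jan 19 14:07:02 portal sshd[2210]: Accepted publickey for aptible from 203.0.113.9 port 40130 ssh2: RSA-CERT ID SshPortalConnection-00000000-0000-4000-8000-000000000001 (serial 0) CA RSA {EXPECTED_CA_FP}",
    f"Jan 19 14:30:00 portal sshd[2222]: Accepted publickey for aptible from 203.0.113.7 port 51600 ssh2: RSA-CERT ID {KNOWN_ID} (serial 0) CA RSA {EXPECTED_CA_FP}",
    f"Jan 19 14:31:00 portal sshd[2230]: Accepted publickey for aptible from 203.0.113.9 port 40150 ssh2: RSA-CERT ID {KNOWN_ID} (serial 0) CA RSA SHA256:CONSTRUCTEDunexpectedCAfingerprint000000000",
]

if __name__ == "__main__":
    for f in audit_portal_logins(SAMPLE_LINES, EXPECTED_CA_FP, ISSUED, LOG_YEAR):
        print(f)
```

The first sample line is the legitimate tunnel and is attributed back to the Aptible user and operation the key was minted for; the other four each exercise one of the checks (a plain key, an ID nobody issued, a known ID used half an hour after issue, and a certificate from a different CA).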
42. Upgrade your CLI!
This new portal requires a newer CLI (v0.8.0+); all you have to do is
upgrade.
$ aptible version
aptible-cli v0.8.4 toolbelt
Older CLIs will be deprecated soon to protect you and your
dedicated Enclave infrastructure.
Download the latest CLI: https://aptible.com/support/toolbelt
44. Orphan Container Deletion
In some edge cases, Enclave is not able to stop some existing app
containers when re-deploying your app (e.g. because the EC2
instance the container is hosted on temporarily went offline).
In this case, Enclave proceeds with your deployment:
• It's a good thing because you don't want to block your deployment
due to an unresponsive instance.
• But it can leave orphan containers behind!
45. Orphan Container Deletion
Orphan containers can:
• Waste system resources
• Break background processes like Sidekiq or Celery (when an
orphaned worker container accepts new jobs but runs an old
version of your codebase!)
Enclave now automatically cleans these up for you.
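One way to model the orphan-container handling on slides 44 and 45, as an added example (not Enclave's code): reconcile the containers actually running against the release each service should be on, stop stale containers on reachable hosts, and defer, rather than block on, containers whose host is currently offline. Container IDs, service names, release IDs and host names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, NamedTuple, Set

@dataclass(frozen=True)
class Container:
    id: str
    service: str      # e.g. "web", "cron"
    release: str      # release the container's image was built from
    host: str         # instance the container runs on

class Plan(NamedTuple):
    stop_now: List[str]   # orphans on reachable hosts: stale release or removed service
    deferred: List[str]   # stale, but host unresponsive: deploy proceeds, retry later
    keep: List[str]       # already on the current release

def reconcile(containers: Iterable[Container], current_release: Dict[str, str],
              reachable_hosts: Set[str]) -> Plan:
    """Decide what to do with each running container after a deploy. A stale
    worker that keeps accepting jobs with old code is an orphan, so anything
    not on its service's current release is stopped as soon as its host answers."""
    plan = Plan([], [], [])
    for c in containers:
        if current_release.get(c.service) == c.release:
            plan.keep.append(c.id)
        elif c.host in reachable_hosts:
            plan.stop_now.append(c.id)
        else:
            plan.deferred.append(c.id)
    return plan

# Constructed sample: web and cron are on release r2; "reports" was removed.
SAMPLE = [
    Container("c-web-1", "web", "r2", "i-a"),
    Container("c-web-0", "web", "r1", "i-a"),        # orphan from the last deploy
    Container("c-cron-0", "cron", "r1", "i-b"),      # i-b is offline right now
    Container("c-rep-0", "reports", "r1", "i-a"),    # service no longer exists
]
CURRENT = {"web": "r2", "cron": "r2"}

if __name__ == "__main__":
    print(reconcile(SAMPLE, CURRENT, {"i-a"}))
    print(reconcile(SAMPLE, CURRENT, {"i-a", "i-b"}))   # after i-b comes back
```

The second call shows the cleanup the slides describe: once the previously unresponsive instance is reachable again, the container that was deferred during the deploy becomes an ordinary orphan and is stopped.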
48. Database Support
We're striving to give you more options and control over your
sensitive data.
• Database logs so you can audit what your database is doing.
• SSL Support for Redis so you can use it for PHI.
• RabbitMQ management interface for control over your tasks.
50. Database Logs
Aptible now collects database logs in Log Drains, just like for apps.
• Create a new Log Drain to set this up if you haven't already!
• Use aptible logs --database $HANDLE to review recent
and live logs [3].
[3] Here again, you will need to upgrade your CLI to v0.8.0+!
51. Configure your database for logging
• Most databases don't log all queries by default. If that's what you
need, refer to your database documentation, or reach out to
Aptible support, we're happy to help!
• For MySQL specifically, only databases launched after January
19, 2017 may log queries to a Log Drain [4].
[4] If you have an older MySQL database and would like access to these logs, just let us know and we'll reload this
database for you off-hours. The database will be unavailable for approximately 30 seconds.
54. SSL is available for all new Redis databases
New Redis databases deployed on Aptible now support SSL [5].
This lets you store PHI in Redis.
[5] In addition to the plaintext Redis protocol.
55. The SSL credentials are found in your Aptible Dashboard [6]
[6] Redis instances launched before January 19, 2017 don't have SSL. If you don't see an SSL credential, that's why. You
can request enabling this via support (just like for MySQL logs).
56. Most Redis clients support SSL out of the box
SSL is not a standard feature of Redis itself, but most Redis clients do
support it out of the box.
The Redis SSL connection URL Enclave provides uses the
rediss:// protocol (with two s), which most clients recognize as
SSL.
If needed, consult your client documentation.
57. CLI Support (v0.8.4+)
When tunnelling to your Redis database, use the --type flag to connect over the SSL
endpoint:
bash-3.2$ aptible db:tunnel big-redis --type redis+ssl
Creating redis+ssl tunnel to big-redis...
Connect at rediss://:REDACTED@localhost.aptible.in:51513
Or, use the following arguments:
* Host: localhost.aptible.in
* Port: 51513
* Password: REDACTED
Connected. Ctrl-C to close connection.
This only affects traffic from the SSH Portal to your Redis instance: traffic from your
workstation to the SSH Portal is of course always encrypted.
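Turning the connection URL from slides 56 and 57 into client settings that refuse plaintext for a PHI store, as an added example (not Aptible's code). The keyword names `ssl`, `ssl_cert_reqs` and `ssl_ca_certs` follow redis-py's `Redis(...)` constructor, which is an assumption about that client and not something the page states; the URL in the sample is the redacted tunnel URL from slide 57, and the CA bundle path is the one shown with `rabbitmqadmin` on slide 59.

```python
from typing import Any, Dict
from urllib.parse import unquote, urlparse

DEFAULT_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"   # bundle path from slide 59

def redis_client_kwargs(url: str, holds_phi: bool = True,
                        ca_bundle: str = DEFAULT_CA_BUNDLE) -> Dict[str, Any]:
    """Map a redis:// or rediss:// URL to client settings. A plaintext URL is
    refused when the store holds PHI; a rediss:// URL gets certificate
    verification turned on (keyword names assume redis-py's Redis())."""
    u = urlparse(url)
    if u.scheme not in ("redis", "rediss"):
        raise ValueError(f"not a Redis URL: {url!r}")
    if u.scheme == "redis" and holds_phi:
        raise ValueError("plaintext redis:// refused for PHI; use the rediss:// endpoint")
    kwargs: Dict[str, Any] = {
        "host": u.hostname,
        "port": u.port or 6379,
        "password": unquote(u.password) if u.password else None,
        "db": int(u.path.lstrip("/") or 0),
    }
    if u.scheme == "rediss":
        # Verify the server certificate against the system bundle rather than
        # accepting any certificate, which would leave the tunnel hop unauthenticated.
        kwargs.update(ssl=True, ssl_cert_reqs="required", ssl_ca_certs=ca_bundle)
    return kwargs

if __name__ == "__main__":
    # Tunnel URL as printed by `aptible db:tunnel ... --type redis+ssl` on slide 57.
    print(redis_client_kwargs("rediss://:REDACTED@localhost.aptible.in:51513"))
```

The same function accepts a plain `redis://` URL only when `holds_phi=False`, so a misconfigured environment variable pointing at the plaintext endpoint fails at startup instead of silently sending PHI in the clear from the SSH Portal to the database.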
59. Database Support
We now expose the RabbitMQ Management Interface [7]. This lets you
manage your RabbitMQ instance via rabbitmqadmin or the web UI:
$ ./rabbitmqadmin --user=aptible --password="$PASSWORD" --host="$HOST" --port="$PORT" \
    --ssl --ssl-ca-cert-file=/etc/ssl/certs/ca-certificates.crt list vhosts
+------+----------+
| name | messages |
+------+----------+
| /    |          |
| db   |          |
+------+----------+
[7] Here again, RabbitMQ instances launched before January 19, 2017 need to be reloaded. If you can't find your
RabbitMQ management credentials, contact support and we'll reload your RabbitMQ instance for you.
60. Access the RabbitMQ management interface via a tunnel
aptible db:tunnel $HANDLE --type management
63. The Aptible CLI is now available on Windows
Download it if you're using Windows and haven't done so yet!
https://aptible.com/support/toolbelt
• Desktop: Windows 8.1 64-bit and greater
• Server: Windows 2012 R2 64-bit and greater
64. All mainstream operating systems now supported via the Toolbelt [8]
OSX, Windows, Ubuntu, Debian, Red Hat, CentOS
[8] The Aptible Toolbelt is a package containing the Aptible CLI. It bundles all of the CLI's system dependencies to make
installation a breeze.