This document discusses certificates in Puppet and provides an overview of certificate management. It begins with an introduction to public key infrastructure (PKI) and the X.509 standard used by Puppet. It then covers Puppet certificate structures, filenames, and the REST API. The document also discusses setting up distributed Puppet environments with multiple certificate authorities and replacing a Puppet CA. It emphasizes the importance of security practices and guidelines for certificate lifecycle management.
An introduction to Zend Framework 1.8 using Zend_Tool, Zend_Application, a simple DAO and a very simple model that uses that DAO.
In the end you have a fully working application
Developers need to be able to run an application on an environment as closely matched to production as possible. We can already do this through Vagrant. The problem with Vagrant is that it is slow and takes a lot of resources, both in CPU and disk space. Docker doesn't have this problem and gives you a tool to create hundreds of different application environments on the same machine and distribute them through a registry. As Git replaced SVN, so has Docker replaced Vagrant for application environment setups. Leave the future behind, own today (like a boss).
With Composer as an integral part of the Laravel 4 PHP framework, PHP programmers finally have a way to break complex projects into smaller independent units (Laravel Packages) that can later easily be used in any other project. This brings code reusability to a completely new level. The lecture describes the process of creating a simple Laravel package with Facade and Artisan CLI support. A detailed walkthrough is available as a GitHub project as well: https://github.com/orangehill/Laravel-Workbench-Walkthrough
Building a Perl5 smoketest environment in Docker using CPAN::Reporter::Smoker. Includes an overview of "smoke testing" and shell commands to construct a hybrid environment with an underlying O/S image and data volumes for /opt and /var/lib/CPAN. This allows maintaining the Perly smoke environment without having to rebuild it.
PuppetConf 2016: Puppet Troubleshooting – Thomas Uphill, Wells Fargo – Puppet
Here are the slides from Thomas Uphill's presentation called Puppet Troubleshooting. Watch the videos at https://www.youtube.com/playlist?list=PLV86BgbREluVjwwt-9UL8u2Uy8xnzpIqa
Walter Heck, founder of OlinData, presented a step-by-step guide on how to set up a proper Puppet repository, complete with the brand new PuppetDB, exported resources and usage of open source modules.
At the moment, cloud CI systems are a highly-demanded service. In this article, we'll tell you how to integrate analysis of source code into a CI cloud platform with the tools that are already available in PVS-Studio. As an example we'll use the Travis CI service.
Going native with less coupling: Dependency Injection in C++ – Daniele Pallastrelli
Slideshow from C++ Meetup Bologna 2014, about the central role of Dependency Injection in OO software.
The slide deck contains detailed explanation about dependency injection in general and C++ frameworks in particular.
This isn’t your uncle’s “what’s a WAF” talk. I’ll be covering as many cool tricks and advanced topics related to deploying Web Application Firewalls as I can. I will show you how to write custom scripts using Lua and mod_security, and give first-hand experiences of how I used scripting with a WAF to put the security team at my previous job ahead of the game when dealing with web app attacks. I will be including the source code for these example scripts, which can be used to provide automatic incident response, counter-intelligence and more.
A book for learning Puppet by real example and by building code. Chapter 1 gives you a basic introduction and sets you up with a server and agent using Vagrant so that you can get hands-on.
Puppet for Java developers - JavaZone NO 2012 – Carlos Sanchez
Example code at https://github.com/carlossg/puppet-for-java-devs
More info at http://blog.carlossanchez.eu/tag/devops
Video at http://vimeo.com/49483627
Puppet is an infrastructure-as-code tool that allows easy and automated provisioning of servers, defining the packages, configuration, services,... in code. Enabling DevOps culture, tools like Puppet help drive Agile development all the way to operations and systems administration, and along with continuous integration tools like Jenkins, it is a key piece to accomplish repeatability and continuous delivery, automating the operations side during development, QA or production, and enabling testing of systems configuration.
Traditionally a field for system administrators, Puppet can empower developers, allowing both to collaborate coding the infrastructure needed for their developments, whether it runs in hardware, virtual machines or cloud. Developers and sysadmins can define what JDK version must be installed, application server, version, configuration files, war and jar files,... and easily make changes that propagate across all nodes.
Using Vagrant, a command line automation layer for VirtualBox, they can also spin up virtual machines on their local box, easily from scratch with the same configuration as production servers, do development or testing and tear them down afterwards.
We’ll show how to install and manage Puppet nodes with JDK, multiple application server instances with installed web applications, database, configuration files and all the supporting services. Including getting up and running with Vagrant and VirtualBox for quickstart and Puppet experiments, as well as setting up automated testing of the Puppet code.
More info at http://blog.carlossanchez.eu/2011/11/15/from-dev-to-devops-slides-from-apachecon-na-vancouver-2011/
The DevOps movement aims to improve communication between developers and operations teams to solve critical issues such as fear of change and risky deployments. But the same way that Agile development would likely fail without continuous integration tools, the DevOps principles need tools to make them real, and provide the automation required to actually be implemented. Most of the so called DevOps tools focus on the operations side, and there should be more than that, the automation must cover the full process, Dev to QA to Ops and be as automated and agile as possible. Tools in each part of the workflow have evolved in their own silos, and with the support of their own target teams. But a true DevOps mentality requires a seamless process from the start of development to the end in production deployments and maintenance, and for a process to be successful there must be tools that take the burden out of humans.
Apache Maven has arguably been the most successful tool for development, project standardization and automation introduced in the last years. On the operations side we have open source tools like Puppet or Chef that are becoming increasingly popular to automate infrastructure maintenance and server provisioning.
In this presentation we will introduce an end-to-end development-to-production process that will take advantage of Maven and Puppet, each of them at their strong points, and open source tools to automate the handover between them, automating continuous build and deployment, continuous delivery, from source code to any number of application servers managed with Puppet, running either in physical hardware or the cloud, handling new continuous integration builds and releases automatically through several stages and environments such as development, QA, and production.
From Dev to DevOps - Apache Barcamp Spain 2011 – Carlos Sanchez
UPDATE: updated slides at http://www.slideshare.net/carlossg/from-dev-to-devops-conferencia-agile-spain-2011
The DevOps movement aims to improve communication between developers and operations teams to solve critical issues such as fear of change and risky deployments. But the same way that Agile development would likely fail without continuous integration tools, the DevOps principles need tools to make them real, and provide the automation required to actually be implemented. Most of the so called DevOps tools focus on the operations side, and there should be more than that, the automation must cover the full process, Dev to QA to Ops and be as automated and agile as possible. Tools in each part of the workflow have evolved in their own silos, and with the support of their own target teams. But a true DevOps mentality requires a seamless process from the start of development to the end in production deployments and maintenance, and for a process to be successful there must be tools that take the burden out of humans.
Apache Maven has arguably been the most successful tool for development, project standardization and automation introduced in the last years. On the operations side we have open source tools like Puppet or Chef that are becoming increasingly popular to automate infrastructure maintenance and server provisioning.
In this presentation we will introduce an end-to-end development-to-production process that will take advantage of Maven and Puppet, each of them at their strong points, and open source tools to automate the handover between them, automating continuous build and deployment, continuous delivery, from source code to any number of application servers managed with Puppet, running either in physical hardware or the cloud, handling new continuous integration builds and releases automatically through several stages and environments such as development, QA, and production.
The $path to knowledge: What little it takes to unit-test Perl. – Workhorse Computing
Metadata-driven laziness, Perl, and Jenkins provide a nice mix for automated testing. With Perl the only thing required to start testing is a file's path; from there the possibilities are endless. Using Symbol's qualify_to_ref makes it easy to validate @EXPORT & @EXPORT_OK, and knowing the path makes it easy to use "perl -wc" to get diagnostics.
The beautiful thing is all of it can be lazy... er, "automated". And repeatable. And simple.
This talk covers a basic methodology for finding and fixing problems in a live system. It covers general techniques for finding the source of issues quickly, workarounds, patching, digging into code, when and how to get help.
One-Man Ops with Puppet & Friends.
If you're getting started in Amazon AWS, here are 7 tools that will help you be successful, a few tips to make your life easier and some common pitfalls to avoid.
Jeremy Adams and Lizzi Lindboe delivered this talk at PuppetConf 2015. You'll learn some REST / HTTP API basics, hear about some useful CLI tools, and get some useful examples that you can try on the Puppet Learning VM or any Puppet Enterprise install.
A guide through where to look for errors when they happen in the various parts of Puppet Enterprise (the console, Live Management, puppet master, ActiveMQ, MCollective, agent), what some of those errors mean, and which warnings and errors are red herrings or normally occurring.
Celia Cottle
Support Engineer, Puppet Labs
Celia Cottle is a Support Engineer at Puppet Labs, where she troubleshoots and resolves issues for Puppet Enterprise customers. She comes from Portland State University, where she worked for the College of Engineering and Computer Science doing technical support, while getting her degree in Communication. She’s been working in IT for over five years and enjoys problem solving, working with a wide range of OSes and software, and the variety of challenges that supporting Puppet Enterprise brings. She currently resides in Portland, Oregon.
Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended, participants will be building and pushing with Docker during the workshop.
Led By Docker Security Experts:
Riyaz Faizullabhoy
David Lawrence
Viktor Stanchev
Experience Level: Intermediate to advanced level Docker experience recommended
Introduction to InSpec and 1.0 release update – Alex Pop
Contains an introduction to infrastructure and compliance tests as code and how InSpec can be used for this.
Agenda:
* Why infrastructure tests as code
* What is InSpec and how it works
* Core and custom resources
* What's new in InSpec 1.0 (released Sept 26, 2016)
* Documentation and installation
* Integrations
* Demo
* Chef Community Summit
We all love infrastructure as code, we automate everything ™, but how many of us can really say we could destroy and recreate our core infrastructure without human intervention? Can you be sure there isn't a DNS problem, or that all the things ™ are done in the right order? This talk walks the audience through a greenfield exercise that sets up service discovery using Consul and infrastructure as code using Terraform, using images built with Packer and configured using Puppet.
Automating IT management with Puppet + ServiceNow – Puppet
As the leading IT Service Management and IT Operations Management platform in the marketplace, ServiceNow is used by many organizations to address everything from self service IT requests to Change, Incident and Problem Management. The strength of the platform is in the workflows and processes that are built around the shared data model, represented in the CMDB. This provides the ‘single source of truth’ for the organization.
Puppet Enterprise is a leading automation platform focused on the IT Configuration Management and Compliance space. Puppet Enterprise has a unique perspective on the state of systems being managed, constantly being updated and kept accurate as part of the regular Puppet operation. Puppet Enterprise is the automation engine ensuring that the environment stays consistent and in compliance.
In this webinar, we will explore how to maximize the value of both solutions, with Puppet Enterprise automating the actions required to drive a change, and ServiceNow governing the process around that change, from definition to approval. We will introduce and demonstrate several published integration points between the two solutions, in the areas of Self-Service Infrastructure, Enriched Change Management and Automated Incident Registration.
Simplified Patch Management with Puppet - Oct. 2020 – Puppet
Does your company struggle with patching systems? If so, you’re not alone — most organizations have attempted to solve this issue by cobbling together multiple tools, processes, and different teams, which can make an already complicated issue worse.
Puppet helps keep hosts healthy, secure and compliant by replacing time-consuming and error prone patching processes with Puppet’s automated patching solution.
Join this webinar to learn how to do the following with Puppet:
Eliminate manual patching processes with pre-built patching automation for Windows and Linux systems.
Gain visibility into patching status across your estate regardless of OS with new patching solution from the PE console.
Ensure your systems are compliant and patched in a healthy state
How Puppet Enterprise makes patch management easy across your Windows and Linux operating systems.
Presented by: Margaret Lee, Product Manager, Puppet, and Ajay Sridhar, Sr. Sales Engineer, Puppet.
2. Thomas Gelf, nice to meet you!
joined NETWAYS in 2010
formerly more than ten years of...
web (application) development
routing/switching: bank/ISP backbones
ISP: Mail, Hosting, SIP-Carrier, IPv6...
9. What this talk is all about
certificates
puppet certificates
REST API
distributed environments
security issues and their consequences
certificate lifecycle
13. Public Key Infrastructure - PKI
everybody has their own private key
signs or encrypts a message
verification/decryption uses public key
algorithms: RSA, DSA...
15. X.509
describes how our Puppet PKI works
https:// - you use it every day
ITU-T standard
defines a strict hierarchy
a tree instead of a "web of trust"
X509v3: allows extensions
21. Puppet certificates: archeology
Want to see a fresh new Puppet CA? Try it out!
mkdir /tmp/ssltest
puppet master --no-daemonize --verbose \
    --ssldir /tmp/ssltest \
    --certname test.example.com
24. Same thing for the agent
puppet agent --test \
    --ssldir /tmp/sslagent \
    --certname test.example.com
25. We all know the basics
puppet cert list
puppet cert list --all
puppet cert sign test.example.com
puppet cert revoke test.example.com
puppet cert clean test.example.com
find ./ -name 'test.example.com*' -delete
26. SSL directories
puppet master --configprint ssldir
puppet agent --configprint ssldir
manual configuration makes sense
think about user permissions
~/.puppet, /var/lib/puppet
master and agent on the same host
Passenger vs. debug mode (--no-daemonize): the process runs as a different user, so the ssldir it reads may differ
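The permissions point above is easy to check mechanically. The script below is an added example, not part of the slides: it lists every file under an ssldir's private_keys/ directory that is readable, writable or executable by group or others, which is what you want to audit when master and agent share a host or run under different users. The sample ssldir it builds is constructed for the demonstration; point loose_private_keys at the directory that `puppet master --configprint ssldir` prints on a real host.

```shell
#!/bin/sh
# Added example (not from the slides): audit an ssldir for private keys whose
# mode grants anything to group or others. Only the private_keys/ layout from
# the slides (ssldir/private_keys/*.pem) is assumed.

# Print every regular file under "$1/private_keys" that has any of the
# group/other permission bits set. POSIX find only guarantees "-perm -mode"
# (all bits of mode set), so each of the six bits is tested separately.
# Output is empty when every key is 0600 or stricter.
loose_private_keys() {
    ssldir=$1
    if [ ! -d "$ssldir/private_keys" ]; then
        echo "no private_keys directory in $ssldir" >&2
        return 2
    fi
    find "$ssldir/private_keys" -type f \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \)
}

# Build a throwaway ssldir (constructed sample) with one key that is world
# readable and one that is owner-only. Prints the directory path.
make_sample_ssldir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/private_keys" "$dir/certs"
    : > "$dir/private_keys/loose.example.com.pem"
    : > "$dir/private_keys/strict.example.com.pem"
    chmod 644 "$dir/private_keys/loose.example.com.pem"
    chmod 600 "$dir/private_keys/strict.example.com.pem"
    echo "$dir"
}

# Demonstration on the constructed sample: only loose.example.com.pem is listed.
sample=$(make_sample_ssldir)
echo "keys with loose permissions under $sample:"
loose_private_keys "$sample"
rm -rf "$sample"
```

Anything the script lists should be tightened with `chmod 600`; a key that another local user can read lets that user present the host's certificate, which is exactly the "think about user permissions" item on the slide.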
28. Custom data in your certificates
https://docs.puppetlabs.com/puppet/latest/reference/ssl_attributes_extensions.html
/etc/puppet/csr_attributes.yaml
custom attributes in your CSR
30. Study security guidelines!
Study security guidelines!
Study security guidelines!
STUDY SECURITY GUIDELINES!
puppetlabs.com/mcollective/security-overview
31. Get inspired by existing modules
make sure you understood them
or write your own ones
re-use Puppet certificates
read about trust
and STUDY THE SECURITY GUIDELINES!
33. It's a web application!
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+...
    SSLHonorCipherOrder on
    SSLCertificateFile $ssldir/certs/$fqdn.pem
    SSLCertificateKeyFile $ssldir/private_keys/$fqdn.pem
    SSLCertificateChainFile $ssldir/ca/ca_crt.pem
    SSLCACertificateFile $ssldir/ca/ca_crt.pem
    SSLCARevocationFile $ssldir/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>
34. The Rest API
# http://docs.puppetlabs.com/guides/rest_api.html
https://master:8140/{environment}/{resource}/{key}
available on puppet master
and on VERY ancient agents (listen=true)
35. Puppet REST API URI examples
GET /{environment}/catalog/{node certificate name}
GET /{environment}/file_bucket_file/md5/{checksum}
GET /{environment}/facts/{node certname}
37. SSL-enabled curl example
Use your certificates and discover the API:
curl \
    --cert /var/lib/puppet/ssl/certs/host.pem \
    --key /var/lib/puppet/ssl/private_keys/host.pem \
    --cacert /var/lib/puppet/ssl/ca/ca_crt.pem \
    -k -H "Accept: yaml" \
    https://master:8140/production/facts/somehostname
Note that -k turns off verification of the master's certificate. With --cacert pointing at the Puppet CA it is only needed when the hostname in the URL does not match a name in the master's certificate.
40. Configuration for such a setup
One CA is more than enough:
[master]
ca = false
[agent]
ca_server = ca.example.com
Optionally, still experimental: DNS SRV records
41. Chain of trust
Since 3.2.1 you can use intermediate CAs to delegate trust
# http://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html
[agent]
ssl_client_ca_auth = $certdir/issuer.pem
Tell Apache about your chain:
SSLCertificateChainFile "/path/to/ca_bundle.pem"
42. It could look like this
             +------------------------+
             |  Root self-signed CA   |
             +-----+------------+-----+
                   |            |
                   v            v
         +-----------------+  +----------------+
         |    Master CA    |  |    Agent CA    |
         +--------+--------+  +--------+-------+
                  |                    |
                  v                    v
         +-----------------+  +----------------+
         | Master SSL Cert |  | Agent SSL Cert |
         +-----------------+  +----------------+
43. SSL Professional?
integrate it in your existing hierarchy
use your own toolchain
ship signed certificates (carefully)
47. A specific security problem
Very interesting and worth to read: CVE-2011-3872
"In versions prior to 2.6.12 and 2.7.6, the Puppet CA will
improperly insert any certdnsnames values into agent
certificates as well as master certificates. This bug was
introduced in Puppet 0.24.0."
puppet master --configprint certdnsnames
puppet, puppet.example.com
48. Study it!
http://links.puppetlabs.com/cve20113872_remediation
Have a look at the remediation toolkit
And to be on the safe side, check your agent certs:
openssl x509 -in test.example.com.pem -noout -text | \
    grep 'Subject Alt' -A 1
X509v3 Subject Alternative Name:
    DNS:test.example.com, DNS:puppet, DNS:puppet.example.com
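The grep above has to be read by eye for every agent certificate. The script below is an added example, not part of the slides or of the remediation toolkit: it takes the text that `openssl x509 -noout -text` prints, pulls the DNS names out of the Subject Alternative Name extension and reports every name that equals one of the CA's certdnsnames while not being the certificate's own certname. SAMPLE_CERT_TEXT is constructed to match the output shown on this slide, and the certdnsnames value "puppet, puppet.example.com" is the one printed on slide 47; the check_cert_file wrapper and its paths are assumptions for use on a real host.

```shell
#!/bin/sh
# Added example (not from the slides): flag agent certificates whose SAN carries
# the CA's certdnsnames (CVE-2011-3872). Works on openssl's text output, so the
# demonstration below runs without openssl installed.

# Constructed sample: what `openssl x509 -noout -text` prints for an agent
# certificate issued by an affected CA (names taken from the slides).
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Subject: CN=test.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:test.example.com, DNS:puppet, DNS:puppet.example.com
'

# Read openssl text output on stdin; print the DNS names of the SAN extension
# one per line (nothing if the certificate has no SAN).
san_dns_names() {
    awk '/Subject Alternative Name/ { getline; gsub(/[ ,]+/, "\n"); print }' |
        sed -n 's/^DNS://p'
}

# $1: the certificate's own certname; $2: the CA's certdnsnames as a comma
# separated list (spaces allowed, as `--configprint certdnsnames` prints it).
# Reads openssl text on stdin and prints every SAN name that is one of the
# certdnsnames and not the certname. Returns 1 if any was found, else 0.
rogue_san_names() {
    certname=$1
    certdnsnames=$(printf '%s' "$2" | tr -d ' ')
    found=0
    for name in $(san_dns_names); do
        [ "$name" = "$certname" ] && continue
        case ",$certdnsnames," in
            *",$name,"*) echo "$name"; found=1 ;;
        esac
    done
    return $found
}

# Same check on a PEM file when openssl is available (assumed usage):
#   check_cert_file /var/lib/puppet/ssl/certs/test.example.com.pem \
#       test.example.com "$(puppet master --configprint certdnsnames)"
check_cert_file() {
    openssl x509 -in "$1" -noout -text | rogue_san_names "$2" "$3"
}

# Demonstration on the constructed sample: prints "puppet" and
# "puppet.example.com", then the reissue message.
if printf '%s\n' "$SAMPLE_CERT_TEXT" |
        rogue_san_names test.example.com "puppet, puppet.example.com"; then
    echo "no rogue SAN entries"
else
    echo "certificate carries the master's names: reissue it from a clean CA"
fi
```

Run check_cert_file over every file in the CA's signed/ directory to get the list of certificates that need replacing. As the next slide says, a certificate this script flags stays valid after an upgrade, so the fix is a new CA, not a newer Puppet.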
49. WARNING
"upgrading" doesn't fix a mess like this
old certificates would remain valid
you have to switch to a new CA...
...and this leads us to the next topic
51. Bad news
Puppet should allow for automatic resigning of SSL certs
http://projects.puppetlabs.com/issues/7272
There is no such thing in Puppet
"...will be available with Puppet Sites"