Normation – 87 rue de Turbigo, 75003 PARIS, France
contact@normation.com – +33 1.83.62.26.96 – http://www.normation.com/ 1
Best Practices for long-term Rudder usage in Production
Configuration Management Camp 2018

Policy Design for Sustainability
● Policy Design
● Rudder Usage
Naming things
● Searchability
○ Example: multidimensional names (i.e. everything “SAP”, every “Config” directive, “name_of_some_os_file”)
○ Can now also use tags for this kind of information, especially key-value tags (“Application” : “HAProxy”, “Type” : “Config”, “Team” : “X”, etc.)
● Consistency
○ Need to define a regex & document how to “build a name”, or people will struggle / not bother
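The “define a regex and document it” bullet above, as an added example that is not part of the slides: a naming convention for directives written down next to the regex that enforces it, plus a small lint over a list of names. The convention (`<Application>_<Type>_<object>`) and the allowed `Type` values are assumptions made for this example; substitute your own dimensions.

```shell
#!/bin/sh
# Added example (not from the slides): a documented naming convention for
# Rudder directives, enforced by one regex, so every name carries the same
# dimensions in the same order:  <Application>_<Type>_<object>
# The convention itself is an assumption made for this example.
#
#   Application : one CamelCase word, e.g. SAP, HAProxy, Postfix
#   Type        : one of Config | Install | Service | Users
#   object      : lowercase file/service/package name (dots, dashes, underscores)

DIRECTIVE_NAME_REGEX='^[A-Z][A-Za-z0-9]*_(Config|Install|Service|Users)_[a-z0-9][a-z0-9._-]*$'

# check_directive_name NAME -> 0 if NAME follows the convention, 1 otherwise
check_directive_name() {
    printf '%s\n' "$1" | grep -Eq "$DIRECTIVE_NAME_REGEX"
}

# lint_names FILE -> prints each non-conforming name on stderr and returns
# how many there were (capped at 255 by the shell). FILE holds one directive
# name per line, e.g. a list exported from the Rudder API.
lint_names() {
    bad=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! check_directive_name "$name"; then
            printf 'non-conforming name: %s\n' "$name" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}
```

Run `lint_names` in a pre-commit hook or a periodic job against the exported directive list; a non-zero return means the documented convention has drifted, which is exactly the moment the “people will not bother” problem starts.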
Separate “Code” from Data
● Security: do not allow any infra data or secrets anywhere in techniques. Use variables or properties to inject them.
● Node properties with sane defaults; use the JS engine to avoid duplication:
“${rudder.node.hostname}”.substring(0,3)
● Synchronize data instead of duplicating it (datasources plugin)
● Use Global parameters
● Use Technique parameters (4.3)
Technique parameters
Classifying Nodes
● Make technical groups from inventory (“Debian 9.2”, “Physical Node”, etc.)
● Make business groups from inventory or properties (“Production”, “Load Balancer”, etc.)
● Use “In Group” criteria to avoid duplicating criteria (4.3)
● Use lifecycle state (4.3) for a node's state regarding Rudder
Designing Rules
● Optimize your directives so that they can be attached to N rules as needed (opt-in, i.e. for things like X11 libs or compiler bundles)
Technique Editor
● State vs. Script
● Only use repaired conditions to trigger actions when strictly necessary; use check methods or idempotent scripts when possible. A repaired condition will only be defined during one run and might never be defined again. If the run is interrupted or the conditioned method fails, your policy will not be fully applied, and this will not be visible in the displayed compliance.
● Wrap unix commands etc. into wrapper scripts that DO THEIR JOB, i.e. fully abstract the application commands so that Rudder knows whether they are kept, changed or in error
● Sort by method, not by flow (all files, all permissions, all executions). You’re not scripting, you’re drawing a blueprint!
Technique Editor
● Limit complexity
● Maintain strict independence between different techniques (conditions, variables, etc.)
● Only 1st-level dependencies; if there are >3 dependencies on something, raise a well-named condition for it (might incur one more agent run)
● Break apart package install, configuration (and sometimes even split out daemon management) and communications (server registration etc.)
Technique Editor
● Limit complexity
● Do not have > ~10 methods in a technique; it becomes unmaintainable
● Use iterators. They create bad reports, but at some point we’ll get that fixed. Package policies without iterators are unmaintainable, and other things benefit too
Managing File Content
● Have very precise headers for managed files (“this file is managed in whole by Rudder rule X, directive Y; do not edit here”)
● Comment distributed files
● Prefer templating/copy over edits: easier to maintain, avoids partial application and undefined variables; the state definition is absolute, not relative to the previous state.
● The File content technique is useful for complex cases. Use sections to limit complexity
Safety Checks
● File copy with check (next minor); more generally, use linters/check commands
● Safety checks on variable content for important policies, sane defaults when possible.
● Use audit mode to assess the current state on nodes (for existing nodes or items that were not Rudder-controlled before)
● Use runtime conditions to unlock dangerous parts of policy with:
rudder agent run -D allow_cryptfs_setup
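The first two bullets above (“file copy with check” and “safety checks on variable content, sane defaults”) as one added example that is not from the slides or the Rudder project. The candidate file is run through a check command before it replaces the live one, so a broken render never reaches the daemon and the previous working config stays in place; a value pulled from a variable is defaulted and range-checked before it is rendered. Function names, the exit-code convention (0 kept, 1 repaired, 2 error) and the use of `sh -n` as the checker are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the slides or the Rudder project).
# deploy_checked: copy SRC to DST only if a check command accepts the
# candidate; the live file is never touched by a rejected candidate.
# Exit codes follow the same convention as a state method: 0 kept,
# 1 repaired, 2 error (an assumption for this example).

# deploy_checked SRC DST CHECK_CMD
#   CHECK_CMD is run as: $CHECK_CMD <candidate-file>; non-zero = reject.
deploy_checked() {
    src=$1; dst=$2; check=$3

    [ -f "$src" ] || { echo "source $src missing" >&2; return 2; }

    # Kept: live file already identical, nothing to do.
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 0
    fi

    # Validate the candidate next to where it will live, so a checker that
    # resolves relative includes sees them the way the daemon will.
    candidate=$(mktemp "$(dirname "$dst")/.candidate.XXXXXX") || return 2
    cp "$src" "$candidate" || { rm -f "$candidate"; return 2; }
    if ! $check "$candidate" >/dev/null 2>&1; then
        echo "check failed for $src, keeping current $dst" >&2
        rm -f "$candidate"
        return 2
    fi
    mv "$candidate" "$dst" || { rm -f "$candidate"; return 2; }
    return 1                           # repaired
}

# bounded_int NAME VALUE DEFAULT MIN MAX -> prints the value to render
#   Empty/undefined or non-numeric input falls back to DEFAULT (logged);
#   out-of-range values are clamped. This is the "sane default + safety check
#   on variable content" step, done before the value reaches a template.
bounded_int() {
    name=$1; value=$2; default=$3; min=$4; max=$5
    case $value in
        ''|*[!0-9]*) echo "$name: '$value' is not numeric, using $default" >&2
                     value=$default ;;
    esac
    [ "$value" -lt "$min" ] && value=$min
    [ "$value" -gt "$max" ] && value=$max
    printf '%s\n' "$value"
}
```

The check command is whatever validates the format in question (`nginx -t`-style config tests, `visudo -c`, a JSON or YAML linter); the important property is that it runs against the candidate, not against the live file after the copy. A rejected deploy returns 2 and leaves the previous file in place, so the compliance report shows an error on the node instead of a daemon that fails to restart.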
● Policy Design
● Rudder Usage
Testing
● Dedicated testing environments, and testing nodes in prod environments
○ Need one testing node per relay; allows for end-to-end tests PLUS continuous regression testing
○ QA env size recommendation 5%-15%, test env size 1%
Traceability and Auditability
● Use the audit log messages (tail -f during a change; ship them to elasticsearch / splunk)
● Maintain distributed files and templates in a VCS repository (which can be the configuration-repository) with a proper log/review process
● Add documentation in description fields, links to external resources
● Your Rudder config is to your infra what a VCS repository is to your code
Questions?
