trusted confiuratons for umd deployments
play

Trusted confiuratons for UMD deployments Bruce Becker, EGI - PowerPoint PPT Presentation

Aug 20, 2022 •28 likes •278 views

Trusted confiuratons for UMD deployments Bruce Becker, EGI Operatons bruce.becker@eii.eu @brusisceddu brucellino 0000-0002-6607-7145 Bruce Becker | EGI Operations Team | bruce.becker@egi.eu Outline Ansible in the UMD path to

  1. Trusted confiuratons for UMD deployments Bruce Becker, EGI Operatons  bruce.becker@eii.eu  @brusisceddu  brucellino 0000-0002-6607-7145 Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  2. Outline ● Ansible in the UMD path to producton ● A style guide for EGI What makes our roles ‘ours’ ? – How can we trust each others’ work ? – ● Tests and Infrastructure Specifcatons ● Collaboraton and re-usability Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  3. Ansible in the UMD path to producton ● We used to have a unique* confguraton management tool – YAIM ● YAIM solved at least two problems : Confguraton Management : single place in which to express the desired – confguraton state Deployment : executable means to achieve the state – ● UMD products slowly dropped YAIM, favouring one or other tool for confguraton management : Puppet – Ansible – Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  4. Site confiuraton manaiement – too many optons ? ● Sites are now freer to choose how to confgure and deploy middleware ● The choice of tool comes down to local expertse and historical preferences ● Support for debugging confguraton issues however becomes harder – community tends to split into ‘if you use this tool, change this variable… oh, sorry you use other tool, can’t help.’ ● Given that there is no objectve measure by which one tool is beter than another, can we fnd a way to support each other? ● IE , does a site admin really have to understand the internals of Puppet or Ansible to confgure the middleware at their site ? Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  5. Ansible or Puppet – does it mater ? ● It is difcult to say why Ansible or Puppet have the following they have in certain environments. ● There are design and ecosystem consideratons which suit diferent scenarios beter in each case ● Both can be used to achieve contnuous, correct deployment ● So : does it mater to the site admin whether a product expresses a preference for either ? I hazard that it should not. ● UMD deployment should be a conservatve force : End states should not depend on the path taken to get there – Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  6. Many tools : Why ? Pair proirammini ● First of : Confguraton code is code. Treat it as such. ● Pair programming allows collaboraton and quality code review. ● If both tools should achieve the same state for a given middleware product, we should be able to review each others’ work. ● But they are diferent languages and paradigms? How can we review each others’ work ? Focus on paterns instead of specifc implementaton – Collaborate on the objectve measures of quality – ie the fnal result – Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  7. Why ? Cross-validated deployments ● Why are there 4 experiments looking for the Higgs ? ● There are always biases and assumptons in deployment and confguraton scenarios – these make their way into the code for deployment. ● They implicitly exclude certain use cases or scenarios ● Cross-validatng deployments with diferent tools tends to surface these assumptons and force us to confront them. ● A good goal would be to achieve consistent deployments from a given state, regardless of the means to achieve it. Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  8. Why ? : A healthy ecosystem ● Reliance on a single tool and tribal knowledge around it is not a good sign ● Healthy ‘inter-breeding’ of ideas from slightly diferent ways of doing things will probably lead to beter health of the UMD ecosystem and whatever proceeds it. ● We can teach paterns and skills rather than tools – these are useful to industry (beter employability) but also makes it easier for us as a community to atract talent Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  9. EGI in the Ansible universe : the EGI Style Guide ● Ansible is simple but powerful IT automaton – really temptng to just solve problems and be done with it. ● However, this same power leads to massive divergence in the way in which problems are solved, making it difcult to trust that other peoples’ work will work for you. ● e.g. you fnd a role for confguring CREAM : Will it respect my local setup ? – Does it do the network confguraton ? – Who maintains this ? – Is it even correct ? – Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  10. Objectve measures ● Step 1 : A Style Guide  EGI-Foundaton/ansible-style-guide ● Expresses opinions on : Documentng roles – Ansible syntax in roles – Testng role scenarios, testng tools – Role release and publicaton – Collaboratng with code – ● Read more : brucellino.github.io/blog/Ansible-Style-Guide ● WIP : egi-foundaton.github.io/ansible-style-guide/ Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  11. Ansible Style Guide rôle Skeleton ● When creatng new roles, one typically uses ansible-galaxy init <role name> ● The default has several important bits ‘missing’ which are necessary for engendering re-use and trust : Issue and PR templates, contributng guide, links to EGI support structures – Relevant platorms which EGI supports in meta.yml – Properly-generated .travis.yml – Proper webhooks on build-passing to galaxy.ansible.com – ● ansible-galaxy init --role-skeleton=ansible-style- guide/egi-galaxy-skeleton high-performance-grid-cloud Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  12. Objectve measures ● Step 2 : A compliance profle  EGI-Foundaton/ansible-fashion-police ● We implement controls (using Inspec) for: Automated testng – GitHub repository confguraton – Role Metadata – Role Skeleton – Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  13. One role, many scenarios ● The underlying platorm is changing – clouds, vms, DMZs, containers, etc ● The confguraton tool should not enforce a partcular executon environment, but should express the middleware product appropriately in the respectve environment ● We need to mock and test various producton environments Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  14. Can we apply traditonal TDD to Infrastructure ? ● Molecule provides a general-purpose mock and testng framework for Ansible roles ● Allows developer to defne many deployment scenarios and test against them : ● Easiest is to test in Docker, but can test against OpenStack or bare-metal scenarios, from given startng points Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  15. TDD for Ansible roles Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  16. Infrastructure Models and Specifcatons ● Remember : ‘’UMD deployment should be a conservatve force’’ ● We should be able to model deployments independently of the tool used... Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  17. Infrastructure Models and Specifcatons brucellino.iithub.io/bloi/Style-Guide-In-Acton Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  18. Beter use of infrastructure : Ansible Galaxzy Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  19. Beter use of infrastructure : Ansible Galaxzy Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  20. Beter use of infrastructure : Quay ● CI on Travis pushes to Quay on build-passing : artefacts immediately available for re-use in subsequent steps of the – pipeline ● Something similar could be done for VMS (push to AppDB) ● Vulnerabilites and obsolete packages immediately visibile Can open issues against the repo automatcally – Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  21. DevSecOps – thanks clair Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  22. Collaboraton and re-usability ● Puttjng development into context with a solid foundaton and objectve measures makes it easier for operatons to trust the results thereof. ● Both Dev and Ops can agree on the fnal state of the service in given scenarios ● Clear case for following TDD and BDD using relevant tools (TestInfra, Inspec, Cucumber) ● Issues in the fnal state can be traced back to code if there is an unbroken pipeline between commit and deploy. Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  23. DevOps ● For us to achieve DevOps and support many more deployment scenarios - Small sites with few staf, in known scenarios – Unmanned deployments – Diferent deployment platorms – ● … we need product teams and infrastructure engineers to collaborate … Peer review, pull requests, infrastructure specs, documentaton – ● … not on the code of the product itself, but the pipeline for delivering that product in a viable state to the producton environment ● Close links with the ‘lightweght’ sites work from CERN and SKA HPC ecosystem sites in Africa. Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

  24. In summary : ● UMD confguratons should be put through the same rigourous testng as UMD products ● Having more than one tool to achieve producton states is good, as long as there is a community of practce in EGI around those tools ● A community of practce is expressed in the EGI Ansible Style Guide, along with a compliance profle. ● Allows those wantng to develop infrastructure components to do so smoothly and collaboratvely – Operate infrastructure components to do so with confdence – Bruce Becker | EGI Operations Team | bruce.becker@egi.eu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution

TRUSTED MEMORY Software-Based O-Chip Memory Protection for RISC-V Trusted Execution Environments Gui Andrade Krste Asanovi Dayeol Lee David Kohlbrenner Dawn Song University of California, Berkeley TRUSTED MEMORY? Securing data/code

703 views • 48 slides
Trusted Caregivers, On Demand An app that provides a marketplace of trusted, convenient, and

Trusted Caregivers, On Demand An app that provides a marketplace of trusted, convenient, and

Trusted Caregivers, On Demand An app that provides a marketplace of trusted, convenient, and affordable caregivers to families on demand. Why create RestUp? Americans provide $470 Billion in unpaid care in 2015. Emergency Staffing

323 views • 8 slides
Network deployments for universal connectivity Radical solutions to radical problems

Network deployments for universal connectivity Radical solutions to radical problems

Network deployments for universal connectivity Radical solutions to radical problems Universal deployment Private deployments on public space and commons infrastructure Mandatory infrastructure sharing From the experience of a

387 views • 13 slides
Your Trusted China Partner Market Overview Your Trusted Partner in China Source: McKinsey &amp;

Your Trusted China Partner Market Overview Your Trusted Partner in China Source: McKinsey &amp;

Chinas Dietary Supplement Industry Market Insights Natural Products Expo West March 11, 2017 Your Trusted China Partner Market Overview Your Trusted Partner in China Source: McKinsey &amp; Company Your Trusted Partner in China Consumer

409 views • 29 slides
Trusted Platform Module Dries Schellekens COSIC, KU Leuven Nomenclature Trusted versus

Trusted Platform Module Dries Schellekens COSIC, KU Leuven Nomenclature Trusted versus

Trusted Platform Module Dries Schellekens COSIC, KU Leuven Nomenclature Trusted versus trustworthy RFC 4949 (Internet Security Glossary) Trust : A feeling of certainty (sometimes based on inconclusive evidence) either (a) that the system

788 views • 33 slides
for TPM API Aybek Mukhamedov, Andy Gordon and Mark Ryan Trusted Platform Module Trusted

for TPM API Aybek Mukhamedov, Andy Gordon and Mark Ryan Trusted Platform Module Trusted

Towards Verified C specification for TPM API Aybek Mukhamedov, Andy Gordon and Mark Ryan Trusted Platform Module Trusted Computing, an initiative by major IT vendors Functions: integrity measurement, reporting &amp; protected storage

374 views • 16 slides
Challenges and lessons learned with Openstack deployments and

Challenges and lessons learned with Openstack deployments and

Challenges and lessons learned with Openstack deployments and MySQL Sandro Mazzio+a Sr Director Product Management IaaS Who I am o I am not a DB

389 views • 28 slides
? VM VM VM VM VM VM VM VM VM VM VM VM How to interconnect two OpenStack deployments ?

? VM VM VM VM VM VM VM VM VM VM VM VM How to interconnect two OpenStack deployments ?

Neutron-Neutron interconnections Thomas Morin ? VM VM VM VM VM VM VM VM VM VM VM VM How to interconnect two OpenStack deployments ? ( two or more OpenStack ? two regions ?) Between datacenters or between NFV POPs, you may

203 views • 7 slides
Trusted Mobile Platforms: Part 1: An introduction to trusted computing Chris Mitchell Royal

Trusted Mobile Platforms: Part 1: An introduction to trusted computing Chris Mitchell Royal

Trusted Mobile Platforms: Part 1: An introduction to trusted computing Chris Mitchell Royal Holloway, University of London c.mitchell@rhul.ac.uk http://www.isg.rhul.ac.uk/~cjm Contents What is trusted computing? The TCG TCG

1.43k views • 114 slides
Chapter 10 Trusted Computing Trusted Computing Chapter 10 and Multilevel Security and

Chapter 10 Trusted Computing Trusted Computing Chapter 10 and Multilevel Security and

Computer S ecurity: Principles and Practice Chapter 10 Trusted Computing Trusted Computing Chapter 10 and Multilevel Security and Multilevel Security First Edition by William S tallings and Lawrie Brown Lecture slides by Lawrie

636 views • 40 slides
Four Layers to Build a Four Layers to Build a Trusted Architecture Trusted Architecture Danny

Four Layers to Build a Four Layers to Build a Trusted Architecture Trusted Architecture Danny

Trusted Architecture for Trusted Architecture for Securely Shared Services Securely Shared Services Four Layers to Build a Four Layers to Build a Trusted Architecture Trusted Architecture Danny De Cock K.U.Leuven ESAT/COSIC

369 views • 17 slides
A BAD DREAM: SUBVERTING TRUSTED PLATFORM MODULE WHILE YOU ARE SLEEPING Seunghun Han, Wook Shin,

A BAD DREAM: SUBVERTING TRUSTED PLATFORM MODULE WHILE YOU ARE SLEEPING Seunghun Han, Wook Shin,

A BAD DREAM: SUBVERTING TRUSTED PLATFORM MODULE WHILE YOU ARE SLEEPING Seunghun Han, Wook Shin, Jun-Hyeok Park, and HyoungChun Kim, National Security Research Institute BACKGROUND Trusted Computing Group (TCG) Trusted Platform Module

375 views • 19 slides
US Federal IPv6 Deployments ION San Diego 11 Dec, 2012

US Federal IPv6 Deployments ION San Diego 11 Dec, 2012

US Federal IPv6 Deployments ION San Diego 11 Dec, 2012 San Diego, CA Ron Broersma DREN Chief Engineer SPAWAR Network Security Manager Federal

459 views • 9 slides
Cognitive Radio and Networks in coalition deployments through the dual use of IEEE 802.11h

Cognitive Radio and Networks in coalition deployments through the dual use of IEEE 802.11h

Cognitive Radio and Networks in coalition deployments through the dual use of IEEE 802.11h Lorenza Giupponi, Jos Nuez, Iaki Pascual, Josep Mangues Workshop on Network Performance Evaluation, Seattle, 17 of June 2016 1 Outline

585 views • 33 slides
connecting those who need it most ICT/IoT Deployments for Health Care &amp; Disaster Relief ICTP

connecting those who need it most ICT/IoT Deployments for Health Care &amp; Disaster Relief ICTP

connecting those who need it most ICT/IoT Deployments for Health Care &amp; Disaster Relief ICTP Trieste - May 2018 Our mission is to get the tools of Information and Communications Technologies (ICTs) -- computing, Internet access, telephony --

276 views • 23 slides
Immutable deployments: the new classic way for service deployment Adopt the new immutable

Immutable deployments: the new classic way for service deployment Adopt the new immutable

Immutable deployments: the new classic way for service deployment Adopt the new immutable infrastructure paradigm using your old toolbox. Matteo Valentini @_Amygos Warning! The events depicted in this talk are real. Any similarity to any

824 views • 37 slides
st r t t tst

st r t t tst

st r t t tst rrs r rt sts PP rss

600 views • 34 slides
San Francisco Garden Show: Creating Paradise ~ Gardening for connections to nature Saturday, April

San Francisco Garden Show: Creating Paradise ~ Gardening for connections to nature Saturday, April

San Francisco Garden Show: Creating Paradise ~ Gardening for connections to nature Saturday, April 7, 2018 Jacqueline Bruhn jacq.bruhn@gmail.com gardennh.com Resources: Plants/Seeds: Swan Island Dahlias Renee Shepards: Trombetta di Albenga

346 views • 10 slides
SemEval 2012 STS task http://www.cs.york.ac.uk/semeval-2012/task6/ Eneko Agirre Daniel Cer

SemEval 2012 STS task http://www.cs.york.ac.uk/semeval-2012/task6/ Eneko Agirre Daniel Cer

SemEval 2012 STS task http://www.cs.york.ac.uk/semeval-2012/task6/ Eneko Agirre Daniel Cer Mona Diab Bill Dolan STS workshop Columbia University March 2012 1 Dates Trial dataset: 20 October Call for participation: 25 October Training

312 views • 27 slides
A community of teachers for an active pedagogy in OR Grenoble, France Nadia Brauner, Hadrien

A community of teachers for an active pedagogy in OR Grenoble, France Nadia Brauner, Hadrien

caseine.org A community of teachers for an active pedagogy in OR Grenoble, France Nadia Brauner, Hadrien Cambazard, Nicolas Catusse A training plateform Increase engagement and autonomy of students Better use of teacher time Improve

351 views • 23 slides
Monitoring 6000+ hosts in Zabbix A Pseudo-DevOps journey About me Senior Systems Engineer

Monitoring 6000+ hosts in Zabbix A Pseudo-DevOps journey About me Senior Systems Engineer

Monitoring 6000+ hosts in Zabbix A Pseudo-DevOps journey About me Senior Systems Engineer Tools and Automation Kinetic IT @ Department of Education Co founder of Passive Eye Ltd Open Source contributor Dept. Education ~800 schools

1.17k views • 40 slides
Capture and Concentration of Radiocesium Highly Dispersed in the Environment: A Proposal Fabio

Capture and Concentration of Radiocesium Highly Dispersed in the Environment: A Proposal Fabio

ICTP-IAEA Workshop Trieste, September 12-16 Capture and Concentration of Radiocesium Highly Dispersed in the Environment: A Proposal Fabio Pichierri TOHOKU UNIVERSITY Sendai - Japan OUTLINE: Environmental contamination from the Fukushima

259 views • 25 slides
The Company Canids Confront: Resource Partitioning in Sympatric Carnivores in an Arid Ecosystem

The Company Canids Confront: Resource Partitioning in Sympatric Carnivores in an Arid Ecosystem

The Company Canids Confront: Resource Partitioning in Sympatric Carnivores in an Arid Ecosystem Kadambari Devarajan Post Graduate Program in Wildlife Biology and Conservation, National Center for Biological Sciences, Wildlife Conservation

653 views • 43 slides
Applicability of Free Energy Applicability of Free Energy Calculations using High-Throughput

Applicability of Free Energy Applicability of Free Energy Calculations using High-Throughput

Applicability of Free Energy Applicability of Free Energy Calculations using High-Throughput Calculations using High-Throughput Grid Approach Grid Approach Jan Kmunek, Petr Kulhnek, Zora Stelcov ek, Petr Kulhnek, Zora

482 views • 16 slides

More recommend