diskless cluster computing: security benefit of onesis and git

1SANS Technology Institute - Candidate for Master of Science Degree 1

Diskless Cluster Computing: Security Benefit of oneSIS and

Git

Aron WarrenSeptember 2012

GIAC GSEC, GCIH, GCIA

Overview

• oneSIS

• Git

• Using Git to track an OS image

SANS Technology Institute - Candidate for Master of Science Degree 2

• History• Reason it exists

– Improve sysadmin efficiency & accuracy

– Reduce number of systems to maintain

– Keeps the spirit

• How it worksSANS Technology Institute - Candidate for Master of Science Degree 3

oneSIS Intro


oneSIS in Action

DISTRO: RedHat EL-6 –spRAMSIZE: 500mNODECLASS_REGEX mountain\d+ myclusterNODECLASS_RANGE mountain[1-5] mycluster.computeNODECLASS_RANGE mountain[6-10] mycluster.webLINKDIR: /root -dLINKDIR: /tmp –dLINKDIR: /var/log -dLINKDIR: /var/run –dLINKFILE: /etc/fstabSERVICE httpd –c myclass.web

Symlinks in action

[root@mountain1 ~]# ls -la /etc/fstablrwxrwxrwx 1 root root 14 Aug 1 2011 /etc/fstab -> /ram/etc/fstab[root@mountain1 ~]# ls -la /ram/etc/fstablrwxrwxrwx 1 root root 21 May 22 12:04 /ram/etc/fstab -> /etc/fstab.mycluster.compute[root@mountain1 ~]# ls -la /etc/fstab.mycluster.compute-rw-r--r-- 1 root root 972 Jun 5 2008 /etc/fstab.mycluster.compute[root@mountain1 ~]# ls -la /etc/fstab.*-rw-r--r-- 1 root root 312 Jun 2 2008 /etc/fstab.default-rw--r--r-- 1 root root 852 Oct 30 2011 /etc/fstab.mycluster.compute-rw--r--r-- 1 root root 852 Oct 31 2011 /etc/fstab.mycluster.web



Git and our Goal

• History• Reasons to use it

– Multiple, simultaneous collaborators– Decentralized repositories– Binary files

• What we want to achieve?• How we achieve it?

Git in Action

[root@server]# cd /var/lib/oneSIS/images/image-prod[root@server image-prod]# git initInitialized empty Git repository in /var/lib/oneSIS/images/image-prod/.git/

[root@server image-prod]# cat .gitignoredevproc

[root@server image-prod]# tar cvf dev.tar dev/*

[root@server image-prod]# find . -name .git -prune -o -type d -empty -exec touch {}/.gitignore \;


Git in Action Part 2

[root@localhost image-prod]# cd .git/hooks/[root@localhost hooks]# cp /usr/share/git-core /contrib/hooks/* .

setgitperms.perl :[root@localhost image-prod]# cd .git/hooks/[root@localhost hooks]# cp /usr/share/git-core /contrib/hooks/* .

[root@server image-prod]# git add -f *


Git in Action – Final Bits

[root@server image-prod]# git commit -m "Initial Commit" --author="Aron Warren <[email protected]>" [master (root-commit) 3311f7e] Initial Commit Author: Aron Warren <[email protected]> Committer: root <[email protected]> 310406 files changed, 41830189 insertions(+), 0 deletions(-) create mode 100644 .gitmeta create mode 100755 bin/alsaunmute create mode 100755 bin/arch...



Pros

• Integrity

• Rollback of Changes

• Immediate Rollout of Changes (single pull) – Leads to Staged Rollouts


Cons

• RPMs

• Image size grows over time

• File permissions

Some commands that help

• diff –u .gitmeta <(.git/hooks/setgitperms.perl –r –s)

• git update-index --really-refresh• git clean -d -f• git reset --hard commit-id



Sneak Peek

• Version 3

• Fixes the above mentioned issues

• Much more flexibility

Reference Materials

• Google. (2007, May 14). Tech Talk: Linus Torvalds on git . Retrieved February 25, 2012, from YouTube: http://www.youtube.com/watch?v=4XpnKHJAok8

• Schroeder, B., Gibson, G. A. (2007). Understanding disk failure rates: What does an MTTF of 1,000,000 hours mean to you?. Trans. Storage, 3(3), 8:1-8:31. DOI=10.1145/1288783.1288785



Summary

• oneSIS + Git = easy way to manage a diskless image

• Provides image integrity• Provides easy upgrade and

rollback paths

diskless cluster computing: security benefit of onesis and git

Documents