Navigating Compliance in a CoreOS World
Paul Querna | @pquerna
CTO, ScaleFT
paul.querna.org
May 10, 2016
Runs CoreOS
Has 200+ Page Questionnaires
Fun! New! Not Fun! Old!
Many Standards for Many Purposes
https://www.microsoft.com/en-us/trustcenter/Compliance
● Controls (think: things to reduce risk):
  ○ Policies / documentation
  ○ Technical
User Management on CoreOS
User Management Controls
● Unique User IDs
● Role based Permissions
● Lifecycle Management
First Strategy
1. Put everything into cloud-config
Put everything into cloud-config
#cloud-config
users:
  - name: paul.querna
    shell: /bin/bash
    groups:
      - sudo
      - docker
    sudo:
      - ALL=(ALL) NOPASSWD:ALL
    ssh-authorized-keys: [ssh-rsa AAAAB…. [email protected]]
"cloud-init... there are a number of hurdles..."
Alex Crawford, 2015 CoreOS Fest
Hurdles
● Go code to generate YAML
  ○ Users, fetching keys from git
  ○ Inline script rendering
  ○ systemd unit files
● Reboots
  ○ Deleted user, comes back!
● Changes
  ○ Lifecycle of configurations (including users) != lifecycle of servers
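The "deleted user, comes back" and "lifecycle of users != lifecycle of servers" hurdles are what a post-boot reconciler exists to fix. The following is an added example, not code from the talk or from ScaleFT: it takes a roster (the assumed source of truth, here a constructed dict) and the node's current accounts (a constructed /etc/passwd excerpt) and emits the create/remove/group actions needed to meet the three user-management controls on the earlier slide. The role-to-group mapping and the rule that human accounts start at UID 1000 are assumptions of the example.

```python
# Added example, not part of the talk: a post-boot reconciler for the user
# management controls. All inputs are constructed. ROSTER is the assumed
# source of truth; PASSWD_TEXT stands in for /etc/passwd on a node.

ROSTER = {
    "paul.querna": {"uid": 1001, "role": "admin"},
    "alice": {"uid": 1002, "role": "developer"},
    "carol": {"uid": 1004, "role": "developer"},
}

# Assumed role -> groups mapping (role based permissions).
ROLE_GROUPS = {
    "admin": ["sudo", "docker"],
    "developer": ["docker"],
}

# Constructed /etc/passwd excerpt: 'bob' was removed from the roster but is
# back after a reboot; 'mallory' shares alice's UID, so UIDs are not unique.
PASSWD_TEXT = """\
root:x:0:0:root:/root:/bin/bash
core:x:500:500:CoreOS Admin:/home/core:/bin/bash
paul.querna:x:1001:1001::/home/paul.querna:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
bob:x:1003:1003::/home/bob:/bin/bash
mallory:x:1002:1002::/home/mallory:/bin/bash
"""

# Assumption: human accounts start at UID 1000; root, the built-in 'core'
# user and daemons sit below that and are never touched by the reconciler.
HUMAN_UID_MIN = 1000


def parse_passwd(text):
    """Return {login: uid} for each passwd(5) line; blank lines are skipped."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = int(fields[2])
    return users


def reconcile(roster, passwd_text, role_groups=ROLE_GROUPS):
    """Actions a post-boot run (Ansible, an agent) must take to match the roster."""
    current = parse_passwd(passwd_text)
    people = {u: uid for u, uid in current.items() if uid >= HUMAN_UID_MIN}
    actions = {"create": [], "remove": [], "duplicate_uid": [], "groups": {}}

    # Lifecycle: roster users missing from the host are created, and every
    # roster user gets exactly the groups its role grants.
    for login in sorted(roster):
        if login not in people:
            actions["create"].append(login)
        actions["groups"][login] = sorted(role_groups[roster[login]["role"]])

    # Lifecycle: human accounts not on the roster are offboarded. This is the
    # step a cloud-config-only setup lacks, so a deleted user reappears on boot.
    for login in sorted(people):
        if login not in roster:
            actions["remove"].append(login)

    # Unique User IDs: a UID shared by two logins breaks attribution in logs.
    by_uid = {}
    for login, uid in people.items():
        by_uid.setdefault(uid, []).append(login)
    for uid, logins in sorted(by_uid.items()):
        if len(logins) > 1:
            actions["duplicate_uid"].append((uid, sorted(logins)))
    return actions


if __name__ == "__main__":
    for kind, value in reconcile(ROSTER, PASSWD_TEXT).items():
        print(f"{kind}: {value}")
```

Run against the constructed inputs it reports `carol` to create, `bob` and `mallory` to remove, and UID 1002 as shared; a real run would feed the roster from the same place that generates the cloud-config and apply the actions with the Ansible user module or the agent described later in the deck.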
Attempt Two
1. Put “bootstrap” script in cloud-config (from zero today, try Ignition?)
2. Use Ansible for post-boot management
Bootstrap
#cloud-config
write_files:
  - path: /opt/bin/bootstrap-cc.sh
    permissions: "0755"
    owner: root
    content: |-
      #!/bin/bash
      ...
coreos:
  units:
    - name: bootstrap-cc.service
      command: start
      content: |
        [Unit]
        Description=bootstrap runcmd
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/opt/bin/bootstrap-cc.sh
Ansible on CoreOS Linux
● Python…. Is not in the base system.
  ○ PyPy portable: github.com/squeaky-pl/portable-pypy
  ○ ln -s bin/pypy /opt/bin/python
  ○ Tell ansible where python is:
    [coreos:vars]
    ansible_python_interpreter="/opt/bin/python"
● Ansible basically* works!
  ○ Shell, Users, File
● Future: rkt fly?
Agents on CoreOS
First Strategy
1. Docker in systemd
   ● Namespaces
   ● Mounting the universe
   ● Systemd integration (lack of)
Outside of containers
1. Ansible: untar into /opt
2. Ansible: creates systemd unit file
● Great for Go & self contained things
Round 3: rkt (fly)
● Tried 12 months ago for all uses: Pain
● Tried 60 days ago w/ fly stage1: Yay!
acbuild: pretty easy?
#!/bin/bash
# Stop on the first failed acbuild step so a half-built ACI is never written.
set -euo pipefail

# Start the build with an empty ACI
acbuild --debug begin

# Name the ACI
acbuild --debug set-name scaleft.com/sftd

# Copy the app to the ACI
acbuild --debug copy "${INPUT_SFTD}" /scaleft/bin/sftd

# Set correct file permissions and owner
chmod 0755 .acbuild/currentaci/rootfs/scaleft/bin/sftd
chown 0:0 .acbuild/currentaci/rootfs/scaleft/bin/sftd

# Run sftd
acbuild --debug set-exec -- /scaleft/bin/sftd

# Declare each host directory the daemon needs as a mount point
for m in ${MOUNT_DIRS}; do
  acbuild mount add "${m}" "/${m}"
done

acbuild --debug write --overwrite "${OUTPUT_FILE}"
User Management: Via Agent
● Dogfooding our own Agent
● ScaleFT Server Daemon manages users
● Runs via rkt fly and a systemd unit
● www.scaleft.com/docs/sftd-coreos
Logs on CoreOS
Log Controls
● User identification (see User Management)
● Action
● Timestamp
● Prevent modification
● Ship to central server
Log Management
- systemd-journald: yay
- This is mostly about journal vs classic syslog
- More systemd journal integrations happening every day
First Strategy
1. journalctl -o json
2. shell script to upload to s3
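The first strategy above, as an added example that is not code from the talk: the part of the shipping script that turns `journalctl -o json` output into an upload batch, saving the cursor for the next run and chaining a SHA-256 over the batch so the receiver can check the "prevent modification" control. The two journal lines are constructed; the field names used (`__CURSOR`, `__REALTIME_TIMESTAMP`, `_UID`, `MESSAGE`, `_HOSTNAME`, `SYSLOG_IDENTIFIER`, `_SYSTEMD_UNIT`) are the ones journalctl emits.

```python
# Added example, not part of the talk: the "journalctl -o json" stage of a
# log shipper, written as functions so it can be checked offline.
import hashlib
import json
from datetime import datetime, timezone

# Two constructed records in the shape `journalctl -o json` emits.
# __REALTIME_TIMESTAMP is microseconds since the epoch, as a string.
SAMPLE_JOURNAL = """\
{"__CURSOR":"s=constructed0001;i=1","__REALTIME_TIMESTAMP":"1462838400000000","_UID":"0","_PID":"1","SYSLOG_IDENTIFIER":"systemd","_HOSTNAME":"node1","MESSAGE":"Started bootstrap runcmd."}
{"__CURSOR":"s=constructed0001;i=2","__REALTIME_TIMESTAMP":"1462838461000000","_UID":"1001","_PID":"812","SYSLOG_IDENTIFIER":"sudo","_HOSTNAME":"node1","MESSAGE":"paul.querna : TTY=pts/0 ; COMMAND=/usr/bin/journalctl -o json"}
"""

# Fields the log controls need: where we are, when, who, and what.
REQUIRED = ("__CURSOR", "__REALTIME_TIMESTAMP", "_UID", "MESSAGE")


def normalize(raw):
    """Map one journal record onto the controls: user, action, timestamp."""
    missing = [k for k in REQUIRED if k not in raw]
    if missing:
        raise ValueError(f"record lacks {missing}; cannot satisfy log controls")
    ts = datetime.fromtimestamp(int(raw["__REALTIME_TIMESTAMP"]) / 1e6, tz=timezone.utc)
    return {
        "cursor": raw["__CURSOR"],
        "timestamp": ts.isoformat(timespec="microseconds"),
        "host": raw.get("_HOSTNAME", ""),
        "uid": int(raw["_UID"]),
        "unit_or_tag": raw.get("_SYSTEMD_UNIT") or raw.get("SYSLOG_IDENTIFIER", ""),
        "action": raw["MESSAGE"],
    }


def chain_hash(prev_hex, record):
    """Hash this record together with the previous hash (tamper evidence)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(prev_hex.encode() + canonical.encode()).hexdigest()


def build_batch(journal_text, prev_hex="0" * 64):
    """Parse `journalctl -o json` output into an upload batch.

    Returns (records, last_cursor, final_hash): last_cursor is what the next
    run passes to `journalctl --after-cursor`, final_hash seeds the next batch.
    """
    records, cursor, h = [], None, prev_hex
    for line in journal_text.splitlines():
        if not line.strip():
            continue
        rec = normalize(json.loads(line))
        h = chain_hash(h, rec)
        rec["chain"] = h
        records.append(rec)
        cursor = rec["cursor"]
    return records, cursor, h


def verify_batch(records, prev_hex="0" * 64):
    """Recompute the chain on the receiving side; False if any record changed."""
    h = prev_hex
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "chain"}
        h = chain_hash(h, body)
        if h != rec["chain"]:
            return False
    return True


if __name__ == "__main__":
    batch, last_cursor, final_hash = build_batch(SAMPLE_JOURNAL)
    print(json.dumps(batch, indent=1))
    print("next cursor:", last_cursor, "chain:", final_hash)
```

On a node the text would come from `journalctl -o json --after-cursor "$CURSOR"`; the uploader stores the returned cursor and final hash next to the batch it ships, and the central side runs `verify_batch` with the previous batch's hash before accepting it.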
Round 2: In progress
● journalbeat in rkt fly:
  ○ Pulls from journal using CGO bindings
  ○ Cursor integration
  ○ github.com/mheese/journalbeat
● ACI build:
  ○ github.com/authclub/journalbeat-aci
Updates on CoreOS
Updates Controls
● Change control / documented approval procedures
● If Anti-virus, auto-updates: +1
● If not: Anti-virus: ?
Auto Updates
Here’s how you turn off CoreOS Linux’s original feature:
echo REBOOT_STRATEGY=off | sudo tee -a /etc/coreos/update.conf
See also:
update_engine_client -status
update_engine_client -update
CoreUpdate by CoreOS
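The `tee -a` one-liner above appends a new `REBOOT_STRATEGY` line every time it runs, which is awkward when the setting is under change control and the file is evidence. The following is an added example, not code from the talk: it rewrites `/etc/coreos/update.conf` so that exactly one `REBOOT_STRATEGY` line remains and rejects values update_engine does not know. The accepted values (`best-effort`, `etcd-lock`, `reboot`, `off`), the `best-effort` default, and last-assignment-wins semantics for the file are assumptions of the example.

```python
# Added example, not part of the talk: idempotent edit of
# /etc/coreos/update.conf instead of appending with `tee -a`.
import re
import sys

# Assumption: the reboot strategies update_engine accepts on CoreOS Linux.
REBOOT_STRATEGIES = ("best-effort", "etcd-lock", "reboot", "off")
DEFAULT_STRATEGY = "best-effort"  # assumption: what applies when unset

_ASSIGN = re.compile(r"\s*REBOOT_STRATEGY\s*=\s*\"?([^\"\s]*)\"?\s*$")


def current_strategy(conf_text):
    """Strategy the file selects; the last assignment wins, else the default."""
    value = DEFAULT_STRATEGY
    for line in conf_text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            value = m.group(1)
    return value


def set_reboot_strategy(conf_text, strategy):
    """Return conf_text with exactly one REBOOT_STRATEGY line set to strategy."""
    if strategy not in REBOOT_STRATEGIES:
        raise ValueError(f"unknown REBOOT_STRATEGY {strategy!r}; "
                         f"expected one of {REBOOT_STRATEGIES}")
    kept, replaced = [], False
    for line in conf_text.splitlines():
        if _ASSIGN.match(line):
            if not replaced:
                kept.append(f"REBOOT_STRATEGY={strategy}")
                replaced = True
            continue  # drop duplicates left behind by repeated `tee -a`
        kept.append(line)
    if not replaced:
        kept.append(f"REBOOT_STRATEGY={strategy}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Usage: python update_conf.py <strategy> [path]; path defaults to the
    # CoreOS location. Writing requires root, as with the tee one-liner.
    strategy = sys.argv[1] if len(sys.argv) > 1 else "off"
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/coreos/update.conf"
    try:
        with open(path) as f:
            before = f.read()
    except FileNotFoundError:
        before = ""
    after = set_reboot_strategy(before, strategy)
    if after != before:
        with open(path, "w") as f:
            f.write(after)
    print(f"REBOOT_STRATEGY was {current_strategy(before)}, now {current_strategy(after)}")
```

Because the function returns the new file text, the same code can run in audit mode (compare `current_strategy` against the approved value and report) without writing anything.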