groovy for system administrators
DESCRIPTION
Slides from my talk, "Groovy for System Administrators" at GGX 2013
TRANSCRIPT
Groovy for System Administrators
Dan Woods
London, Dec 2013
About Me
“System Administration is a multi-faceted problem domain,
not dissimilar from programming.”
- Me, just now.
At a high level...
Provisioning
Deployment
Management
Provisioning
./“Building” the server
./Creating installation media
./Installing the server
Deployment
./Getting our app on the server
./Making sure it runs there
./Managing environment dependencies
Management
./Maintaining users
./Managing resource authorization
./Designing security
“We need to rethink the way that we build and work with
server environments.” - Me, just now.
Environment Considerations
./Disaster Recovery
./Auditing
./Testing (Test Network)
Environment Considerations
Should be able to rapidly recover or reproduce an environment from
configuration and archives
Programmatic Strategy
./Download install media
./Modify with kickstart
./Produce and archive reusable install media
Build Servers with Gradle
./“Version Control” the infrastructure
./Integrate with CI
./Archive “Builds” for recovery/regeneration purposes
./Whole environment build and deploy
Provisioning Gradle Plugin
http://github.com/danveloper/provisioning-gradle-plugin
Provisioning and Deployment Through CI
“qa-web-server”
|-- application-services (rabbitmq)
|   `-- build: jar, packaging: rpm
|   `-- deployment: “Network Yum Repo”
`-- application-webapp (grails)
    `-- build: war, packaging: rpm
    `-- deployment: “Network Yum Repo”
Authentication Hacking.with(Groovy)
Pluggable Authentication Modules
* Account Details
* Authentication
* Password Changes
* Session Interaction
PAM Account & Authentication
./LDAP Integration (pam_ldap)
./Active Directory
./Radius
./etc...
PAM Account & Authentication
Why not Spring Security from Grails?
Pluggable Authentication Modules
pam_exec.so – allows an external script to provide for any layer of the PAM
stack
PAM Account & Authentication w/ Grails
Add to /etc/pam.d/login:
auth sufficient pam_exec.so debug expose_authtok /etc/security/onauth
account sufficient pam_exec.so /etc/security/onaccount
Create /etc/security/onauth script and mark it executable:
#!/bin/sh
# pam_exec's expose_authtok option hands the password to the script on stdin; read it once.
pass=`cat`
# Ask the Grails Spring Security endpoint. Fields are URL-encoded so a password containing
# '&' or '=' cannot split the form body. A good login answers with the bare body "success".
result=$(curl -s --data-urlencode "user=$PAM_USER" --data-urlencode "pass=$pass" \
  http://192.168.0.106:8080/grails-springsec/auth)
# Anything other than "success" (wrong password, error page, server unreachable) denies the login.
if [ "$result" != "success" ]; then
  exit 1
else
  # First login on this box: create the local account from /etc/skel if it does not exist yet.
  id "$PAM_USER" >/dev/null 2>&1 || /usr/sbin/useradd "$PAM_USER" -m -k /etc/skel
  exit 0
fi
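The server side of the /grails-springsec/auth call that onauth makes, as an added example that is not from the slides: a hypothetical Grails AuthController that delegates to the Spring Security Core plugin's authenticationManager bean. It assumes that bean is wired by name and that the plugin's URL rules allow anonymous access to /auth/**.

```groovy
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
import org.springframework.security.core.AuthenticationException

// Hypothetical controller: with Grails' default URL mapping, /auth lands on its default action.
class AuthController {

    // Bean registered by the Spring Security Core plugin (assumed present, injected by name)
    def authenticationManager

    static defaultAction = 'auth'
    // curl -d sends a POST; refuse GET so credentials never end up in an access log as a query string
    static allowedMethods = [auth: 'POST']

    def auth() {
        String user = params.user
        String pass = params.pass

        // Fail closed on a malformed request: pam_exec treats any body other than "success" as a denial
        if (!user || !pass) {
            render status: 400, text: 'failure'
            return
        }

        try {
            // Same providers (DAO, LDAP, ...) the web application itself logs users in with
            authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(user, pass))
            // The onauth script compares the raw response body against the literal string "success"
            render text: 'success'
        } catch (AuthenticationException e) {
            // Failed PAM logins land in the same log as the web app's own authentication failures
            log.warn "PAM login rejected for user '${user}' from ${request.remoteAddr}: ${e.message}"
            render status: 401, text: 'failure'
        }
    }
}
```

Because the script accepts only the exact body "success", a stack-trace page, a redirect to the login form or an unreachable server all result in a denied login rather than an accidental allow.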
Kernel Hacking.with(Groovy)
#include <linux/kernel.h>
#include <linux/module.h>
#include "groovy.h"
#define ITEM_1 "Kernel Space IPC with User Space Groovy"
#define ITEM_2 "sys_call_table manipulation"
#define ITEM_3 "syscall hacking for Groovy-defined ruleset"
#define ITEM_4 "Groovy DSLs for every occasion!"
Kernel Hacking
The Kernel is modular, allows influence from external sources
Provides a variety of “hooks” into nearly all aspects of the server and its state
Handling of logistical operations, like metrics and reporting
Influence over nearly all of the server’s operation
Kernel Space IPC w/ User Space Groovy
[Diagram: Kernel Memory and Kernel Processes on one side, Userland Memory and Userland Processes on the other, connected through procfs, netlink, mmap and udp.]
Groovy ACL DSL for Filesystem Behavior
[Diagram, MKDIR: mkdir() looks up __NR_mkdir in the syscall table, which points at mkdir_code, which writes the entry to the filesystem.]
Groovy ACL DSL for Filesystem Behavior
[Diagram, MKDIR intercepted: mkdir() looks up __NR_mkdir in the syscall table, which now points at intercepted mkdir_code; it asks "ok to mkdir?" and on yes hands off to the original mkdir_code, which writes the entry to the filesystem; on no, the call stops there.]
Kernel Hacking
Other Things We Might Do...
Packet inspection (a la IDS)
Network manipulation (rewrite headers, compression, etc)
Tag packets, and correlate with process/application
User and application oriented metrics gathering
try {
    "Groovy for System Administrators"()
} finally {
    Utilize.groovy() as FullstackInfrastructureComponent
}
The end.