groovy for system administrators

Groovy for System AdministratorsDan Woods

London, Dec 2013

Groovy for System Administrators

About Me

@danveloper /danveloper

#[email protected]


About Me


“System Administration is a multi-faceted problem domain,

not dissimilar from programming.”

- Me, just now.


At a high level...

Provisioning

Deployment

Management


Provisioning

./“Building” the server

./Creating installation media

./Installing the server


Deployment

./Getting our app on the server

./Making sure it runs there

./Managing environment dependencies


Management

./Maintaining users

./Managing resource authorization

./Designing security


“We need to rethink the way that we build and work with

server environments.” - Me, just now.


Environment Considerations

./Disaster Recovery

./Auditing

./Testing (Test Network)


Environment Considerations

Should be able to rapidly recover or reproduce an environment from

configuration and archives


Programmatic Strategy

./Download install media

./Modify with kickstart

./Produce and archive reusable install media


Build Servers with Gradle./“Version Control” the infrastructure

./Integrate with CI

./Archive “Builds” for recovery/regeneration purposes

./Whole environment build and deploy


Provisioning Gradle Pluginhttp://github.com/danveloper/provisioning-gradle-plugin

http://github.com/danveloper/provisioning-gradle-plugin


Provisioning and Deployment Through CI

“qa-web-server”

\--- application-services (rabbitmq) `-- build: jar, packaging: rpm `-- deployment: “Network Yum Repo”

\--- application-webapp (grails) `-- build: war, packaging: rpm `-- deployment: “Network Yum Repo”


Authentication Hacking.with(Groovy)


Pluggable Authentication Modules

* Account Details * Authentication * Password Changes * Session Interaction


PAM Account & Authentication

./LDAP Integration (pam_ldap)

./Active Directory

./Radius

./etc...


PAM Account & Authentication

Why not Spring Security from Grails?


Pluggable Authentication Modules

pam_exec.so – allows an external script to provide for any layer of the PAM

stack


PAM Account & Authentication w/ GrailsAdd to /etc/pam.d/login:

auth sufficient pam_exec.so debug expose_authtok /etc/security/onauthaccount sufficient pam_exec.so /etc/security/onaccount

Create /etc/security/onauth script and mark it executable:

#!/bin/shpass=`cat`;result=$(curl -s -d "user=$PAM_USER&pass=$pass" http://192.168.0.106:8080/grails-springsec/auth)if [ "$result" != "success" ]; then exit 1;else /usr/sbin/useradd $PAM_USER -m -k /etc/skel exit 0;fi


Kernel Hacking.with(Groovy)

#include <linux/kernel.h>#include <linux/module.h>#include “groovy.h”

#define ITEM_1 “Kernel Space IPC with User Space Groovy”#define ITEM_2 “sys_call_table manipulation”#define ITEM_3 “syscall hacking for Groovy-defined ruleset”#define ITEM_4 “Groovy DSLs for every occasion!”


Kernel Hacking The Kernel is modular, allows influence from

external sources

Provides a variety of “hooks” into nearly all aspects of the server and its state

Handling of logistical operations, like metrics and reporting

Influence over nearly all of the server’s operation


Kernel Space IPC w/ User Space Groovy

Kernel Memory

Kernel Processes

Userland Memory

Userland Processes

procfs

netlink

mmap

udp


Groovy ACL DSL for Filesystem Behavior

MKDIR

syscalltable

mkdir_code

filesystem

mkdir()

__NR_mkdirwrite the entry


Groovy ACL DSL for Filesystem Behavior

MKDIR

syscalltable

originalmkdir_code

filesystem

mkdir()

__NR_mkdir

write the entry

interceptedmkdir_code

ok to mkdir?

yes?

no


Kernel HackingOther Thing We Might Do...

Packet inspection (a la IDS)

Network manipulation (rewrite headers, compression, etc)

Tag packets, and correlate with process/application

User and application oriented metrics gathering


try { “Groovy for System Administrators”()} finally { Utilize.groovy() as FullstackInfrastructureComponent}

The end.

groovy for system administrators

Technology

system administratorsabout

system administratorsat

system administratorstry

system administratorswe

user space groovy sys

pam stack

server environments

ldap integration pam