using saltstack to auto triage and remediate production systems
TRANSCRIPT
Michael Kehoe Senior Site Reliability Engineer
Using SaltStack to Auto Triage and Remediate Production Systems
Topics
• $ whoami• Salt @ LinkedIn• LinkedIn’s auto remediation story• Nurse• Salt API• Auto-remediation Salt Modules• How to get started
$ whoami
Salt @ LinkedIn
• 11-14k minions per master• Up to 8.5 events/ second per master• Deployment system heavily utilizes Salt• 5 dedicated SRE’s work on LinkedIn’s Salt infrastructure
• Number of SRE’s who also contribute
Alert Growth vs NOC EngineersLinkedIn’s Auto-remediation Story
2010 2011 2012 2013 2014 2015 2016 20170
5000
10000
15000
20000
25000
30000
35000
40000
0
5
10
15
20
25
30
Num of AlertsNum of Engineers
The problemLinkedIn’s Auto-remediation Story
• Growing number of high priority alerts vs Engineers to watch• Complicated ITR’s (runbooks) took time for NOC engineers to
execute and escalate• SRE’s would forget to run diagnostic tooling during outages• Longer MTTR == Bad experience for members
Building the SolutionLinkedIn’s Auto-Remediation Story
• LinkedIn needed a workflow engine• Requirements
• Take automated actions against applications/ hosts• Perform the run book automatically• Appropriate auditing• Scalable
What’s already out thereAutoremediation
• StackStorm• fbar• SaltStack
Started building an in-house solution in Mid-2014
Nurse
Image:freeflaticons.com
Nurse
• ‘Event based’ system• Built on top of LinkedIn’s existing monitoring infrastructure• Allows for manual execution via Web UI• Allows for other systems to plug-in via REST API
• Built in rules-engine• Allows for complicated checks/ branching
• Global environment awareness• Scalable!
Nurse
Nurse
The basicsSalt REST API
• RESTful interface to SALT• Allows for external-authentication
• PAM• LDAP• Your own plugin…
• Built on top of CherryPy
InterfaceSalt REST API
• /login - Log in to receive a session token• /logout - Remove or invalidate sessions• /minions – Working directly with minions• /jobs - Getting lists of previously run jobs or getting the return from a single job• /run - Run commands without normal session handling• /events - Expose the Salt event bus• /hook - A generic web hook entry point that fires an event on Salt's event bus• /keys – Wrapper around key management• /ws - Open a WebSocket connection to Salt's event bus• /stats - Return a dump of statistics collected from the CherryPy server
https://docs.saltstack.com/en/latest/ref/netapi/all/salt.netapi.rest_cherrypy.html
ConfigurationSalt REST API
external_auth: ldap: headless-nurse: - '*': - test.* - nurse.* - '@jobs'
https://docs.saltstack.com/en/latest/ref/netapi/all/salt.netapi.rest_cherrypy.html
/etc/salt/master.d/salt-api.conf
ConfigurationSalt REST API
rest_cherrypy: port: 8888 ssl_crt: /etc/salt/pki/api/salt-api.crt ssl_key: /etc/salt/pki/api/salt-api.key
https://docs.saltstack.com/en/latest/ref/netapi/all/salt.netapi.rest_cherrypy.html
/etc/salt/master.d/salt-api.conf
ConfigurationSalt REST API
auth.ldap.basedn: 'dc=example,dc=com'auth.ldap.binddn: ’readonly-ldap@example'auth.ldap.bindpw: ’password'auth.ldap.filter: sAMAccountName={{ username }}auth.ldap.server: ldap.example.comauth.ldap.tls: Trueauth.ldap.persontype: 'person'auth.ldap.groupclass: 'group'auth.ldap.groupou: 'Users’
https://docs.saltstack.com/en/latest/topics/eauth/index.html
/etc/salt/master.d/salt-api.conf
Code InterfacesSalt REST API
• There is a Python interface to the Salt API – pepper• Provides basic wrapper around REST API• https://github.com/saltstack/pepper/
• See https://github.com/SUSE/salt-netapi-client for JAVA bindings
Python Code exampleSalt REST API
from pepper.libpepper import Pepper
api = Pepper('https://salt.example.com:8888')api.login('saltdev', 'saltdev', ’ldap')
# Run simple functionapi.low([{'client': 'local', 'tgt': '*', 'fun': 'test.ping'}])
# Execute a runner functionapi.runner('jobs.lookup_jid', jid=12345)
GoalsAuto-remediation Salt Modules
• Auto-triage issues• Reduce context-switching• Run labor intensive tasks automatically• Gather data while engineer is logging in after escalation
• Auto-remediate issues• Let the engineer sleep• Faster MTTR
ImplementationAuto-remediation Salt Modules
• Auto-triage issues• Identify abusive clients• Collect & analyses thread/ heap dumps• Parse & summarize log files
ImplementationAuto-remediation Salt Modules
• Auto-remediate issues• Restart/ OOR applications• Scale-up applications• Blocking abusive clients• Update A/ B experiment definitions• Otherwise escalate…
ImplementationAuto-remediation Salt Modules
• Plenty of Salt modules/ runners already out there• Over 300 modules are available in Salt core• Modules to take remediate & notify
• Write your own• Make sure you test!
SuccessLinkedIn’s Auto-remediation Story
• 854k actions taken• 100% of service health check alerts are on boarded• ~37k man hours have now been automated• Now automating ~1100 hours/ week
SuccessLinkedIn’s Auto-remediation Story
2010 2011 2012 2013 2014 2015 2016 20170
5000
10000
15000
20000
25000
30000
35000
40000
0
5
10
15
20
25
30
Num of AlertsNum of Engineers
Some lessons learntHow to get started
• Need to make decision on how you architecture YOUR ‘event bus’
• Use external monitoring to trigger Salt via API• Use reactors/ beacons internally within Salt’s event bus• See ‘Thorium’ documentation for Salt’s new reactor engine
• Auditing is important!• Need to know what/ who triggered actions
Some lessons learntHow to get started
• Reporting is important!• Need to know how often automated actions are being taken• Find failure hotspots• Leverage event-bus or returners
• Safety first• Don’t give yourself too much rope…
Conclusion
• Think carefully about your ‘Event-Driven-Automation’ architecture
• The sky is the limit with Salt…don’t limit yourself• Again…safety first
29
Questions?Thank You