
Bridging DevOps Islands with Pantry

A talk I gave at Mountain West DevOps 2014 announcing Pantry, the DevOps Pipeline Framework!

http://pantryops.org/
http://collectiveidea.com/

Jason Roelofs

March 24, 2014

Transcript

  1. What is Pantry?
     • Plugin-based
     • Client / Server
     • Asynchronous
     • Remote Execution Framework
  2. What is Pantry?
     • DevOps Pipeline/Automation Framework
     • Use your tools of choice
     • Convention over Configuration
  3. Our Problem
     [Diagram: many separate apps, each with its own "App Cookbooks" and "Application Info"]
     • All Chef
     • All Different
     • Keep adding more!
  4. Chef Server
     [Diagram: many separate apps, each with its own "App Cookbooks" and "Application Info"]
     • Organizations don’t share.
  5. Librarian
     • Only cursory glance
     • Still just a Chef-only solution
     • Other tools coming into play
  6. Drop Chef?
     • Throwing away thousands of hours of work
     • Years of knowledge
     • No guarantee other tools do this better
  7. State of DevOps
     • Lots of great, proven tools
     • Open and helpful communities
     • Lots of custom development still required
  8. New Stack Questions
     • Where do I store my data?
     • How do I provision new servers?
     • How do I configure the servers?
     • How do I share configurations?
     • How do I keep all of this secure?
  9. Sharing Configs
     • Get this for free!
     • No artificial access limitations
     • Doesn’t mean Pantry isn’t secure
  10. Using Pantry
      • gem install pantry
      • gem install [pantry plugin]
      • pantry-server
      • pantry-client
      • pantry
  11. Dependencies
      • Ruby 2.0+
      • ZeroMQ 3.x
      • ZeroMQ 4.x + libsodium
      • Plans for omnibus installer
  12. Using Pantry :: CLI
      • Run Commands in a Pantry Network
      • All, Some, or One Client!
      • pantry -a my_app -e production status
      • pantry -a my_app -e staging chef:run
  13. Our Problem
      [Diagram: many separate apps, each with its own "App Cookbooks" and "Application Info"]
      • All Chef
      • All Different
      • Keep adding more!
  14. Pantry Chef
      [Diagram: a Server holding Cookbooks and the Application Info for App 1 through App 5; Clients for App 5, App 3 and App 2, each holding Cookbooks and its own app's Application Info]
  15. Pantry Chef
      • No account/users/permissions management
      • No cookbook versioning
      • Lazy cookbook dependencies
      • Use Chef configuration files (roles, envs)
  16. Pantry Chef
      • pantry chef:cookbook:upload
      • pantry -a app chef:environment:upload
      • pantry -a app chef:role:upload
      • pantry -a app chef:data_bag:upload
      • pantry -a app chef:run
  17. Security
      • Don’t build your own
      • Getting it wrong has dire consequences
      • What is and isn’t secure?
  18. Security in Pantry
      • The default is … None!
      • Plain text communication
      • Tools like socat and stunnel recommended
  19. OpenSSL?
      • The de facto standard, but…
      • So many protocols and ciphers available
      • Best practices are regularly changing
      • No built-in support in ZeroMQ
  20. Curve 25519
      • Elliptic Curve Cryptography (ECC)
      • Uses the prime number 2^255 - 19
      • Uninfluenced by NIST, NSA, etc
      • ArsTechnica on ECC
      • http://cr.yp.to/ecdh.html
  21. CurveZMQ
      • Improved implementation of CurveCP
      • NaCl and libsodium
      • Prevents many common attacks
      • Still young, not yet vetted
      • http://curvezmq.org
  22. Attacks: Alter / Forge Packet
      • Any change invalidates the whole packet
      • Valid packet creation requires secret key
  23. Attacks: Key Theft
      • Stream encrypted with transient keys
      • Transient keys discarded at end of connection
      • Can only brute-force a saved stream
  24. CurveZMQ in Pantry
      • Clients and CLI need three keys
      • Public, Private, Server Public Key
      • Server has list of valid Client public keys
      • Server generates new Client key pairs
  25. Is Pantry Secure?
      • Yes, but opt-in
      • Use at own risk
      • Improvements coming regularly
  26. Recap
      • Pantry is a DevOps Pipeline Framework
      • Remove the tedium from DevOps
      • Pantry and Pantry Chef out now
      • More on the way!
  27. Celluloid
      • IS AWESOME!
      • Because concurrency sucks
      • Actors, Futures, Conditionals, etc
      • Celluloid-ZMQ
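
The key model from the "CurveZMQ in Pantry" slide, as an added example that is not Pantry's own code: a client-side check that all three keys are present and well-formed, and a server-side check of a presented public key against the list of valid client keys. It assumes keys are stored as Z85 text, the encoding libzmq uses for CURVE keys; the field names and sample keys are constructed for illustration.

```ruby
require "set"

# Z85 alphabet (ZeroMQ RFC 32). A 32-byte CURVE key is 40 Z85 characters.
Z85 = ('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' +
       '.-:+=^!/*?&<>()[]{}@%$#').freeze
Z85_INDEX = Z85.each_char.with_index.to_h.freeze

# Decode Z85 text to bytes; raises ArgumentError on malformed input.
def z85_decode(text)
  raise ArgumentError, "length not a multiple of 5" unless (text.length % 5).zero?
  text.scan(/.{5}/m).map do |group|
    value = group.each_char.reduce(0) do |acc, ch|
      digit = Z85_INDEX[ch] or raise ArgumentError, "invalid character #{ch.inspect}"
      acc * 85 + digit
    end
    raise ArgumentError, "group #{group.inspect} overflows 32 bits" if value > 0xFFFFFFFF
    [value].pack("N")
  end.join
end

# Decode one key and insist on exactly 32 bytes.
def decode_curve_key(text)
  key = z85_decode(text.to_s.strip)
  raise ArgumentError, "expected 32 bytes, got #{key.bytesize}" unless key.bytesize == 32
  key
end

# Client/CLI side: report problems with the three keys (hypothetical field names).
def client_key_problems(keys)
  problems = %i[public_key private_key server_public_key].map do |name|
    begin
      decode_curve_key(keys[name])
      nil
    rescue ArgumentError => e
      "#{name}: #{e.message}"
    end
  end.compact
  same = keys[:private_key] && keys[:private_key] == keys[:public_key]
  problems << "private_key equals public_key" if same
  problems
end

# Server side: only clients whose public key is on the list are admitted.
def client_allowed?(allowlist, presented)
  allowlist.include?(decode_curve_key(presented))
rescue ArgumentError
  false
end

# Constructed sample keys (not real key material).
CLIENT_PUBLIC = "HelloWorld" * 4
SAMPLE_KEYS = { public_key: CLIENT_PUBLIC, private_key: "0123456789" * 4,
                server_public_key: "abcdefghij" * 4 }.freeze
ALLOWLIST = Set.new([decode_curve_key(CLIENT_PUBLIC)])
```

Malformed or unknown keys are rejected rather than raising, so a bad key presented by a peer never reaches the allowlist lookup as partial data.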