github-classmethod-study-20170426

Transcript

1. GitHub Enterprise;AWSΨ 奲ΕݳΥͱ͵CDP GitHub;μ϶φϮϊϐϖ΄ۣ䔶տ 뺶GitHub x AWS΄๋ෛDevOpsԪఘ뺶 2017/04/26 Ӿઊ ଛလ

   1

2. ᛔ૩奧Օ • Ӿઊ ଛလ • μ϶φϮϊϐϖ AWSԪ䮣᮱ ϊϷϲЄτϴ ЀίЄκϓμϕ •

   AWSΨڥአͭ͵αЀϢ϶΄戔懯/䯤塈/π ЀςϸϓΰЀν • GitHub: knakayama • 奺䵉 • ηЀϤϹςЄϝ΄晁አ3ଙ • AWS 1ଙ 2

3. ίυδЀύ 1. Ք෭͠扖ͯΡٖ਻ 2. AWSΨֵ͜Ӥͽ΄च๜঵㵟 3. GitHub EnterpriseΨֵ͜Ӥͽ΄च๜঵㵟 4. CDP΄奧Օ

   5. Δ;Η 6. ݇ᘍϷЀμ 3

4. ဳ఺ᅩ • GitHub Enterprise΅GHE;ᤒ懿ͯΡ • GHE΅咲ᤒ䦒๋ෛϝЄυϴЀͽ͘Ρ2.9ᔮΨమਧ • AWSΘ匍䦒ᅩ΄ఘ䁭Ψڹ൉΁ͯΡ • 㪒ςЄϠφ;ΘίϐϤϔЄϕ͢෱͚΄ͽڥአͯΡ檭΅๋ෛ΄ఘ

   䁭Ψ݇ᆙͯΡͩ; 4

5. 1. Ք෭͠扖ͯΡٖ਻ • GHEΨAWSͽֵ͹ͼ͚ͥ檭΄抓氂;ͳ΄ᥴဩΨͪ奧Օ • ۆΠ;OpsੀΠ΀ٖ਻͢ग़Η • ஍ͽφ϶αϖل樄ͭΔͯ • ݇ᘍϷЀμΨ㪥ͱͼ͚Ρ΄ͽ托奞ΨᎣΠ͵͚䁰ݳ΅݇ᆙͥͶͫ

   ͚ 5

6. 2. AWSΨֵ͜Ӥͽ΄च๜঵㵟 • ᒫӞ΁ϫϚЄυϖςЄϠφ΄ڥአΨ䭥懵ͯΡͩ; • ਞਧ௔ • ՜ςЄϠφ;΄昧൭ • 晁አ揗រ΄֗仂

   • 䰤伛ςЄϠφͽ΅ᥝկ΁ݳΥ΀͚䁰ݳ΁ᛔړ͵ͷͽ֢Ρ • տᐒ͢ಭ揾ͯΏͣϠυϚφϺυϐμ΁ᵞӾͯΡ 6

7. 3. GHEΨֵ͜Ӥͽ΄च๜঵㵟 • च๜ጱ΁GHEᛔ᫝΄戔ਧΨ୓Ο΀͚ • GHE΄ίϐϤϔЄϕͽ/data/userզक़قͼӤ䨗ͣͫ΢Ρ͵Η • GitHub͢൉׀ͭͼͥ΢ͼ͚Ρ䰤伛䱛ᚆΨֵ͜ • 晁አ揗រΨ֗仂ͭ͵୵ͽGHEΨᓕቘͽͣΡ

   7

8. 4. CDP΄奧Օ 8

9. 抓氂1 9

10. GHEΨαЀόЄϚϐϕ΁ ل樄ͭ͵ͥ΀͚ 10

11. GHEΨαЀόЄϚϐϕ΁ل樄ͭ͵ͥ΀͚ • GitHub.com͘͢Ρ΁Θ樛ΥΟͰGHEΨڥአͯΡ㵕䱛΅͚ͥͺ͘͡Ρ • ψκϲϷϓΰӤ΄ᥝկ͡Οᐒक़΁ϊЄφπЄϖΨᗝͣ͵ͥ΀͚;ᘍ ͞Ρ͠ਮ䯭΅ग़͚ • Ϥ϶αϦЄϕϷϪυϕϷΨϞϣϷϐμ΁ͭͼͭΔ͹͵ • ίμψφκЄΨπϬϐϕ΁ތΗͼͭΔ͹͵

    • ᐒٖ΄LDAPςЄϝͽϺναЀᓕቘͭ͵͚ 11

12. Ϥ϶αϦЄϕNWϞόЄЀ 12

13. 䯤౮ • ᐒٖNW;VPC樌Ψψκϲί΁ള姆 • ϜЄϖγδίVPN • αЀόЄϚϐϕࢧ娄ΨIPsec VPNͽ ิݩ۸ •

    Direct Connect • 䌑አ娄ͽVPC;ള姆 13

14. 晝ਧϪαЀϕ ϜЄϖγδίVPN Direct Connect πφϕ ਞ㭅΀ϦφϕεϢζЄ ϕࢧ娄Θڥአݢᚆ κϰϷί΄䌑አ娄ςЄ Ϡφ΄ॶ夹͢஠ᥝ ϷЄϖόαϭ

    ܨ䦒~ හ昱樌~ 䒏ऒ ิݩ۸΄ηЄϝЄϥϐ ϖ΁ΞΠګᴴ͘Π ~10Gbps ߝ搡 αЀόЄϚϐϕϦЄφ ΄͵Η奺᪠Ӥ΄Ϛϐϕ ϼЄμᇫ䙪΄୽段Ψݑ ͧΡ κϰϷί΁ΞΠߝ搡͢ כ戣ͫ΢ͼ͚Ρ ᵑਸ਼䦒΄ڔΠړͧ αЀόЄϚϐϕϦЄφ ΄͵Ηᛔᐒͽכ೮ͭͼ ͚Ρ塅㾨զक़΄ڔΠړ ͧ͢櫞͚ͭ εЀϖϑЄεЀϖͽͿ ΄奺᪠Ψڥአͭͼ͚Ρ ͡಩ൎͽͣͼ͚Ρ͵Η ྲ斃ጱ਻ฃ https://www.slideshare.net/AmazonWebServicesJapan/aws-black-belt-online-seminar-2016-amazon-vpc/66 14

15. αЀόЄϚϐϕΎ΄ίμψφ • GHE͡ΟαЀόЄϚϐϕ΁ڊͼ͚ͥ͵Η΁΅̵ NAT Gateway͡ᐒٖNW΄οЄϕγδαΨڥአ ͯΡ • ϸЄϕϓЄϣϸ΄戔ਧ΅զӥ΄Ξ͜΁ͯΡ Destination Target

    䯤౮ 0.0.0.0/0 nat-xxx NAT Gateway 奺ኧ 0.0.0.0/0 vgw-xxx ᐒٖοЄϕ γδα奺ኧ 15

16. 抓氂2 16

17. GHE΄ϝϐμίϐϤͭ͢͵͚ 17

18. GHE΄ϝϐμίϐϤͭ͢͵͚ • य़Ԫ΀ϊЄφπЄϖΨכᓕͭͼ͚ΡGHE΄ϝϐμίϐϤ΅஠殾 • ηϧϬφ΀ͿͽϔЄό΄ၾ०᩸ͩ͢Ρݢᚆ௔΅Ϳ΄奲婻ͽΘ͘Ρ • ϝϐμίϐϤ/ϷφϕίͯΡ͵Η΄ϑЄϸΨGitHub͢ل樄ͭͼͥ΢ ͼ͚Ρ • https://github.com/github/backup-utils

    • ͵Ͷ̵ͭϑЄϸΨ䋚ᤈͯΡαЀφόЀφ΄ᓕቘ΅ͭ͵ͥ΀͚ 18

19. ϫϚЄυϖϝϐμίϐϤϞόЄЀ 19

20. DatePipeline • GHE΄ϝϐμίϐϤ㳌ቘΨDatePipeline ͽਧ嬝 • ݱ圵ϔЄό΄ᑏ㵕Κ̵ݐ஑΀ͿΨਧ 嬝ͽͣΡ • ϼЄμϢϺЄΨϠυϲί϶αχ΁ᤒ ᐏͭͼͥ΢Ρ

    • ϝϐμίϐϤ΄Ξ͜΀ϝϐώ㳌ቘ΄ ਧ嬝΁๋晒 20

21. ϼЄμϢϺЄ • φξυϲЄϸͽਧ๗ጱ΁Ec2ResourceΨ᩸ 㵕 • ᩸㵕ͭ͵αЀφόЀφͽ ShellCommandActivityΨ䋚ᤈ • τδϸπϫЀϖ΄Ӿͽghe-backupπϫЀϖ Ψ䋚ᤈ

    • EBSΔ͵΅EFS΁ϝϐμίϐϤϔЄόΨכਂ • ϝϐμίϐϤ΄ݐ஑΁०䤂ͭ͵䁰ݳ̵SNS ϕϡϐμ奺ኧͽᓕቘᘏ΁᭗Ꭳ 21

22. Ϸφϕί • Ϸφϕί䦒΁Ӟ䦒ጱ΁αЀφόЀφΨ ᩸㵕 • ᩸㵕ͭ͵αЀφόЀφͽEBS͡EFSΨϫ γЀϕ • ghe-restore πϫЀϖΨ䋚ᤈͭͼϷφ

    ϕί • ΘͷΣΩ̵Ϸφϕί㳌ቘΨDatePipeline ͽਧ嬝ͯΡͩ;Θݢᚆ 22

23. 抓氂3 23

24. GHE΄Email NotificationΨֵ͚͵͚ 24

25. GHE΄Email NotificationΨֵ͚͵͚ • Email Notification;΅GHE΄αϦЀϕ咲ኞ䦒΁ϮЄϸͽ᭗Ꭳͭ ͼͥ΢Ρ䱛ᚆ • PR/Issue/etc... • GHE΄䁰ݳ̵ᛔړͽᭆמአϮЄϸςЄϝΨ䯤塈ͯΡ஠ᥝ͘͢Ρ

    • ͳ΢አ΄ϮЄϸςЄϝ͢΀͚䁰ݳ̵ͩ΄䱛ᚆΨڥአͯΡ͵ΗͶ ͧ΁䯤塈ͯΡ΄΅τЀϖ͚ 25

26. ϫϚЄυϖEmail Notification ϞόЄЀ 26

27. SES • GHE͡ΟSES奺ኧͽNotificationΨᭆמ • GHE;SES΅㳨ϷЄυϴЀͽΘOK • SES΄ϮЄϸᭆמ΅ϩόЀϪώϪώͽ 墋㶨΁ψϐϕίϐϤݢᚆ • SESΨֵ͜΀ΟϖϮαЀᓕቘΨRoute53

    ͽΚΡ;墋㶨 27

28. ψϐϕίϐϤ • SES厏हΨςЀϖϩϐμφक़΁ᑏ㵕 • SMTP扯戣አIAMϳЄσ΄֢౮ • ᭆמزϖϮαЀ΄扯戣 • GHE΄ϫϚυϮЀϕπЀϊЄϸ͡Ο SMTP΄戔ਧ

    28

29. 抓氂4 29

30. GHEΨ䮭΁ᓕቘͭ͵͚ 30

31. GHEΨ䮭΁ᓕቘͭ͵͚ • GHE΄ϺνΨכਂͭ͵Π̵ϮϕϷμφΨ㷧ᵞͭ͵͚ • ͽΘεЄυδЀϕ΀Ϳ΄ϊϢϕγδίΨGHEᛔ֛΁αЀφϕЄϸͯΡ΄ ΅᭿ͧ͵͚ • Ϻν΅ϢζϼЄϔΰЀνͯΡͩ;΁ΞΠ敢ᭆݢᚆ • ϺναЀઆ䵉/ίϤϷξЄτϴЀϺν/etc...

    • SNMPͽϮϕϷμφΨ㷧ᵞݢᚆ • CPU/φϕϹЄυ਻ᰁ/ϮϯϷ/etc... 31

32. WorkerϞόЄЀ 32

33. Ϻν΄ίЄθαϣ • GHEͽϺνϢζϼЄϔΰЀνΨํ㵁۸ • UDP:514ͽGHE͡ΟϺνΨ㷧ᵞ • fluentd-plugin-s3ͽS3΁כਂ • Ϥ϶αϦЄϕNWϞόЄЀ΄䁰ݳ΅VPC EndpointΨڥአͯΡͩ;

    • S3΅ϔЄόϹαμ;ͭͼڥአݢᚆ΀΄ ͽਖ਼๶ጱ΁ړຉ/ݢ憙۸;͚͹͵ͩ;Θ ݢᚆ 33

34. Ϻν΄哶憙 • GHEͽϺνϢζϼЄϔΰЀνΨํ㵁۸ • fluent-plugin-cloudwatch-logsͽ CloudWatch Logs΁ϺνΨ敢ᭆ • Metrics FilterΨڥአͭͼᇙਧ΄෈ਁڜ

    ΁ϫϐώͭ͵䁰ݳSNSϕϡϐμ΁᭗Ꭳ 34

35. ϷϊЄφ΄哶憙 • GHEͽSNMPϯϘόϷЀνΨํ㵁۸ • CollectdΨαЀφϕЄϸͭ͵αЀφόЀ φͽGHE΄ϮϕϷμφΨSNMP奺ኧͽ 㷧ᵞ • Collectd͡ΟCloudWatch MetricsΎ΄敢

    ᭆ΅AWSلୗϤ϶ναЀΨڥአ • https://github.com/awslabs/collectd- cloudwatch 35

36. 抓氂5 36

37. GHE΁ϫϸώϖϮαЀ戣ก䨗Ψ 戔ਧͭ͵͚ 37

38. GHE΁ϫϸώϖϮαЀ戣ก䨗Ψ戔ਧͭ͵͚ • GHE΅HTTPS᭗מ͢വ䅏 • GHE΁΅Subdomain Isolation;͚͜䱛ᚆ͘͢Πവ䅏戔ਧ • URLΨςϣϖϮαЀ୵ୗ΁ͭͼXSS΁㯪͞Ρ䱛ᚆ • ͩ΄䱛ᚆΨڥአͭͺͺHTTPS᭗מͯΡ͵Η΁΅ϫϸώϖϮαЀ

    戣ก䨗͢஠ᥝ 38

39. Subdomain Isolation Original Path With subdomain isolation http(s)://hostname/gist/ http(s)://gist.hostname/ http(s)://hostname/raw/

    http(s)://raw.hostname/ • SSL戣ก䨗΄ϖϮαЀ͢ *.hostname ;SANͽ hostname ΁䌏䖕ͭͼ͚Ρ஠ᥝ͘͢Ρ • ηϹηϹ戣ก䨗Ͷ;ϣ϶γσ΁ᦄޞ͢ڊͼͭΔ͜ • ᐒٖڥአ΄͵Η΁SSL戣ก䨗Ψ揮͚͵ͥ΀͚ 39

40. ϫϚЄυϖCertificationϞόЄЀ 40

41. ACM • 戣ก䨗΄咲ᤈ΅僻ාͽֵ͞Ρ • 戣ก䨗΄ๅෛ֢䮣΅AWS͢Κ͹ͼͥ΢Ρ • ϫϸώϖϮαЀ戣ก䨗΁Θ䌏䖕 • ACM΅ϖϮαЀ扯戣(DV)΄Ε䌏䖕 •

    䋚ࣁ扯戣(EV)/奲婻扯戣(OV)戣ก䨗΅๚䌏䖕 • ᐒक़΁ل樄ͭ΀͚΄ͽ͘΢ΆACMͽ܈ړ 41

42. ϺЄϖϝ϶Ѐς • GHE΄2.9ᔮ͡ΟϺЄϖϝ϶ЀςΨςϪЄ ϕ • PROXY protocol(വ䅏) • X-Forwarded-For •

    զӥ΄2ͺ΅ᶋ䌏䖕 • ϺЄϖϝ϶ЀτЀν • SSLόЄϬϚЄτϴЀ • GHE΄ڹྦྷ΁ELBΨ戔ᗝ̵ͭͳͩ΁ACMΨ 戔ਧͯΡ 42

43. ϺЄϖϝ϶Ѐς • ALB΅PROXY protocol΁䌏䖕ͭͼ΀͚ ΄ͽCLBΨֵ͜ • Ϥ϶αϦЄϕNWϞόЄЀ΄䁰ݳ΅ Internal ELB 43

44. 44

45. 抓氂6 45

46. GHE΄HA䯤౮Ψ䮭΁ᓕቘͭ͵͚ 46

47. GHE΄HA䯤౮ • GHE΅Active/Standby୵ୗ΄HA䯤౮͢ ݢᚆ • Ϥ϶αϫϷ - ψθЀύϷͽϹϤϷξЄ τϴЀΨ奲Ε̵ϔЄόΨݶ๗ͫͱΡ䯤౮ •

    SSHΚVPNϕЀϚϸΨڥአͭͼ͚Ρ΄ ͽ̵Ϥ϶αϫϷ - ψθЀύϷ樌ͽͳ΢Ο ΄ψϐϕίϐϤΨͭͼͥ͠஠ᥝ͘Π • 戔ਧ΁΅ghe-replᔮ΄πϫЀϖΨڥአͯ Ρ 47

48. HA䯤౮΄ψϐϕίϐϤ # ϹϤϷξЄτϴЀ΄ψϐϕίϐϤ $ ghe-repl-setup <Ϥ϶αϫϷ΄IPίϖϹφ or Ϩφϕݷ> # ϹϤϷξЄτϴЀ΄樄ত

    $ ghe-repl-start # ϹϤϷξЄτϴЀ΄ᇫ䙪嘦扯 $ ghe-repl-status 48

49. ψθЀύϷ΄䥮໒ • Ϥ϶αϫϷ͢ύγЀͭ͵䁰ݳ΁̵ψθ ЀύϷΨϤ϶αϫϷ΁䥮໒ͯΡ # Ϥ϶αϫϷΎ΄䥮໒ $ ghe-repl-promote • 䥮໒䦒΁̵GHE΄FQDNΨψθЀύϷ㯎

    ΁䄜ๅͯΡ஠ᥝ͘͢Ρ • ᵑਸ਼咲ኞ䦒΁DNS΄戔ਧΨ䄜ๅͯΡ΄ ΅ͷΝ͹;τЀϖ͚ 49

50. HA SwappingϞόЄЀ 50

51. DNS΄ڔΠ๊͞ • ELBΨڥአͭͼ͚΢ΆϤ϶αϫϷ/ψθЀ ύϷΨSwapͯ΢ΆOK • ψθЀύϷΨELB΁ίόϐώͯΡ • Ϥ϶αϫϷΨELB͡ΟϔόϐώͯΡ • ELB΄UnHealthyHostCount΁䌏ͭͼ

    AlarmΨ戔ਧ • ϫφόЄ͢ύγЀͭ͵ΟSNSϕϡϐμͽ ί϶Єϕ᭗Ꭳ • ELB΄ݻͣضΨψθЀύϷ΁䄜ๅ 51

52. 5. Δ;Η 52

53. Δ;Η • AWSΨڥአͯΡ΀ΟϫϚЄυϖςЄϠφΨֵ͜͠ • GHEΨ䮭΁ᓕቘͭ͵͚䁰ݳ̵AWS΄ϫϚЄυϖςЄϠφ΅๋晒 • 敋斪΄ٚ咲ก΅䮩ێͭ΀͚ • AWSӤͽGHEΨڥአͭ͵͚;ᘍ͞ͼ͚Ρ䁰ݳ΅ฎᶋͪፘ抨ͥͶ ͚ͫ:)

    53

54. ͠ΥΠ 54

55. 6. ݇ᘍϷЀμ 55

56. Ϥ϶αϦЄϕNWϞόЄЀ • https://www.slideshare.net/AmazonWebServicesJapan/aws- black-belt-online-seminar-2016-amazon-vpc 56

57. ϫϚЄυϖϝϐμίϐϤϞόЄЀ • http://dev.classmethod.jp/cloud/aws/aws-datapipeline-all-pipeline- objects/ • http://dev.classmethod.jp/cloud/aws/creating-efs-backup- environment-with-datapipeline/ • http://dev.classmethod.jp/cloud/aws/github-enterprise-on-aws-5/ •

    https://github.com/awslabs/data-pipeline-samples • https://help.github.com/enterprise/2.9/admin/guides/installation/ backups-and-disaster-recovery/ 57

58. ϫϚЄυϖEmail NotificationϞόЄЀ • http://dev.classmethod.jp/cloud/aws/github-enterprise-on- aws-3/ 58

59. WorkerϞόЄЀ • http://dev.classmethod.jp/cloud/aws/github-enterprise-on-aws-8/ • http://dev.classmethod.jp/cloud/aws/github-enterprise-on-aws-7/ • http://dev.classmethod.jp/cloud/aws/github-enterprise-on-aws-6/ • https://help.github.com/enterprise/2.9/admin/articles/log- forwarding/

    • https://help.github.com/enterprise/2.9/admin/articles/ monitoring-using-snmp/ 59

60. ϫϚЄυϖCertificationϞόЄЀ & HA SwappingϞόЄ Ѐ • http://dev.classmethod.jp/cloud/aws/check_acm_specification/ • https://help.github.com/enterprise/2.9/admin/guides/ installation/using-github-enterprise-with-a-load-balancer/

    60