Slide 1

MAKING INFRASTRUCTURE S'MORES WITH CHEF

Slide 2

WHOAMI

Slide 3

WHAT IS CHEF?

▸ Define reusable resources and infrastructure state as code
▸ Manages deployment and on-going automation
▸ Community content available for all common automation tasks

Slide 5

DOMAIN EXPERTS

▸ Systems are complicated today
▸ Nobody can know everything about the stack
▸ Let your domain experts contribute their portion directly

Slide 6

ANYONE CAN DO ANYTHING?

Slide 7

OLD WAY: COMMUNICATE VIA TICKETS

Slide 8

NEW WAY: COMMUNICATE VIA CODE

Slide 9

CONFIGURATION DRIFT

Slide 10

DON'T DO THINGS BY HAND

"Every time someone logs onto a system by hand, they jeopardize everyone's understanding of the system" — Mark Burgess

Slide 11

PEOPLE MAKE MISTAKES. THIS DOESN'T SCALE.

Slide 12

INFRASTRUCTURE AS CODE

"Enable the reconstruction of the business from nothing but a source code repository, an application data backup, and [compute] resources" — Jesse Robbins

Slide 13

VERSIONED, MODULARIZED, TESTED

Slide 14

EXECUTABLE DOCUMENTATION

Slide 15

HOW DO I MAKE SURE NOBODY MESSES STUFF UP?

Slide 16

TESTING IS ESSENTIAL

Slide 17

COMMUNICATE THROUGH CODE (REDUX)

Slide 18

WHAT HAPPENS WHEN YOU HAVE ONE GROUP WRITING ALL THE AUTOMATION?

Slide 22

HOW DO WE SOLVE THIS?

Slide 23

USE A PIPELINE

Slide 24

ENCOURAGE LOCAL TESTING WITH FOODCRITIC

Slide 25

EXAMPLE FOODCRITIC CUSTOM RULE

```ruby
# Custom Foodcritic rule: flag any recipe that mounts a disk volume, whether
# through a mount resource or through an execute resource that shells out to mount.
rule 'COMP001', 'Do not allow recipes to mount disk volumes' do
  tags %w{recipe compliance}
  recipe do |ast|
    # Every mount resource is a violation (the find_all here filters nothing out).
    mountres = find_resources(ast, :type => 'mount').find_all do |cmd|
      cmd
    end
    # An execute resource is a violation when its command attribute, or its
    # name when no command attribute is set, contains 'mount'.
    execres = find_resources(ast, :type => 'execute').find_all do |cmd|
      cmd_str = (resource_attribute(cmd, 'command') || resource_name(cmd)).to_s
      cmd_str.include?('mount')
    end
    # Report each offending resource at its line in the recipe.
    mountres.concat(execres).map { |cmd| match(cmd) }
  end
end
```

Slide 26

ERROR OUTPUT FROM FOODCRITIC

```console
$ foodcritic -I /afs/getchef.com/foodcritic-rules/rules.rb .
COMP001: Do not allow recipes to mount disk volumes: ./recipes/default.rb:20
COMP001: Do not allow recipes to mount disk volumes: ./recipes/default.rb:26
```
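To make the rule's behaviour concrete without installing Foodcritic, here is an added, standalone Ruby approximation of COMP001 that produces findings in the same `RULE: description: path:line` format shown above. It is not Foodcritic's code and does not use its DSL (`find_resources`, `resource_attribute`, `resource_name`, `match`); it scans recipe text line by line instead of walking the Ruby AST, and `SAMPLE_RECIPE` is a constructed recipe, not one from the talk. It also reproduces a caveat worth knowing about the slide's rule: the execute check is a plain substring match on `'mount'`, so a command such as `cat /proc/mounts` is reported as well.

```ruby
# Added example, not Foodcritic code: a standalone, line-based approximation
# of the COMP001 rule on the slide. It does not use the Foodcritic DSL
# (find_resources, resource_attribute, resource_name, match); it reproduces
# the rule's logic and Foodcritic's output format so it runs without the gem.
RULE_ID   = 'COMP001'
RULE_DESC = 'Do not allow recipes to mount disk volumes'

def finding(path, lineno)
  "#{RULE_ID}: #{RULE_DESC}: #{path}:#{lineno}"
end

# Same test as the slide's execute branch: the command attribute, or the
# resource name when no command attribute is set, must not contain 'mount'.
# Note this is a substring match, so 'cat /proc/mounts' is flagged too.
def flags_execute?(res)
  (res[:command] || res[:name]).to_s.include?('mount')
end

# Scan recipe text and return one finding string per offending resource,
# pointing at the line on which the resource is declared.
# Limitation of this approximation: nested blocks inside an execute resource
# (e.g. not_if do ... end) are not tracked; Foodcritic walks the real Ruby AST.
def check_mount_rule(recipe_text, path = './recipes/default.rb')
  findings = []
  open_execute = nil # { line:, name:, command: } while inside an execute block

  recipe_text.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp
    if line.match?(/\A\s*mount\s+['"][^'"]+['"]/)
      # Every mount resource is a violation, whatever its attributes.
      findings << finding(path, lineno)
    elsif (m = line.match(/\A\s*execute\s+['"]([^'"]+)['"](.*)\z/))
      res = { line: lineno, name: m[1], command: nil }
      if m[2].match?(/\bdo\b/)
        open_execute = res # attributes follow inside the block
      elsif flags_execute?(res)
        findings << finding(path, lineno) # one-line execute: the name is the command
      end
    elsif open_execute && (m = line.match(/\A\s*command\s+['"]([^'"]*)['"]/))
      open_execute[:command] = m[1]
    elsif open_execute && line.match?(/\A\s*end\b/)
      findings << finding(path, open_execute[:line]) if flags_execute?(open_execute)
      open_execute = nil
    end
  end
  findings
end

# Constructed sample recipe (not from the slides). Line numbers matter:
# a mount resource on line 3 and execute resources on lines 9, 13 and 17.
SAMPLE_RECIPE = <<~RECIPE
  package 'nfs-common'

  mount '/mnt/data' do
    device '/dev/sdb1'
    fstype 'ext4'
    action [:mount, :enable]
  end

  execute 'mount-scratch' do
    command 'mount -t tmpfs tmpfs /mnt/scratch'
  end

  execute 'list-mounts' do
    command 'cat /proc/mounts > /tmp/mounts.txt'
  end

  execute 'echo hello'
RECIPE

# Findings for the sample: lines 3 (mount), 9 (mount command) and 13 (the
# substring false positive on /proc/mounts); line 17 is clean.
def sample_findings
  check_mount_rule(SAMPLE_RECIPE)
end

if __FILE__ == $PROGRAM_NAME
  puts sample_findings
end
```

Running the file prints three COMP001 lines for `./recipes/default.rb:3`, `:9` and `:13`. The third one is the false positive; a production rule would anchor the match on the command's first word (or a `mount` binary path) rather than any occurrence of the substring.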

Slide 27

CHEF AUDIT MODE AS THE FINAL TEST

Slide 28

EXAMPLE OF AN AUDIT COOKBOOK

```ruby
# Audit-mode control using Serverspec matchers: the FTP daemon must be
# stopped, disabled at boot, and nothing may be listening on port 21.
control '6.9 Ensure FTP Server is not enabled' do
  it 'is not running the vsftpd service' do
    expect(service('vsftpd')).to_not be_running
    expect(service('vsftpd')).to_not be_enabled
  end
  it 'is not listening on port 21' do
    expect(port(21)).to_not be_listening
  end
end
```
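The `port(21)` expectation in this control asks whether any TCP socket on the host is in LISTEN state on port 21. As an added illustration (not Chef audit-mode or Serverspec code, and not a claim about how Serverspec implements its matcher), the following Ruby reads the Linux `/proc/net/tcp` table and answers the same question; `SAMPLE_PROC_NET_TCP` is a constructed excerpt in which an FTP daemon is listening on 21, so the check fails just as the control above would.

```ruby
# Added example, not Chef or Serverspec code: evaluate the "not listening on
# port 21" expectation directly from the Linux /proc/net/tcp table (IPv4 only).

# Parse /proc/net/tcp text and return the local ports that have a socket in
# LISTEN state. Each row is "sl local_address rem_address st ..." where
# local_address is HEXIP:HEXPORT and st is the socket state (0A == LISTEN).
def listening_ports(proc_net_tcp)
  ports = proc_net_tcp.each_line.drop(1).each_with_object([]) do |row, acc|
    fields = row.split
    next if fields.size < 4
    local_address, state = fields[1], fields[3]
    next unless state == '0A'
    acc << local_address.split(':').last.to_i(16)
  end
  ports.uniq.sort
end

# Evaluate the control's port expectation. Returns a list of failure messages;
# an empty list means the expectation holds.
def check_ftp_not_listening(proc_net_tcp, port = 21)
  ports = listening_ports(proc_net_tcp)
  ports.include?(port) ? ["port #{port} is listening"] : []
end

# Constructed /proc/net/tcp excerpt (header plus three rows): a listener on
# 22 (0x0016), an ESTABLISHED client connection (state 01) that must be
# ignored, and a listener on 21 (0x0015), i.e. an FTP daemon is up.
SAMPLE_PROC_NET_TCP = <<~TCP
    sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
     0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
     1: 0100007F:9C40 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
     2: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
TCP

# Run the same check against the host this script executes on (Linux only).
def live_check
  check_ftp_not_listening(File.read('/proc/net/tcp'))
end

if __FILE__ == $PROGRAM_NAME
  puts "sample table: #{check_ftp_not_listening(SAMPLE_PROC_NET_TCP).inspect}"
  puts "this host:    #{live_check.inspect}" if File.readable?('/proc/net/tcp')
end
```

Against the sample table the check returns `["port 21 is listening"]`, which is the failure the audit control would report; against a host with no FTP listener it returns an empty list. Only rows in state `0A` count, so the established connection on line 1 does not produce a false positive.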

Slide 29

SECURITY AND COMPLIANCE SHOULD BE FIRST-CLASS CITIZENS

Slide 30

TRUST, BUT VERIFY

Slide 31

SEPARATION OF CONCERNS IS A THING

Slide 32

AKA "MY TESTS ARE FAILING, SO I'LL REMOVE THEM"

Slide 33

DEMO TIME

Slide 34

TO REVIEW

▸ Trust (but verify) your domain experts
▸ Share the cooking
▸ Foodcritic is your friend
▸ Use your production audit cookbooks in your pipeline
▸ Did I mention test?

Slide 35

QUESTIONS?

Slide 36

RESOURCES

▸ Sidney Dekker - Field Guide to Human Error
▸ foodcritic.io
▸ learn.chef.io
▸ http://jtimberman.housepub.org/blog/2015/04/03/chef-audit-mode-introduction/

Slide 37

MOAR RESOURCES

▸ twitter.com/mattstratton
▸ speakerdeck.com/mattstratton
▸ github.com/mattstratton/infrastruture-smores
▸ github.com/mattstratton/speaking
▸ arresteddevops.com