Cloudy with a Chance of Fireballs: Provisioning and Certificate Management in Puppet - PuppetConf 2014


Page 1: Cloudy with a Chance of Fireballs: Provisioning and Certificate Management in Puppet - PuppetConf 2014

2014

Presented by

Cloudy with a chance of Fireballs: Managing Trusted Instances in the Cloud

eric sorenson [email protected]

Page 2

What's the problem?

Why you might care

End to End Overview

Walkthrough w/ AWS

Related work

Page 3

What's the problem?

Page 4

What's the REAL problem?

Page 6

Why you might care

Page 11

+-------------------------------+      +-------------+
|                               |      |             |
|        Amazon EC2 API         <------+ provisioner |
+---------------------^---------+      +-------------+
                      |
                      |
+-------+      +------+---------+
|       |      |                |
| node1 +------> puppetmaster   |
+-------+      +----------------+

Follow along at home: https://github.com/ahpook/mrzarquon-certsigner/tree/eric0-wip

Page 12

+----------------------------+
|                            |
|       Amazon EC2 API       | <--+
|                            |    |
+----------------------------+    |

Prerequisites:

Puppetmaster w/IAM credentials and autosign policy configured

AMI with user-data install or preloaded agent+ec2-utils, IAM policy permitting query tags

Page 13

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1411031868000",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeTags"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Page 14

+----------------------------+
|                            |
|       Amazon EC2 API       |
|                            |
+------^---------------------+
       |
+------+------+
|             |      Your provisioning node requests
| Provisioner | <--- some new instances using that image,
|             |      tagging them w/ role: 'webserver'
+-------------+

Page 15

[vagrant@deglitch ~]$ puppet node_aws --trace --debug create -i ami-37713107 --region=us-west-2 --instance-tags=role=webserver --type=t1.micro --keyname=certsigner --security-group=webservers
Debug: Runtime environment: puppet_version=3.6.2 (Puppet Enterprise 3.4.0-rc1-790-gf96f634), ruby_version=1.9.3, run_mode=user, default_encoding=UTF-8
Info: Connecting to AWS us-west-2 ... Done
Info: Instance Type: t1.micro
Notice: Creating new instance ... Done
Info: Instance identifier: i-abc8f0a6
Notice: Creating tags for instance ...
Info: Creating tag for Created-By ... Done
Info: Creating tag for role ... Done
Notice: Creating tags for instance ... Done
Notice: Launching server i-abc8f0a6 ... #####
Notice: Server i-abc8f0a6 is now launched
Notice: Server i-abc8f0a6 public dns name: ec2-54-68-132-30.us-west-2.compute.amazonaws.com

Page 16

+---------------------------------+
|                                 |
|  Amazon EC2 + using your image  |    EC2 builds your instances,
|                                 |    running the user-data script
+----+-----------+-----------+----+    which drops instance-specific
     |           |           |         metadata into csr_attributes.yaml
     |           |           |                        |
 +---v---+   +---v---+   +---v---+                    |
 |       |   |       |   |       |                    |
 | node1 |   | node2 |   | node3 | <------------------+
 +-------+   +-------+   +-------+

Page 19

+-------------------------------+
|                               |    Each node generates a CSR which
|        Amazon EC2 API         |    embeds the metadata as requested
+---------------------^---------+    attributes and submits it to the
                      |              puppetmaster, which checks the
                      |              instance-ID against EC2 to verify
+-------+      +------+---------+    it came from a valid instance.
|       |      |                |
| node1 +------> puppetmaster   |
+-------+      +----------------+

Page 20

+-------------------------------+
|                               |    If the API is OK, the puppetmaster
|        Amazon EC2 API         |    signs the CSR, moving the tags,
+---------------------+---------+    instance-id and any other metadata in
                      |              whitelisted extension requests
                      |              inside the signed certificate. The
+-------+      +------v---------+    signed cert is retrieved by the node
|       |      |                |    and normal Puppet runs can begin.
| node1 <------+ puppetmaster   |
+-------+      +----------------+
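The verify-then-sign step of pages 19 and 20, as an added example that is not the deck's or the mrzarquon-certsigner module's code: a Ruby policy script of the kind Puppet's `autosign` setting can execute. It decodes the CSR's extension requests, refuses to sign unless the certname is the instance ID the CSR claims, and looks the instance up in a tag store that stands in for ec2:DescribeTags. `extension_requests`, `approve?`, `build_csr` and the in-memory tag store are constructed for this example; the OIDs are Puppet's own, as the cert and `$trusted` output on pages 21 and 23 show.

```ruby
require 'openssl'

# Puppet's registered OIDs for the csr_attributes.yaml keys the deck uses; .1.1.5 carries the 'role' tag.
PP_INSTANCE_ID = '1.3.6.1.4.1.34380.1.1.2'
PP_IMAGE_NAME  = '1.3.6.1.4.1.34380.1.1.3'
PP_ROLE        = '1.3.6.1.4.1.34380.1.1.5'

# Decode the extension requests of a PEM CSR into { oid => utf8 string }.
def extension_requests(csr_pem)
  req  = OpenSSL::X509::Request.new(csr_pem)
  attr = req.attributes.find { |a| a.oid == 'extReq' }
  return {} unless attr
  attr.value.value.first.value.each_with_object({}) do |ext_seq, out|
    ext = OpenSSL::X509::Extension.new(ext_seq.to_der)
    # Extension DER is SEQUENCE { OID, [critical], OCTET STRING }; the octet
    # string wraps the DER of the UTF8String the Puppet agent wrote.
    octets = OpenSSL::ASN1.decode(ext.to_der).value.last.value
    out[ext.oid] = OpenSSL::ASN1.decode(octets).value
  end
end

# Policy decision: the certname must be the instance ID the CSR claims, EC2 must
# know that instance, and its 'role' tag must match the CSR's role.
# describe_tags is a constructed stand-in for an ec2:DescribeTags call.
def approve?(certname, csr_pem, describe_tags)
  exts = extension_requests(csr_pem)
  return false unless exts[PP_INSTANCE_ID] == certname
  tags = describe_tags.call(certname)
  !tags.nil? && tags['role'] == exts[PP_ROLE]
end

# Constructed CSR with Puppet-style extension requests (what the agent builds from csr_attributes.yaml).
def build_csr(certname, key, ext_values)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', certname]])
  req.public_key = key.public_key
  exts = ext_values.map do |oid, v|
    OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(v).to_der, false)
  end
  req.add_attribute(OpenSSL::X509::Attribute.new('extReq',
    OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new(exts)])))
  req.sign(key, OpenSSL::Digest::SHA256.new)
  req.to_pem
end

# Policy-executable contract (autosign = /path/to/this.rb in puppet.conf):
# certname in ARGV[0], PEM CSR on stdin, exit 0 to sign. Tag store is constructed.
if __FILE__ == $0 && ARGV.length == 1
  store = { 'i-f3cef5fe' => { 'role' => 'webserver' } }
  exit(approve?(ARGV[0], $stdin.read, ->(id) { store[id] }) ? 0 : 1)
end
```

A rejected CSR stays in the CA's pending queue exactly as with any other autosign policy, so the check is fail-closed: an instance the API does not know, or one whose role tag disagrees with what the CSR claims, never gets a certificate without a human looking at it.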

Page 21

openssl x509 -noout -text -in /var/lib/puppet/ssl/ca/signed/i-f3cef5fe.pem
[ ... tons of crap trimmed ... ]
        X509v3 extensions:
            Netscape Comment:
                Puppet Ruby/OpenSSL Internal Certificate
            1.3.6.1.4.1.34380.1.1.5:
                webserver
            1.3.6.1.4.1.34380.1.1.3:
                ami-37713107
            1.3.6.1.4.1.34380.1.1.2:
                i-f3cef5fe

Page 22

+-------+      +----------------+    When the node checks in, the extensions
|       |      |                |    will be available under the '$trusted'
| node1 +-----> puppetmaster    |    top-scope hash for classification,
+-------+      +----------------+    manifests, etc.

# puppet.conf
[master]
trusted_node_data = true
immutable_node_data = true

Page 23

## site.pp
node default {
  notify { "trusted_data":
    message => inline_template("<%= scope.lookupvar('trusted').inspect %>")
  }
}

## agent output
Notice: /Stage[main]/Main/Node[default]/Notify[trusted_data]/message: defined 'message' as '{"certname"=>"i-f3cef5fe", "authenticated"=>"remote", "extensions"=>{"pp_instance_id"=>"i-f3cef5fe", "pp_image_name"=>"ami-37713107", "1.3.6.1.4.1.34380.1.1.5"=>"webserver"}}'

Page 24

Related and future work!

Signing policy for AWS: mrzarquon-certsigner

Signing policy for GCE: puppetlabs-gce_compute

Signing policy for in-house CMDBs?

Puppet Enterprise Node Manager

Page 27

Photo/Link Credits

CERN - http://www.slideshare.net/gmccance/cern-data-centre-evolution

Google maps screenshot of Apple Data Center - fair use, with attribution inline Imagery (c) 2014 Google

NSA HQ, Fort Meade - "National Security Agency headquarters, Fort Meade, Maryland" by Unknown - http://www.nsa.gov/about/photo_gallery/gallery.shtml. Licensed under Public domain via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg#mediaviewer/File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg

Bitcoin mining rigs from buttcoin.org http://buttcoin.org/mining-rigs-3

“Cloud City at Sunset” http://balsavor.deviantart.com/art/The-Falcon-escapes-Cloud-city-143511722

Han and Lando

Mario Fireball - from http://www.giantbomb.com/fireball/3055-120/

© Yorkberlin | Dreamstime.com - Sorceress With Fireball Photo