SlideShare a Scribd company logo

Config Management Camp 2015 - How to Deploy CFEngine in the Open Internet

CFEngine
CFEngine

How to Deploy CFEngine in the Open Internet - a tech talk from Config Management Camp 2015

Technology
1 of 27
Download to read offline
How to Deploy CFEngine in the Open Internet Dimitrios Apostolou jimis@cfengine.com CFEngine AS
Bootstrapping Trust TLS Protocol Selective Asset Distribution Diagnosing problems
Bootstrapping Trust TLS Protocol Selective Asset Distribution Diagnosing problems
How do I start with CFEngine? You “bootstrap”...
cf-agent --bootstrap 1.2.3.4 ● Removes all inputs/ ● Generates inputs/failsafe.cf ● Checks if address provided is local; if so: ● Sets am_policy_hub ● Touches state/am_policy_hub ● Checks existence of masterfiles/promises.cf ● Writes policy_server.dat ● Evaluates failsafe.cf
failsafe.cf ● Runs cf-key, i.e. generates ppkeys/localhost.{priv,pub} ● inputs => copy_from hub:/var/cfengine/masterfiles ● cf-execd ● cf-agent -f update.cf
In broad terms, bootstrapping ensures that: ● Policy is copied over from the Hub ● Executor is started ● Agent trusts the Hub
Bootstrapping Trust TLS Protocol Selective Asset Distribution Diagnosing problems
Peer's identity: MD5-0123456789abcdef.pub # cf-key -p /var/cfengine/ppkeys/localhost.pub MD5=839bfd0b494358fe67aaf9a607246c41 ➢ A peer trusts all identities that are in ppkeys/ ➢ A peer does not trust anybody else. ● SSH-like: No certificates, no CAs, no CRLs ● SSH-unlike: Two-way trust
Trust Establishment body copy_from: ➔ trustkey => “true”; #failsafe.cf body server control: ➔ trustkeysfrom => {“0.0.0.0/0”}; All connecting peers are always accepted and key is stored as trusted.
Trust Established body copy_from: ➔ trustkey => “false”; #default body server control: ➔ trustkeysfrom => {}; Any connecting peer with an unknown key is immediately rejected.
Trust revocation ● Keep your trustkeysfrom list empty and your ACLs closed down ● Delete respective key file
Standard bootstrapping (easiest) (1) Ensure protected internal network (2) Automatically bootstrap each client (tip: visually verify MD5 IDs) (3) Empty trustkeysfrom and close-down the rest of the ACLs (allowconnects mostly) Note: Client can then be deployed anywhere and even change address, keys are not attached to IPs.
Standard bootstrapping (easiest) (1) Ensure protected internal network (2) Automatically bootstrap each client (tip: visually verify MD5 IDs) (3) Empty trustkeysfrom and close-down the rest of the ACLs (allowconnects mostly) Note: Client can then be deployed anywhere and even change address, keys are not attached to IPs. –- Not recommended in the Open Internet ---
Alternative ways to bootstrap Run from the hub: cf-runagent -i -H $CLIENTIP Manually exchange keys: DEMO
DEMO ● Hub up and running, properly secured (failsafe.cf, update.cf, promises.cf, cf_serverd.cf) ➢ failsafe.cf changed and served in masterfiles ● Client: cf-key # generate key pair ● Client: echo $HUB_IP > policy_server.dat ● Copy failsafe.cf to client's inputs ● Client: running failsafe.cf fails, must copy keys ● cf-key -p gives the MD5 ID of the key ● scp localhost.pub $CLIENT_IP:root-MD5=aaaa.pub ● scp $CLIENT_IP:localhost.pub root-MD5=bbbb.pub ● Client: cf-agent -f failsafe.cf # Success!
Bootstrapping Trust TLS Protocol Selective Asset Distribution Diagnosing problems
Why prefer TLS? ● Fully encrypted and integrity checked channel ● Frequently attacked ● Frequently updated ● Industry standard ● Slightly faster (more optimised code), higher grade ciphers ● User experience remains the same – same old trust model, no certificates, no CAs, no CRLs
How to enforce TLS in CFEngine body common control in promises.cf, update.cf, failsafe.cf: ➔ protocol_version => “latest” ➔ trustkey => ”false” body server control: ➔ allowlegacyconnects => {}
Plan is to extend TLS support ● Support new versions of the TLS spec ● More configurability (ciphers, versions etc) ● Change to TLS as default
Bootstrapping Trust TLS Protocol Selective Asset Distribution Diagnosing problems
Generic Guideline ● Do not distribute secrets in the policy ➢ Can't avoid secrets' distribution? Encrypt using client's public key, decrypt using clients's private key cf-keycrypt (community effort) https://github.com/cfengineers-net/cf-keycrypt
There are cases that even not-so-sensitive data needs to be protected, e.g. password hashes ● bundle server access_rules: ➔ admit_keys ➔ shortcut
DEMO ● bundle server access_rules: "/var/cfengine/priv/$(connection.key)/shadow" shortcut => "myshadow", admit_keys => { "$(connection.key)" }; ● Agent policy: “/etc/shadow” => remote_cp( “myshadow”, “$(sys.policy_hub)” ); ● Equivalent to “/etc/shadow” => remote_cp( “/var/cfengine/priv/MD5=.../shadow”, “$(sys.policy_hub)” );
Bootstrapping Trust TLS Protocol Selective Asset Distribution Diagnosing problems
Diagnosing Problems TODO: Launch verbose server listening on different port, connect from problematic server to that port! … ;-)
Questions? Ideas? Flames?

Recommended

Cfg Mgmtcamp 2015 - Releases
Cfg Mgmtcamp 2015 - ReleasesCfg Mgmtcamp 2015 - Releases
Cfg Mgmtcamp 2015 - ReleasesCFEngine
 
15 most valuable reports with CFEngine
15 most valuable reports with CFEngine15 most valuable reports with CFEngine
15 most valuable reports with CFEngineCFEngine
 
Introduction to CFEngine Enterprise 3.6.0 Webinar
Introduction to CFEngine Enterprise 3.6.0 WebinarIntroduction to CFEngine Enterprise 3.6.0 Webinar
Introduction to CFEngine Enterprise 3.6.0 WebinarCFEngine
 
cPanel conf 2017 - How to Speak cPanel
cPanel conf 2017 - How to Speak cPanelcPanel conf 2017 - How to Speak cPanel
cPanel conf 2017 - How to Speak cPanelcPanel
 
TYPO3 Performance (T3DD18)
TYPO3 Performance (T3DD18)TYPO3 Performance (T3DD18)
TYPO3 Performance (T3DD18)Marcus Schwemer
 
SAP LVM Custom Operations
SAP LVM Custom OperationsSAP LVM Custom Operations
SAP LVM Custom OperationsAliter Consulting
 
SAP Host Agent x509 authentication
SAP Host Agent x509 authenticationSAP Host Agent x509 authentication
SAP Host Agent x509 authenticationAliter Consulting
 
SAP LVM Post Copy Automation Integration
SAP LVM Post Copy Automation IntegrationSAP LVM Post Copy Automation Integration
SAP LVM Post Copy Automation IntegrationAliter Consulting
 

Recommended

Cfg Mgmtcamp 2015 - Releases
Cfg Mgmtcamp 2015 - ReleasesCfg Mgmtcamp 2015 - Releases
Cfg Mgmtcamp 2015 - ReleasesCFEngine
 
15 most valuable reports with CFEngine
15 most valuable reports with CFEngine15 most valuable reports with CFEngine
15 most valuable reports with CFEngineCFEngine
 
Introduction to CFEngine Enterprise 3.6.0 Webinar
Introduction to CFEngine Enterprise 3.6.0 WebinarIntroduction to CFEngine Enterprise 3.6.0 Webinar
Introduction to CFEngine Enterprise 3.6.0 WebinarCFEngine
 
cPanel conf 2017 - How to Speak cPanel
cPanel conf 2017 - How to Speak cPanelcPanel conf 2017 - How to Speak cPanel
cPanel conf 2017 - How to Speak cPanelcPanel
 
TYPO3 Performance (T3DD18)
TYPO3 Performance (T3DD18)TYPO3 Performance (T3DD18)
TYPO3 Performance (T3DD18)Marcus Schwemer
 
SAP LVM Custom Operations
SAP LVM Custom OperationsSAP LVM Custom Operations
SAP LVM Custom OperationsAliter Consulting
 
SAP Host Agent x509 authentication
SAP Host Agent x509 authenticationSAP Host Agent x509 authentication
SAP Host Agent x509 authenticationAliter Consulting
 
SAP LVM Post Copy Automation Integration
SAP LVM Post Copy Automation IntegrationSAP LVM Post Copy Automation Integration
SAP LVM Post Copy Automation IntegrationAliter Consulting
 
Getting started with CFEngine - Webinar
Getting started with CFEngine - WebinarGetting started with CFEngine - Webinar
Getting started with CFEngine - WebinarCFEngine
 
Splunk conf2014 - Using Selenium and Splunk for Transaction Monitoring Insight
Splunk conf2014 - Using Selenium and Splunk for Transaction Monitoring InsightSplunk conf2014 - Using Selenium and Splunk for Transaction Monitoring Insight
Splunk conf2014 - Using Selenium and Splunk for Transaction Monitoring InsightSplunk
 
Smuggling TCP traffic through HTTP
Smuggling TCP traffic through HTTPSmuggling TCP traffic through HTTP
Smuggling TCP traffic through HTTPDávid Halász
 
Webmin configuration in Linux
Webmin configuration in LinuxWebmin configuration in Linux
Webmin configuration in LinuxThamizharasan P
 
How to install and configure LEMP stack
How to install and configure LEMP stackHow to install and configure LEMP stack
How to install and configure LEMP stackRootGate
 
Install vtiger crm version 6
Install vtiger crm version 6Install vtiger crm version 6
Install vtiger crm version 6Boy Giwgiw
 
Bluemix - Deploying a Java Web Application
Bluemix - Deploying a Java Web ApplicationBluemix - Deploying a Java Web Application
Bluemix - Deploying a Java Web ApplicationCraig Trim
 
Releases - CFEngine presentation - Configuration Management Camp 2015
Releases - CFEngine presentation - Configuration Management Camp 2015Releases - CFEngine presentation - Configuration Management Camp 2015
Releases - CFEngine presentation - Configuration Management Camp 2015kacfengine
 
Automated deployments using envoy by John Blackmore
Automated deployments using envoy by John BlackmoreAutomated deployments using envoy by John Blackmore
Automated deployments using envoy by John BlackmoreTechExeter
 
Class.devops.chapter.1.intro
Class.devops.chapter.1.introClass.devops.chapter.1.intro
Class.devops.chapter.1.introRoss Tang
 
UEMB260: Provisioning: Under the Hood
UEMB260: Provisioning: Under the HoodUEMB260: Provisioning: Under the Hood
UEMB260: Provisioning: Under the HoodIvanti
 
Joomlasitein60 Part1
Joomlasitein60 Part1Joomlasitein60 Part1
Joomlasitein60 Part1Linda Coonen
 
Presentation of Performance Vision Version 3.3
Presentation of Performance Vision Version 3.3Presentation of Performance Vision Version 3.3
Presentation of Performance Vision Version 3.3PerformanceVision (previously SecurActive)
 
Nodes Roadmap Linked via cPanel
Nodes Roadmap Linked via cPanelNodes Roadmap Linked via cPanel
Nodes Roadmap Linked via cPanelHTS Hosting
 
New features in PMTA 5.0
New features in PMTA 5.0New features in PMTA 5.0
New features in PMTA 5.0SparkPost
 
Just Enough Administration: Introduction - PowerShell Meetup UY
Just Enough Administration: Introduction - PowerShell Meetup UYJust Enough Administration: Introduction - PowerShell Meetup UY
Just Enough Administration: Introduction - PowerShell Meetup UYVictor Silva
 
SAP LVM Custom Instances
SAP LVM Custom InstancesSAP LVM Custom Instances
SAP LVM Custom InstancesAliter Consulting
 
clustering and load balancing
clustering and load balancingclustering and load balancing
clustering and load balancingPrabhat gangwar
 
Cfengine presentation at the RMLL
Cfengine presentation at the RMLLCfengine presentation at the RMLL
Cfengine presentation at the RMLLRUDDER
 
CFEngine - company, mission, offering and partners
CFEngine - company, mission, offering and partnersCFEngine - company, mission, offering and partners
CFEngine - company, mission, offering and partnersRUDDER
 
Configuration management 101 - A tale of disaster recovery using CFEngine 3
Configuration management 101 - A tale of disaster recovery using CFEngine 3Configuration management 101 - A tale of disaster recovery using CFEngine 3
Configuration management 101 - A tale of disaster recovery using CFEngine 3RUDDER
 
Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...RUDDER
 

More Related Content

What's hot

Getting started with CFEngine - Webinar
Getting started with CFEngine - WebinarGetting started with CFEngine - Webinar
Getting started with CFEngine - WebinarCFEngine
 
Splunk conf2014 - Using Selenium and Splunk for Transaction Monitoring Insight
Splunk conf2014 - Using Selenium and Splunk for Transaction Monitoring InsightSplunk conf2014 - Using Selenium and Splunk for Transaction Monitoring Insight
Splunk conf2014 - Using Selenium and Splunk for Transaction Monitoring InsightSplunk
 
Smuggling TCP traffic through HTTP
Smuggling TCP traffic through HTTPSmuggling TCP traffic through HTTP
Smuggling TCP traffic through HTTPDávid Halász
 
Webmin configuration in Linux
Webmin configuration in LinuxWebmin configuration in Linux
Webmin configuration in LinuxThamizharasan P
 
How to install and configure LEMP stack
How to install and configure LEMP stackHow to install and configure LEMP stack
How to install and configure LEMP stackRootGate
 
Install vtiger crm version 6
Install vtiger crm version 6Install vtiger crm version 6
Install vtiger crm version 6Boy Giwgiw
 
Bluemix - Deploying a Java Web Application
Bluemix - Deploying a Java Web ApplicationBluemix - Deploying a Java Web Application
Bluemix - Deploying a Java Web ApplicationCraig Trim
 
Releases - CFEngine presentation - Configuration Management Camp 2015
Releases - CFEngine presentation - Configuration Management Camp 2015Releases - CFEngine presentation - Configuration Management Camp 2015
Releases - CFEngine presentation - Configuration Management Camp 2015kacfengine
 
Automated deployments using envoy by John Blackmore
Automated deployments using envoy by John BlackmoreAutomated deployments using envoy by John Blackmore
Automated deployments using envoy by John BlackmoreTechExeter
 
Class.devops.chapter.1.intro
Class.devops.chapter.1.introClass.devops.chapter.1.intro
Class.devops.chapter.1.introRoss Tang
 
UEMB260: Provisioning: Under the Hood
UEMB260: Provisioning: Under the HoodUEMB260: Provisioning: Under the Hood
UEMB260: Provisioning: Under the HoodIvanti
 
Joomlasitein60 Part1
Joomlasitein60 Part1Joomlasitein60 Part1
Joomlasitein60 Part1Linda Coonen
 
Nodes Roadmap Linked via cPanel
Nodes Roadmap Linked via cPanelNodes Roadmap Linked via cPanel
Nodes Roadmap Linked via cPanelHTS Hosting
 
New features in PMTA 5.0
New features in PMTA 5.0New features in PMTA 5.0
New features in PMTA 5.0SparkPost
 
Just Enough Administration: Introduction - PowerShell Meetup UY
Just Enough Administration: Introduction - PowerShell Meetup UYJust Enough Administration: Introduction - PowerShell Meetup UY
Just Enough Administration: Introduction - PowerShell Meetup UYVictor Silva
 
clustering and load balancing
clustering and load balancingclustering and load balancing
clustering and load balancingPrabhat gangwar
 

What's hot (18)

Getting started with CFEngine - Webinar
Getting started with CFEngine - WebinarGetting started with CFEngine - Webinar
Getting started with CFEngine - Webinar
 
Splunk conf2014 - Using Selenium and Splunk for Transaction Monitoring Insight
Splunk conf2014 - Using Selenium and Splunk for Transaction Monitoring InsightSplunk conf2014 - Using Selenium and Splunk for Transaction Monitoring Insight
Splunk conf2014 - Using Selenium and Splunk for Transaction Monitoring Insight
 
Smuggling TCP traffic through HTTP
Smuggling TCP traffic through HTTPSmuggling TCP traffic through HTTP
Smuggling TCP traffic through HTTP
 
Webmin configuration in Linux
Webmin configuration in LinuxWebmin configuration in Linux
Webmin configuration in Linux
 
How to install and configure LEMP stack
How to install and configure LEMP stackHow to install and configure LEMP stack
How to install and configure LEMP stack
 
Install vtiger crm version 6
Install vtiger crm version 6Install vtiger crm version 6
Install vtiger crm version 6
 
Bluemix - Deploying a Java Web Application
Bluemix - Deploying a Java Web ApplicationBluemix - Deploying a Java Web Application
Bluemix - Deploying a Java Web Application
 
Releases - CFEngine presentation - Configuration Management Camp 2015
Releases - CFEngine presentation - Configuration Management Camp 2015Releases - CFEngine presentation - Configuration Management Camp 2015
Releases - CFEngine presentation - Configuration Management Camp 2015
 
Automated deployments using envoy by John Blackmore
Automated deployments using envoy by John BlackmoreAutomated deployments using envoy by John Blackmore
Automated deployments using envoy by John Blackmore
 
Class.devops.chapter.1.intro
Class.devops.chapter.1.introClass.devops.chapter.1.intro
Class.devops.chapter.1.intro
 
UEMB260: Provisioning: Under the Hood
UEMB260: Provisioning: Under the HoodUEMB260: Provisioning: Under the Hood
UEMB260: Provisioning: Under the Hood
 
Joomlasitein60 Part1
Joomlasitein60 Part1Joomlasitein60 Part1
Joomlasitein60 Part1
 
Presentation of Performance Vision Version 3.3
Presentation of Performance Vision Version 3.3Presentation of Performance Vision Version 3.3
Presentation of Performance Vision Version 3.3
 
Nodes Roadmap Linked via cPanel
Nodes Roadmap Linked via cPanelNodes Roadmap Linked via cPanel
Nodes Roadmap Linked via cPanel
 
New features in PMTA 5.0
New features in PMTA 5.0New features in PMTA 5.0
New features in PMTA 5.0
 
Just Enough Administration: Introduction - PowerShell Meetup UY
Just Enough Administration: Introduction - PowerShell Meetup UYJust Enough Administration: Introduction - PowerShell Meetup UY
Just Enough Administration: Introduction - PowerShell Meetup UY
 
SAP LVM Custom Instances
SAP LVM Custom InstancesSAP LVM Custom Instances
SAP LVM Custom Instances
 
clustering and load balancing
clustering and load balancingclustering and load balancing
clustering and load balancing
 

Viewers also liked

Cfengine presentation at the RMLL
Cfengine presentation at the RMLLCfengine presentation at the RMLL
Cfengine presentation at the RMLLRUDDER
 
CFEngine - company, mission, offering and partners
CFEngine - company, mission, offering and partnersCFEngine - company, mission, offering and partners
CFEngine - company, mission, offering and partnersRUDDER
 
Configuration management 101 - A tale of disaster recovery using CFEngine 3
Configuration management 101 - A tale of disaster recovery using CFEngine 3Configuration management 101 - A tale of disaster recovery using CFEngine 3
Configuration management 101 - A tale of disaster recovery using CFEngine 3RUDDER
 
Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...RUDDER
 
Using ncf building blocks to help writing CFEngine policies
Using ncf building blocks to help writing CFEngine policiesUsing ncf building blocks to help writing CFEngine policies
Using ncf building blocks to help writing CFEngine policiesRUDDER
 

Viewers also liked (6)

Cfengine presentation at the RMLL
Cfengine presentation at the RMLLCfengine presentation at the RMLL
Cfengine presentation at the RMLL
 
CFEngine - company, mission, offering and partners
CFEngine - company, mission, offering and partnersCFEngine - company, mission, offering and partners
CFEngine - company, mission, offering and partners
 
Configuration management 101 - A tale of disaster recovery using CFEngine 3
Configuration management 101 - A tale of disaster recovery using CFEngine 3Configuration management 101 - A tale of disaster recovery using CFEngine 3
Configuration management 101 - A tale of disaster recovery using CFEngine 3
 
Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...Configuration management: automating and rationalizing server setup with CFEn...
Configuration management: automating and rationalizing server setup with CFEn...
 
CFEngine 3
CFEngine 3CFEngine 3
CFEngine 3
 
Using ncf building blocks to help writing CFEngine policies
Using ncf building blocks to help writing CFEngine policiesUsing ncf building blocks to help writing CFEngine policies
Using ncf building blocks to help writing CFEngine policies
 

Similar to Config Management Camp 2015 - How to Deploy CFEngine in the Open Internet

Upgrading from CFEngine2 to CFEngine3 - Webinar Slides
Upgrading from CFEngine2 to CFEngine3 - Webinar SlidesUpgrading from CFEngine2 to CFEngine3 - Webinar Slides
Upgrading from CFEngine2 to CFEngine3 - Webinar SlidesCFEngine
 
How to test if Cloudflare is running live for your website
How to test if Cloudflare is running live for your websiteHow to test if Cloudflare is running live for your website
How to test if Cloudflare is running live for your websiteVu Long Tran
 
20190727 HashiCorp Consul Workshop: 管管你們家 config 啦
20190727 HashiCorp Consul Workshop: 管管你們家 config 啦20190727 HashiCorp Consul Workshop: 管管你們家 config 啦
20190727 HashiCorp Consul Workshop: 管管你們家 config 啦Jiun-Yi Chen
 
Setting up your Multi Engine Environment - Apache Railo and ColdFusion
Setting up your Multi Engine Environment - Apache Railo and ColdFusionSetting up your Multi Engine Environment - Apache Railo and ColdFusion
Setting up your Multi Engine Environment - Apache Railo and ColdFusionGavin Pickin
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Conrad Cruz
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringConrad Cruz
 
Cf Summit East 2018 Scaling ColdFusion
Cf Summit East 2018 Scaling ColdFusionCf Summit East 2018 Scaling ColdFusion
Cf Summit East 2018 Scaling ColdFusionmcollinsCF
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing ReportAman Srivastava
 
ITB2019 Scaling with CommandBox in Production! - Brad Wood
ITB2019 Scaling with CommandBox in Production! - Brad WoodITB2019 Scaling with CommandBox in Production! - Brad Wood
ITB2019 Scaling with CommandBox in Production! - Brad WoodOrtus Solutions, Corp
 
Build & deploy PHP application (intro level)
Build & deploy PHP application (intro level)Build & deploy PHP application (intro level)
Build & deploy PHP application (intro level)Anton Babenko
 
Deploying Symfony | symfony.cat
Deploying Symfony | symfony.catDeploying Symfony | symfony.cat
Deploying Symfony | symfony.catPablo Godel
 
Service discovery like a pro (presented at reversimX)
Service discovery like a pro (presented at reversimX)Service discovery like a pro (presented at reversimX)
Service discovery like a pro (presented at reversimX)Eran Harel
 
Getting Started With CFEngine - Updated Version
Getting Started With CFEngine - Updated VersionGetting Started With CFEngine - Updated Version
Getting Started With CFEngine - Updated VersionCFEngine
 
Itb2018 cf apps to dev to production with command box cf-config docker
Itb2018 cf apps to dev to production with command box cf-config dockerItb2018 cf apps to dev to production with command box cf-config docker
Itb2018 cf apps to dev to production with command box cf-config dockerOrtus Solutions, Corp
 
[MathWorks] Versioning Infrastructure
[MathWorks] Versioning Infrastructure[MathWorks] Versioning Infrastructure
[MathWorks] Versioning InfrastructurePerforce
 
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Bastian Feder
 

Similar to Config Management Camp 2015 - How to Deploy CFEngine in the Open Internet (20)

Upgrading from CFEngine2 to CFEngine3 - Webinar Slides
Upgrading from CFEngine2 to CFEngine3 - Webinar SlidesUpgrading from CFEngine2 to CFEngine3 - Webinar Slides
Upgrading from CFEngine2 to CFEngine3 - Webinar Slides
 
Locking Down CF Servers
Locking Down CF ServersLocking Down CF Servers
Locking Down CF Servers
 
How to test if Cloudflare is running live for your website
How to test if Cloudflare is running live for your websiteHow to test if Cloudflare is running live for your website
How to test if Cloudflare is running live for your website
 
Locking Down CF Servers
Locking Down CF ServersLocking Down CF Servers
Locking Down CF Servers
 
It gilde 20150209
It gilde 20150209It gilde 20150209
It gilde 20150209
 
20190727 HashiCorp Consul Workshop: 管管你們家 config 啦
20190727 HashiCorp Consul Workshop: 管管你們家 config 啦20190727 HashiCorp Consul Workshop: 管管你們家 config 啦
20190727 HashiCorp Consul Workshop: 管管你們家 config 啦
 
Setting up your Multi Engine Environment - Apache Railo and ColdFusion
Setting up your Multi Engine Environment - Apache Railo and ColdFusionSetting up your Multi Engine Environment - Apache Railo and ColdFusion
Setting up your Multi Engine Environment - Apache Railo and ColdFusion
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
 
Cf Summit East 2018 Scaling ColdFusion
Cf Summit East 2018 Scaling ColdFusionCf Summit East 2018 Scaling ColdFusion
Cf Summit East 2018 Scaling ColdFusion
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
 
ITB2019 Scaling with CommandBox in Production! - Brad Wood
ITB2019 Scaling with CommandBox in Production! - Brad WoodITB2019 Scaling with CommandBox in Production! - Brad Wood
ITB2019 Scaling with CommandBox in Production! - Brad Wood
 
Build & deploy PHP application (intro level)
Build & deploy PHP application (intro level)Build & deploy PHP application (intro level)
Build & deploy PHP application (intro level)
 
Deploying Symfony | symfony.cat
Deploying Symfony | symfony.catDeploying Symfony | symfony.cat
Deploying Symfony | symfony.cat
 
Service discovery like a pro (presented at reversimX)
Service discovery like a pro (presented at reversimX)Service discovery like a pro (presented at reversimX)
Service discovery like a pro (presented at reversimX)
 
Getting Started With CFEngine - Updated Version
Getting Started With CFEngine - Updated VersionGetting Started With CFEngine - Updated Version
Getting Started With CFEngine - Updated Version
 
Itb2018 cf apps to dev to production with command box cf-config docker
Itb2018 cf apps to dev to production with command box cf-config dockerItb2018 cf apps to dev to production with command box cf-config docker
Itb2018 cf apps to dev to production with command box cf-config docker
 
[MathWorks] Versioning Infrastructure
[MathWorks] Versioning Infrastructure[MathWorks] Versioning Infrastructure
[MathWorks] Versioning Infrastructure
 
EC CUBE 3.0.x installation guide
EC CUBE 3.0.x installation guideEC CUBE 3.0.x installation guide
EC CUBE 3.0.x installation guide
 
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
Advanced Eclipse Workshop (held at IPC2010 -spring edition-)
 

Recently uploaded

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 

Recently uploaded (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

Config Management Camp 2015 - How to Deploy CFEngine in the Open Internet

  • 1. How to Deploy CFEngine in the Open Internet Dimitrios Apostolou jimis@cfengine.com CFEngine AS
  • 2. Bootstrapping Trust TLS Protocol Selective Asset Distribution Diagnosing problems
  • 3. Bootstrapping Trust TLS Protocol Selective Asset Distribution Diagnosing problems
  • 4. How do I start with CFEngine? You “bootstrap”...
  • 5. cf-agent --bootstrap 1.2.3.4 ● Removes all inputs/ ● Generates inputs/failsafe.cf ● Checks if address provided is local; if so: ● Sets am_policy_hub ● Touches state/am_policy_hub ● Checks existence of masterfiles/promises.cf ● Writes policy_server.dat ● Evaluates failsafe.cf
  • 6. failsafe.cf ● Runs cf-key, i.e. generates ppkeys/localhost.{priv,pub} ● inputs => copy_from hub:/var/cfengine/masterfiles ● cf-execd ● cf-agent -f update.cf
  • 7. In broad terms, bootstrapping ensures that: ● Policy is copied over from the Hub ● Executor is started ● Agent trusts the Hub
  • 8. Bootstrapping Trust TLS Protocol Selective Asset Distribution Diagnosing problems
  • 9. Peer's identity: MD5-0123456789abcdef.pub # cf-key -p /var/cfengine/ppkeys/localhost.pub MD5=839bfd0b494358fe67aaf9a607246c41 ➢ A peer trusts all identities that are in ppkeys/ ➢ A peer does not trust anybody else. ● SSH-like: No certificates, no CAs, no CRLs ● SSH-unlike: Two-way trust
  • 10. Trust Establishment body copy_from: ➔ trustkey => “true”; #failsafe.cf body server control: ➔ trustkeysfrom => {“0.0.0.0/0”}; All connecting peers are always accepted and key is stored as trusted.
  • 11. Trust Established body copy_from: ➔ trustkey => “false”; #default body server control: ➔ trustkeysfrom => {}; Any connecting peer with an unknown key is immediately rejected.
  • 12. Trust revocation ● Keep your trustkeysfrom list empty and your ACLs closed down ● Delete respective key file
  • 13. Standard bootstrapping (easiest) (1) Ensure protected internal network (2) Automatically bootstrap each client (tip: visually verify MD5 IDs) (3) Empty trustkeysfrom and close-down the rest of the ACLs (allowconnects mostly) Note: Client can then be deployed anywhere and even change address, keys are not attached to IPs.
  • 14. Standard bootstrapping (easiest) (1) Ensure protected internal network (2) Automatically bootstrap each client (tip: visually verify MD5 IDs) (3) Empty trustkeysfrom and close-down the rest of the ACLs (allowconnects mostly) Note: Client can then be deployed anywhere and even change address, keys are not attached to IPs. –- Not recommended in the Open Internet ---
  • 15. Alternative ways to bootstrap Run from the hub: cf-runagent -i -H $CLIENTIP Manually exchange keys: DEMO
  • 16. DEMO ● Hub up and running, properly secured (failsafe.cf, update.cf, promises.cf, cf_serverd.cf) ➢ failsafe.cf changed and served in masterfiles ● Client: cf-key # generate key pair ● Client: echo $HUB_IP > policy_server.dat ● Copy failsafe.cf to client's inputs ● Client: running failsafe.cf fails, must copy keys ● cf-key -p gives the MD5 ID of the key ● scp localhost.pub $CLIENT_IP:root-MD5=aaaa.pub ● scp $CLIENT_IP:localhost.pub root-MD5=bbbb.pub ● Client: cf-agent -f failsafe.cf # Success!
  • 17. Bootstrapping Trust TLS Protocol Selective Asset Distribution Diagnosing problems
  • 18. Why prefer TLS? ● Fully encrypted and integrity checked channel ● Frequently attacked ● Frequently updated ● Industry standard ● Slightly faster (more optimised code), higher grade ciphers ● User experience remains the same – same old trust model, no certificates, no CAs, no CRLs
  • 19. How to enforce TLS in CFEngine body common control in promises.cf, update.cf, failsafe.cf: ➔ protocol_version => “latest” ➔ trustkey => ”false” body server control: ➔ allowlegacyconnects => {}
  • 20. Plan is to extend TLS support ● Support new versions of the TLS spec ● More configurability (ciphers, versions etc) ● Change to TLS as default
  • 21. Bootstrapping Trust TLS Protocol Selective Asset Distribution Diagnosing problems
  • 22. Generic Guideline ● Do not distribute secrets in the policy ➢ Can't avoid secrets' distribution? Encrypt using client's public key, decrypt using clients's private key cf-keycrypt (community effort) https://github.com/cfengineers-net/cf-keycrypt
  • 23. There are cases that even not-so-sensitive data needs to be protected, e.g. password hashes ● bundle server access_rules: ➔ admit_keys ➔ shortcut
  • 24. DEMO ● bundle server access_rules: "/var/cfengine/priv/$(connection.key)/shadow" shortcut => "myshadow", admit_keys => { "$(connection.key)" }; ● Agent policy: “/etc/shadow” => remote_cp( “myshadow”, “$(sys.policy_hub)” ); ● Equivalent to “/etc/shadow” => remote_cp( “/var/cfengine/priv/MD5=.../shadow”, “$(sys.policy_hub)” );
  • 25. Bootstrapping Trust TLS Protocol Selective Asset Distribution Diagnosing problems
  • 26. Diagnosing Problems TODO: Launch verbose server listening on different port, connect from problematic server to that port! … ;-)