Automating the manual - feedback on including existing systems in configuration management
Transcript of Automating the manual - feedback on including existing systems in configuration management
Normation – CC-BY-SA – normation.com
Including existing systems in configuration management
Nicolas CHARLES, [email protected], @nico_charles
Issue
Most systems are still not automatically managed
● Configuration management has recently become mainstream
● It's not yet a habit
● A lot of running systems predate configuration management
● Lack of upgrade paths (dependencies on dead applications)
● Systems that cannot be modified (lost knowledge)
● Systems with stale errors that no-one can fix
Why couldn't we benefit from cfgmgmt on these systems?
Why Rudder?
Rudder is very well suited to this use case
● Supports many different OSes and heterogeneous systems
● Audit mode
● Web interface
● API to add and extract data
Identifying systems
First, identify the systems and their role(s)
● It can be harder than expected
● Some systems may be known only to sub-parts of the team
● Roles may be unknown to most of the team
● Select those in scope for cfgmgmt
● Having an up-to-date CMDB, wiki, spreadsheet… helps a lot
Make a list of these systems
● In a spreadsheet
Inventory systems
Make an inventory of all these systems
● During maintenance windows, install the Rudder agent
● Inventories are sent to the Rudder server
● Extract them through the API into the spreadsheet
● Set these nodes in Audit mode in Rudder
● Validate the roles
    ● Based on installed software and running processes
    ● Based on naming conventions and networks
    ● Based on prior knowledge (expectations may not match reality)
Group the systems
A multidimensional approach to grouping systems
● Per role
    ● Nodes with the same role ought to have 'identical' configuration
● Per security level
    ● Hardening, access rules, authorizations
● Per generation of system installation
    ● Installation procedures, best practices and know-how evolved over time
● Per OS
● Per system type (physical server, embedded device, ...)
Group the systems
Extract common rules
● Based on documented procedures, available know-how and expectations
● List them in the spreadsheet, with:
    ● Detailed description
    ● Groups they should apply to
    ● Status in Rudder (implemented, compliant)
Audit the rules
Configure the Rules and Directives in Rudder
● Use the same names in the spreadsheet and in Rudder
● Put Rules and Directives in Audit mode
● Get the compliance results
● Extract the data using the API
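One way to script the two extraction steps (node inventories from the "Inventory systems" slide, compliance results from this slide) into rows for the tracking spreadsheet, as an added example that is not code from the talk or from the Rudder project. It assumes the Rudder REST API's `X-API-Token` header and its `nodes` and `compliance/rules` endpoints as documented in the Rudder API reference; the two payloads at the bottom are constructed, trimmed samples of their JSON, and the exact status strings and nesting may differ by Rudder version, which is why the compliance walk relies only on `name` keys and `reports` lists.

```python
import json
import urllib.request

# Report statuses treated as deviations (assumption: Rudder's status names; adjust
# to your version). In Audit mode the one that matters is "auditNonCompliant".
NON_COMPLIANT = {"auditNonCompliant", "nonCompliant", "error", "missing"}

def fetch(server, token, path):
    """GET a Rudder API endpoint, e.g. fetch(srv, tok, "nodes") (not run here)."""
    req = urllib.request.Request(f"{server}/rudder/api/latest/{path}",
                                 headers={"X-API-Token": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def node_rows(nodes_json):
    """One spreadsheet row per node from the 'nodes' endpoint payload."""
    return [{"id": n["id"], "hostname": n["hostname"],
             "os": n.get("os", {}).get("fullName", ""),
             "policyMode": n.get("policyMode", "default"),
             "software": ";".join(s["name"] for s in n.get("software", []))}
            for n in nodes_json["data"]["nodes"]]

def deviations(obj, path=()):
    """Yield (path of names, expected value, message) for every non-compliant
    report in a compliance payload, whatever nesting (rule/directive/component/
    node) the endpoint uses: only 'name' keys and 'reports' lists are relied on."""
    if isinstance(obj, dict):
        here = path + ((obj["name"],) if "name" in obj else ())
        for r in obj.get("reports", []):
            if r.get("status") in NON_COMPLIANT:
                yield here, obj.get("value", ""), r.get("message", "")
        for k, v in obj.items():
            if k != "reports":
                yield from deviations(v, here)
    elif isinstance(obj, list):
        for item in obj:
            yield from deviations(item, path)

# Constructed, trimmed samples of the two payloads (field names as in the API docs).
SAMPLE_NODES = {"data": {"nodes": [
    {"id": "n1", "hostname": "web01", "policyMode": "audit",
     "os": {"fullName": "Debian 10"}, "software": [{"name": "nginx"}]},
    {"id": "n2", "hostname": "db01", "policyMode": "audit",
     "os": {"fullName": "CentOS 7"}, "software": [{"name": "postgresql"}]}]}}
SAMPLE_COMPLIANCE = {"data": {"rules": [{"name": "SSH hardening", "mode": "audit",
    "directives": [{"name": "sshd config", "components": [{"name": "PermitRootLogin",
        "nodes": [{"name": "web01", "values": [{"value": "no", "reports": [
                      {"status": "auditNonCompliant", "message": "PermitRootLogin is yes"}]}]},
                  {"name": "db01", "values": [{"value": "no", "reports": [
                      {"status": "auditCompliant", "message": "ok"}]}]}]}]}]}]}}
```

The rows from `node_rows` and the tuples from `deviations` feed `csv.DictWriter`/`csv.writer` directly, one sheet for the node list and one for the non-compliances that need a decision.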
Non-compliance
For every non-compliance listed:
● Is it expected?
● Should it be remediated?
    ● Yes, and it's straightforward: switch the Rule from Audit mode to Enforce
    ● You may need to split it in two Rules, one in Audit mode and one in Enforce, and move nodes from one Rule to the other during each maintenance window
    ● Yes, but it has to be done manually: correct it on the node during a maintenance window
    ● Yes, but it's risky: assess the expected risks and benefits
    ● Some exceptions may end up being implemented
Validation
Validate your rules
● Spawn new systems (at least one per group)
● Check they become fully functional
● Detect rogue “live” parameters (like sysctl modified by hand)
● Ensure repeatability
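A check for the "rogue live parameters" item above, as an added example that is not from the talk or from Rudder: it parses the sysctl files a Linux node boots with and compares each configured key with the running kernel's value under /proc/sys, so a parameter changed by hand shows up as drift before the expected value is written into a Rule. It assumes a Linux node with the usual systemd-style sysctl file layout.

```python
import glob
import re

# Files sysctl --system reads at boot (assumption: usual systemd-based Linux layout).
SYSCTL_FILES = ["/run/sysctl.d/*.conf", "/etc/sysctl.d/*.conf",
                "/usr/local/lib/sysctl.d/*.conf", "/usr/lib/sysctl.d/*.conf",
                "/lib/sysctl.d/*.conf", "/etc/sysctl.conf"]

def to_path(key):
    """sysctl key -> /proc/sys path; '/'-style keys keep their dots literal (sysctl(8))."""
    return key if "/" in key else key.replace(".", "/")

def parse_sysctl(text):
    """Parse sysctl.conf lines ('key = value', '#'/';' comments, optional leading '-')."""
    wanted = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^-?\s*([\w./-]+)\s*=\s*(.*)$", line)
        if m:  # later lines override earlier ones, as sysctl --system does
            wanted[to_path(m.group(1))] = " ".join(m.group(2).split())
    return wanted

def configured():
    """Merge every boot-time sysctl file into one expected {path: value} map."""
    wanted = {}
    for pattern in SYSCTL_FILES:
        for path in sorted(glob.glob(pattern)):
            with open(path) as f:
                wanted.update(parse_sysctl(f.read()))
    return wanted

def live_value(path):
    """Read the running kernel's value for one key from /proc/sys."""
    with open("/proc/sys/" + path) as f:
        return " ".join(f.read().split())

def drift(wanted, read=live_value):
    """{path: (expected, actual)} for each key whose live value differs (actual is
    None when the key is absent); pass a dict's __getitem__ as read to test off-box."""
    out = {}
    for path, expected in wanted.items():
        try:
            actual = read(path)
        except (OSError, KeyError):
            actual = None
        if actual != expected:
            out[path] = (expected, actual)
    return out
```

On a node, `drift(configured())` returns every parameter that differs from what the files say; an empty dict means the live kernel matches the boot configuration.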
Time estimate
Rough time estimates
● Identify systems: several hours per team member
    ● You may need to interview all team members
    ● Hidden benefit: it explains the goal to all of them and boosts acceptance of configuration management
● Agent install: 10 minutes to 1 hour per batch
    ● Deploy a repository for each site, install remotely, get the inventories
● Role validation: minutes to days per role
    ● Review procedures, check what is actually on the systems
● Logical system grouping: depends on the number of roles, exceptions and generations
Time estimate
Rough time estimates
● Create the spreadsheet: 4h to several days
    ● Depends on your skill and on the amount of data to store there
● Rule creation: a couple of minutes to hours, depending on complexity
● Measure compliance: 5 minutes to hours per rule
    ● Check what is not compliant, and document it
● Remediation plan: very fast to “rewrite a procedure from scratch”
● Expect surprises
    ● Discover forgotten systems
    ● Discover major compliance issues
Time estimate
There will be delays
● Deal with maintenance windows
● Deal with freeze periods (August in France, December)
● Decisions on non-compliance remediation are not always easy
    ● Stakeholders need to be involved
What are the benefits?
Standard configuration management benefits
● Awareness of your IT
● Improved reliability
● Improved productivity
What are the benefits?
More specific to this case
● Fewer outages due to stale errors
● Fewer outages thanks to uniformity
● Improved RTO (recovery time objective)
● Reduced vulnerability surface
● A base from which to evolve your IT