multiverse docs

This commit is contained in:
Leif Johansson 2013-10-15 10:45:22 +02:00
parent 3d1b26e762
commit 70c7828b0b
2 changed files with 431 additions and 0 deletions

10
docs/Makefile Normal file
View file

@ -0,0 +1,10 @@
.PHONY: all
DOCS := $(wildcard *.mkd)
all: $(DOCS:.mkd=.pdf)
%.pdf: %.mkd
pandoc -o $@ $<
clean:
rm -f *.html *.pdf *~

421
docs/cosmos-puppet-ops.mkd Normal file
View file

@ -0,0 +1,421 @@
% System Operations using Cosmos & Puppet
% Leif Johansson / SUNET / 2013 / v0.0.3
Introduction
============
This document describes how to setup and run systems and service operations for a small to midsized
systems collection while maintaining scalability, security and auditability for changes.
The process described below is based on opensource components and assumes a Linux-based hosting
infrastructure. These limitations could easily be removed though. This document describes the
multiverse template for combining cosmos and puppet.
Design Requirements
===================
The cosmos system has been used to operate security-critical infrastructure for a few years before
it was combined with puppet into the multiverse template.
Several of the design requirements below are fulfilled by comos alone, while some (eg consistency)
are easier to achieve using puppet than with cosmos alone.
Consistency
-----------
Changes should be applied atomically across multiple system components on multiple
physical and logical hosts (aka system state). The change mechanism should permit verification of state
consistency and all modifications should be idempotents, i.e the same operation
performend twice on the same system state should not in itself cause a problem.
Auditability
------------
It must be possible to review changes in advance of applying them to system state. It
must also be possible to trace changes that have already been applied to privileged
system operators.
Authenticity
------------
All changes must be authenticated by private keys in the personal possession of privileged
system operators before applied to system state aswell as at any point in the future.
Simplicity
----------
The system must be simple and must not rely on external services to be online to maintain
state except when new state is being requested and applied. When new state is being requested
external dependencies must be kept to a minimum.
Architecture
============
The basic architecture of puppet is to use a VCS (git) to manage and distribute changes to a
staging area on each managed host. At the staging area the changes are authenticated (using
tag signatures) and if valid, distributed to the host using local rsync. Before and after
hooks (using run-parts) are used to provide programmatic hooks.
Administrative Scope
--------------------
The repository constitutes the administrative domain of a multiverse setup: each host is
connected to (i.e runs cosmos off of) a single GIT repository and derives trust from signed
tags on that repository. A host cannot belong to more than 1 administratve domain but each
administrative domains can host multiple DNS domains - all hosts in a single repository
doesn't need to be in the same zone.
The role of Puppet
------------------
In the multiverse template, the cosmos system is used to authenticate and distribute changes
and prepare the system state for running puppet. Puppet is used to apply idempotent changes
to the system state using "puppet apply".
~~~~~ {.ditaa .no-separation}
+------------+ +------+
| cosmo repo |---->| host |-----+
+------------+ +------+ |
^ |
| |
(change) (manifests)
| |
+--------+ |
| puppet |<---+
+--------+
~~~~~
Note that there is no puppet master in this setup so collective resources cannot be used
in multiverse. Instead 'fabric' is used to provide a simple way to loop over subsets of
the hosts in a managed domain.
Private data (eg system credentials, application passwords, or private keys) are encrypted
to a master host PGP key before stored in the cosmos repo.
System state can be tied to classes used to classify systems into roles (eg "database server"
or "webserver"). System classes can be assigned by regular expressions on the fqdn (eg all
hosts named db-\* is assigned to the "database server" class) using a custom puppet ENC.
The system classes are also made available to 'fabric' in a custom fabfile. Fabric (or fab)
is a simple frontend to ssh that allows an operator to run commands on multiple remote
hosts at once.
Trust
-----
All data in the system is maintained in a cosmos GIT repository. A change is
requested by signing a tag in the repository with a system-wide well-known name-prefix.
The tag name typically includes the date and a counter to make it unique.
The signature on the tag is authenticated against a set of trusted keys maintained in the
repository itself - so that one trusted system operator must be present to authenticate addition or
removal of another trusted system operator. This authentication of tags is done in addition
to authenticating access to the GIT repository when the changes are pushed. Trust is typically
bootstrapped when a repository is first established. This model also serves to provide auditability
of all changes for as long as repository history is retained.
Access to hosts is done through ssh with ssh-key access. The ssh keys are typically maintained
using either puppet or cosmos natively.
Consistency
-----------
As a master-less architecture, multiverse relies on _eventual consistency_: changes will eventually
be applied to all hosts. In such a model it becomes very imporant that changes are idempotent, so
that applying a change multiple times (in an effort to get dependent changes through) won't cause
an issue. Using native cosmos, such changes are achived using timestamp-files that control entry
into code-blocks:
```
stamp="${COSMOS\_BASE}/stamps/foo-v04.stamp"
if ! test -f $stamp; then
# do something here
touch $stamp
fi
```
This pattern is mostly replaced in multiverse by using puppet manifests and modules that
are inherently indempotent but it can nevertheless be a useful addition to the toolchain.
Implementation
==============
Implementation is based on two major components: cosmos and puppet. The cosmos system was
created by Simon Josefsson and Fredrik Tulin as a simple and secure way to distribute files
and run pre- and post-processors (using run-parts). This allows for a simple, yet complete
mechanism for updating system state.
The second component is puppet which is run in masterless (aka puppet apply) mode on files
distributed and authenticated using cosmos. Puppet is a widely deployed way to describe
system state using a set of idempotent operations. In theory, anything that can de done
using puppet can be done using cosmos post-processors but puppet allows for greater
abstraction which greatly increases readability.
The combination of puppet and cosmos is maintained on github in the 'leifj/multiverse'
project.
Operations
==========
Setting up a new administrative domain
--------------------------------------
The simplest way is to clone the multiverse repository. First install 'git'. On ubuntu/debian
this is in the 'git-core' package:
```
# apt-get install git-core
```
Also install 'fabric' - a very useful too for multiple-host-ssh that is integrated into
multiverse. Fabric provides the 'fab' command which will be introduced later on.
```
# apt-get install fabric
```
These two tools (git & fabric) are only needed on mashines where system operators work.
Next clone git://github.com/leifj/multiverse.git - this will form the basis of your cosmos+puppet
repository:
```
# git clone git://github.com/leifj/multiverse.git myproj-cosmos
# cd myproj-cosmos
```
Next rename the upstream from github - you will want to keep this around to get new
features as the multiverse codebase evolves.
```
# git remote rename origin multiverse
```
Now add a new remote pointing to the git repo where you are going to be pushing
changes for your administrative domain. Also add a read-only version of this remote
as 'ro'. The read-only remote is used by multiverse scripts during host bootstrap.
```
# git remote add origin git@yourhost:myproj-cosmos.git
# git remote add ro git://yourhost/myproj-cosmos.git
```
Note that you can maintain your repo on just about any git hosting platform, including
github, gitorius or your own local setup as long as it supports read-only "git://" access
to your repository. It is important that the remotes called 'origin' and 'ro' refer to
your repository and not to anything else (like a private version of multiverse).
Now add at least one key to 'global/overlay/etc/cosmos/keys/' in a file with a .pub extension
(eg 'operator.pub') - the name of the file doesn't matter other than the extension.
```
# cp mykey.pub global/overlay/etc/cosmos/keys/
# git add global/overlay/etc/cosmos/keys/mykey.pub
# git commit -m "initial trust" global/overlay/etc/cosmos/keys/mykey.pub
```
At this point you should create and sign your first tag:
```
# ./bump-tag
```
Make sure that you are using the key whose public key you just added to the repository! You
can now start adding hosts.
Adding a host
-------------
Bootstrapping a host is done using the 'addhost' command:
```
# ./addhost [-b] $fqdn
```
The -b flag causes addhost to attempt to bootstrap cosmos on the remote host using
ssh as root. This requires that root key trust be established in advance. The addhost
command creates and commits the necessary changes to the repository to add a host named
$fqdn. Only fully qualified hostnames should ever be used in cosmos+puppet.
The boostrap process will create a cron-job on $fqdn that runs
```
# cosmos update && cosmos apply
```
every 15 minutes. This should be a good starting point for your domain. Now you may
want to add some 'naming rules'.
Defining naming rules
---------------------
A naming rule is a mapping from a name to a set of puppet classes. These are defined in
the file 'global/overlay/etc/puppet/cosmos-rules.yaml' (linked to the toplevel directory
in multiverse). This is a YAML format file whose keys are regular expressions and whose
values are lists of puppet class definitions. Here is an example that assigns all hosts
with names on the form ns\<number\>.example.com to the 'nameserver' class.
```
'ns[0-9]?.example.com$':
nameserver:
```
Note that the value is a hash with an empty value ('namserver:') and not just a string
value.
Since regular expressions can also match on whole strings so the following is also
valid:
```
smtp.example.com:
mailserver:
relay: smtp.upstream.example.com
```
In this example the mailserver puppet class is given the relay argument (cf puppet
documentation).
Fabric integration
------------------
Given the above example the following command would reload all nameservers:
```
# fab --roles=nameservers -- rndc reload
```
Creating a change-request
-------------------------
After performing whatever changes you want to the reqpository, commit the changes as usual
and then sign an appropriately formatted tag. This last operation is wrapped in the 'bump-tag' command:
```
# git commit -m "some changes" global/overlay/somethig or/other/files
# ./bump-tag
```
The bump-tag command will ask for confirmation before signing and will rely on the git and
gpg commands to create, sign and push the correct tag.
Puppet modules
--------------
Puppet modules can be maintained using a designated cosmos pre-task that reads a file
global/overlay/etc/puppet/cosmos-modules.conf. This file is a simple text-format file
with 3 columns:
```
#
# name source (puppetlabs fq name or git url) upgrade (yes/no)
#
concat puppetlabs/concat no
stdlib puppetlabs/stdlib no
cosmos git://github.com/leifj/puppet-cosmos.git yes
ufw git://github.com/fredrikt/puppet-module-ufw.git yes
apt puppetlabs/apt no
vcsrepo puppetlabs/vcsrepo no
xinetd puppetlabs/xinetd no
#golang elithrar/golang yes
python git://github.com/fredrikt/puppet-python.git yes
hiera-gpg git://github.com/fredrikt/hiera-gpg.git no
```
This is an example file - the first field is the name of the module, the second is
the source: either a puppetlabs path or a git URL. The final field is 'yes' if the
module should be automatically updated or 'no' if it should only be installed. As usual
lines beginning with '#' are silently ignored.
This file is processed in a cosmos pre-hook so the modules should be available for
use in the puppet post-hook. By default the file contains several lines that are
commented out so review this file as you start a new multiverse setup.
In order to add a new module, the best way is to commit a change to this file and
tag this change, allowing time for the module to get installed everywhere before
adding a change that relies on this module.
HOWTO and Common Tasks
======================
Adding a new operator
---------------------
Add the ascii-armoured key in a file in `global/overlay/etc/cosmos/keys` with a `.pub` extension
```
# git add global/overlay/etc/cosmos/keys/thenewoperator.pub
# git commit -m "the new operator" \
global/overlay/etc/cosmos/keys/thenewoperator.pub
# ./bump-tag
```
Removing an operator
--------------------
Identitfy the public key file in `global/overlay/etc/cosmos/keys`
```
# git rm global/overlay/etc/cosmos/keys/X.pub
# git commit -m "remove operator X" \
global/overlay/etc/cosmos/keys/X.pub
# ./bump-tag
```
Changing administrative domain for a host
-----------------------------------------
In the `$new` repository:
```
# ./addhost -b $hostname
# fab -H $hostname chrepo repository:git://other/repo.git
```
In the `$old` repository:
```
# rsync -avz $hostname/ $new/$hostname/
```
In the `$new` repository:
```
# git add $hostname/
# git commit -m "transfer from $old" $hostname
# ./bump-tag
```
In the `$old` repository:
```
# git rm -rf $hostname
# git commit -m "remove $hostname"
# ./bump-tag
```
Reviewing all changes
---------------------
Running a command on multiple hosts
-----------------------------------
On a single host:
```
# fab -H $hostname -- command -a one -b another -c
```
On multiple hosts based on category:
```
# fab --roles=webserver -- ls /tmp
```
On all hosts:
```
# fab -- reboot # danger Will Robinsson!
```