ncorrare.github.io Just another blog. / Building applications that scale through proper scheduling <p><img src="/assets/media/timeshare.jpeg" alt="Joys of timeshare" title="Joys of timeshare" style="float:right; padding:16px" /> As we transtion to building distributed systems, we need to shed some of the anti-patterns of web application development that we have applied for ages. The ease of compute access made most of us think that we can process every job interactively, and when things slow down, we just scale by virtue of adding instances. Now when that wasn’t the case, and scaling compute actually meant that a real estate operation was required (AKA “get more room to get more mainframes”) back in the day, we actually had process differentiation. <a href="https://en.wikipedia.org/wiki/Batch_processing">Batch jobs</a> would run on specific time windows when CPU time was available.</p> <p>Now traditionally, if your application is super complex, you have most likely been through this. You are probably using a message queue or ESB. This post might not be for you. Now if you are still just piling up code in Rails or Node, there are things that you can probably offload as batch (or in my case, parameterized dispatch, but I’ll explain that later). So here I’ve got this <a href="http://library.stn.corrarello.net">library</a> app that I use at home to keep track of my books, and adding a book is, let’s say, a lot of work.</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"> <span class="k">def</span> <span class="nf">create</span><span class="p">(</span><span class="n">isbn</span><span class="p">)</span> <span class="c1">#Check if we got an ISBN</span> <span class="k">unless</span> <span class="n">isbn</span><span class="p">.</span><span class="nf">nil?</span> <span class="c1">#Check if the ISBN exists already</span> <span class="k">if</span> <span class="nb">self</span><span class="p">.</span><span class="nf">by_isbn</span><span class="p">(</span><span class="n">isbn</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">==</span> <span class="kp">false</span> <span class="c1">#Try to retrieve it from openlibrary or fail gracefully</span> <span class="k">begin</span> <span class="n">uri</span> <span class="o">=</span> <span class="no">URI</span><span class="p">(</span><span class="s2">"https://openlibrary.org/api/books?bibkeys=ISBN:</span><span class="si">#{</span><span class="n">isbn</span><span class="si">}</span><span class="s2">&amp;jscmd=data&amp;format=json"</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="no">Net</span><span class="o">::</span><span class="no">HTTP</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">uri</span><span class="p">)</span> <span class="k">rescue</span> <span class="k">return</span> <span class="p">[</span><span class="kp">false</span><span class="p">,</span> <span class="s2">"Cannot connect to OpenLibrary API"</span><span class="p">]</span> <span class="k">end</span> <span class="k">if</span> <span class="n">response</span> <span class="o">!=</span> <span class="kp">nil</span> <span class="n">key</span><span class="p">,</span> <span class="n">data</span> <span class="o">=</span> <span class="no">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="n">response</span><span class="p">).</span><span class="nf">first</span> <span class="c1">#Sanitize so much data</span> <span class="k">unless</span> <span class="n">data</span><span class="p">.</span><span class="nf">nil?</span> <span class="k">if</span> <span class="n">data</span><span class="p">[</span><span class="s2">"authors"</span><span class="p">].</span><span class="nf">nil?</span> <span class="n">authors</span> <span class="o">=</span> <span class="s1">'Unknown'</span> <span class="k">else</span> <span class="n">authors</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="s2">"authors"</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="s2">"name"</span><span class="p">].</span><span class="nf">to_s</span> <span class="k">end</span> <span class="k">if</span> <span class="n">data</span><span class="p">[</span><span class="s2">"identifiers"</span><span class="p">].</span><span class="nf">key?</span> <span class="s1">'isbn_10'</span> <span class="n">isbnadd</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="s2">"identifiers"</span><span class="p">][</span><span class="s2">"isbn_10"</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="k">else</span> <span class="n">isbnadd</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="s2">"identifiers"</span><span class="p">][</span><span class="s2">"isbn_13"</span><span class="p">][</span><span class="mi">0</span><span class="p">]</span> <span class="k">end</span> <span class="k">if</span> <span class="n">data</span><span class="p">.</span><span class="nf">key?</span> <span class="s1">'cover'</span> <span class="k">if</span> <span class="n">data</span><span class="p">[</span><span class="s2">"cover"</span><span class="p">].</span><span class="nf">key?</span> <span class="s1">'large'</span> <span class="n">image</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="s2">"cover"</span><span class="p">][</span><span class="s2">"large"</span><span class="p">].</span><span class="nf">to_s</span> <span class="k">else</span> <span class="k">if</span> <span class="n">data</span><span class="p">[</span><span class="s2">"cover"</span><span class="p">].</span><span class="nf">key?</span> <span class="s1">'small'</span> <span class="n">image</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="s2">"cover"</span><span class="p">][</span><span class="s2">"small"</span><span class="p">].</span><span class="nf">to_s</span> <span class="k">else</span> <span class="n">image</span> <span class="o">=</span> <span class="s2">"http://104.130.11.24/images/noimage.jpg"</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="k">if</span> <span class="n">data</span><span class="p">.</span><span class="nf">key?</span> <span class="s1">'subtitle'</span> <span class="n">subtitle</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="s2">"subtitle"</span><span class="p">].</span><span class="nf">to_s</span> <span class="k">else</span> <span class="n">subtitle</span> <span class="o">=</span> <span class="s1">'-'</span> <span class="k">end</span> <span class="c1">#Encrypt everything as I'm the tinfoil kind of guy</span> <span class="n">book</span> <span class="o">=</span> <span class="p">{</span> <span class="s2">"isbn"</span> <span class="o">=&gt;</span> <span class="n">isbnadd</span><span class="p">,</span> <span class="s2">"title"</span> <span class="o">=&gt;</span> <span class="vi">@vault</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="s2">"title"</span><span class="p">].</span><span class="nf">to_s</span><span class="p">,</span> <span class="s1">'library'</span><span class="p">,</span> <span class="s1">'morbury'</span><span class="p">),</span> <span class="s2">"thumbnail_url"</span> <span class="o">=&gt;</span> <span class="vi">@vault</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="n">image</span><span class="p">,</span> <span class="s1">'library'</span><span class="p">,</span> <span class="s1">'morbury'</span><span class="p">),</span> <span class="s2">"subtitle"</span> <span class="o">=&gt;</span> <span class="vi">@vault</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="n">subtitle</span><span class="p">,</span> <span class="s1">'library'</span><span class="p">,</span> <span class="s1">'morbury'</span><span class="p">),</span> <span class="s2">"url"</span> <span class="o">=&gt;</span> <span class="vi">@vault</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="s2">"url"</span><span class="p">].</span><span class="nf">to_s</span><span class="p">,</span> <span class="s1">'library'</span><span class="p">,</span> <span class="s1">'morbury'</span><span class="p">),</span> <span class="s2">"publish_date"</span> <span class="o">=&gt;</span> <span class="vi">@vault</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="s2">"publish_date"</span><span class="p">].</span><span class="nf">to_s</span><span class="p">,</span> <span class="s1">'library'</span><span class="p">,</span> <span class="s1">'morbury'</span><span class="p">),</span> <span class="s2">"author"</span> <span class="o">=&gt;</span> <span class="vi">@vault</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="n">authors</span><span class="p">,</span> <span class="s1">'library'</span><span class="p">,</span> <span class="s1">'morbury'</span><span class="p">),</span> <span class="s2">"publishers"</span> <span class="o">=&gt;</span> <span class="vi">@vault</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="s2">"publishers"</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="s2">"name"</span><span class="p">].</span><span class="nf">to_s</span><span class="p">,</span> <span class="s1">'library'</span><span class="p">,</span> <span class="s1">'morbury'</span><span class="p">),</span> <span class="p">}</span> <span class="c1">#Store in Consul</span> <span class="k">if</span> <span class="no">Diplomat</span><span class="o">::</span><span class="no">Kv</span><span class="p">.</span><span class="nf">put</span><span class="p">(</span><span class="s2">"library/</span><span class="si">#{</span><span class="n">isbn</span><span class="si">}</span><span class="s2">"</span><span class="p">,</span> <span class="n">book</span><span class="p">.</span><span class="nf">to_json</span><span class="p">,</span> <span class="p">{</span> <span class="ss">http_addr: </span><span class="no">ENV</span><span class="p">[</span><span class="s1">'CONSUL_HTTP_ADDR'</span><span class="p">],</span> <span class="ss">dc: </span><span class="s2">"stn"</span><span class="p">,</span> <span class="ss">token: </span><span class="vi">@vault</span><span class="p">.</span><span class="nf">getConsulToken</span><span class="p">})</span> <span class="k">return</span> <span class="p">[</span><span class="kp">true</span><span class="p">,</span> <span class="n">isbn</span><span class="p">]</span> <span class="k">else</span> <span class="k">return</span> <span class="p">[</span><span class="kp">false</span><span class="p">,</span> <span class="s2">"Error storing book with ISBN </span><span class="si">#{</span><span class="n">isbn</span><span class="si">}</span><span class="s2">"</span><span class="p">]</span> <span class="k">end</span> <span class="k">else</span> <span class="k">return</span> <span class="p">[</span><span class="kp">false</span><span class="p">,</span> <span class="s2">"Book not found in the OpenLibrary API"</span><span class="p">]</span> <span class="k">end</span> <span class="k">else</span> <span class="k">return</span> <span class="p">[</span><span class="kp">false</span><span class="p">,</span> <span class="s2">"Book not found in the OpenLibrary API"</span><span class="p">]</span> <span class="k">end</span> <span class="k">else</span> <span class="k">return</span> <span class="p">[</span><span class="kp">false</span><span class="p">,</span> <span class="s2">"ISBN already exist"</span><span class="p">]</span> <span class="k">end</span> <span class="k">else</span> <span class="k">return</span> <span class="p">[</span><span class="kp">false</span><span class="p">,</span> <span class="s2">"ISBN cannot be empty"</span><span class="p">]</span> <span class="k">end</span> <span class="k">end</span> </code></pre></figure> <p>Now from a user perspective, sure I’m going to see the spinning wheel for a while, but from a compute perspective, it is even worse as I’m wasting a thread that could be used for interactive traffic. Then again I could spawn a thread in the system, but the Linux scheduler has a somewhat “local” view of the world as it would be expected. So how about a scheduler that has a more global view? Weren’t you all using Kubernetes? Well not me, clearly, but then again this pattern would work with any scheduler.</p> <p>Nomad has this functionality of dispatching a previously defined job, with an added parameter. So if I wanted to do a “distributed” ping</p> <figure class="highlight"><pre><code class="language-hcl" data-lang="hcl">job "ping" { region = "uk" type = "batch" datacenters = ["dc1"] parameterized { payload = "forbidden" meta_required = ["ADDRESS"] } group "ping" { count = 1 task "ping" { driver = "exec" config { command = "ping" args = ["-c10", "${NOMAD_META_ADDRESS}"] } resources { cpu = 100 # Mhz memory = 128 # MB network { mbits = 10 } } } } }</code></pre></figure> <p>and I can dispatch it using the CLI like so:</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>nomad job dispatch <span class="nt">-meta</span> <span class="nv">ADDRESS</span><span class="o">=</span>192.168.50.1 ping Dispatched Job ID <span class="o">=</span> ping/dispatch-1563272947-f0762778 Evaluation ID <span class="o">=</span> 3837a46e <span class="o">==&gt;</span> Monitoring evaluation <span class="s2">"3837a46e"</span> Evaluation triggered by job <span class="s2">"ping/dispatch-1563272947-f0762778"</span> Allocation <span class="s2">"5a261c73"</span> created: node <span class="s2">"6c2b39dc"</span>, group <span class="s2">"ping"</span> Evaluation status changed: <span class="s2">"pending"</span> -&gt; <span class="s2">"complete"</span> <span class="o">==&gt;</span> Evaluation <span class="s2">"3837a46e"</span> finished with status <span class="s2">"complete"</span> <span class="err">$</span></code></pre></figure> <p>And the result would be something like:</p> <p><img src="/assets/media/dispatchping.gif" alt="Scalable pings" /></p> <p>In my case… I’d spawn a Nomad Job upon receiving an API Call:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span class="n">post</span> <span class="s1">'/v1/books/:isbn'</span> <span class="k">do</span> <span class="n">content_type</span> <span class="ss">:json</span> <span class="n">key</span> <span class="o">=</span> <span class="n">params</span><span class="p">[</span><span class="s1">'key'</span><span class="p">]</span> <span class="k">if</span> <span class="n">key</span> <span class="o">==</span> <span class="vc">@@vault</span><span class="p">.</span><span class="nf">getAPIKey</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="ss">:Meta</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="ss">:ISBN</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="p">[</span><span class="s1">'isbn'</span><span class="p">]</span> <span class="p">}</span> <span class="p">}.</span><span class="nf">to_json</span> <span class="k">if</span> <span class="vc">@@books</span><span class="p">.</span><span class="nf">by_isbn</span><span class="p">(</span><span class="n">params</span><span class="p">[</span><span class="s1">'isbn'</span><span class="p">])[</span><span class="mi">0</span><span class="p">].</span><span class="nf">to_s</span> <span class="o">==</span> <span class="s1">'false'</span> <span class="n">dispatchkey</span> <span class="o">=</span> <span class="vc">@@vault</span><span class="p">.</span><span class="nf">getNomadDispatchToken</span> <span class="k">begin</span> <span class="n">uri</span> <span class="o">=</span> <span class="no">URI</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="s2">"http://nomad.service.consul:4646/v1/job/addbook/dispatch"</span><span class="p">)</span> <span class="n">header</span> <span class="o">=</span> <span class="p">{</span><span class="s1">'X-Nomad-Token'</span><span class="p">:</span> <span class="n">dispatchkey</span><span class="p">}</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span> <span class="s2">"Making request to Nomad to add Book </span><span class="si">#{</span><span class="n">params</span><span class="p">[</span><span class="s1">'isbn'</span><span class="p">]</span><span class="si">}</span><span class="s2">"</span> <span class="n">http</span> <span class="o">=</span> <span class="no">Net</span><span class="o">::</span><span class="no">HTTP</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">uri</span><span class="p">.</span><span class="nf">host</span><span class="p">,</span> <span class="n">uri</span><span class="p">.</span><span class="nf">port</span><span class="p">)</span> <span class="n">request</span> <span class="o">=</span> <span class="no">Net</span><span class="o">::</span><span class="no">HTTP</span><span class="o">::</span><span class="no">Post</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">uri</span><span class="p">.</span><span class="nf">request_uri</span><span class="p">,</span> <span class="n">header</span><span class="p">)</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span> <span class="n">payload</span> <span class="n">request</span><span class="p">.</span><span class="nf">body</span> <span class="o">=</span> <span class="n">payload</span> <span class="n">response</span> <span class="o">=</span> <span class="n">http</span><span class="p">.</span><span class="nf">request</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="n">success</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">code</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span> <span class="s2">"Nomad's response is </span><span class="si">#{</span><span class="n">success</span><span class="si">}</span><span class="s2">"</span> <span class="k">rescue</span> <span class="n">message</span> <span class="o">=</span> <span class="p">[</span><span class="kp">false</span><span class="p">,</span> <span class="s2">"Cannot connect to Nomad"</span><span class="p">].</span><span class="nf">to_json</span> <span class="n">status</span> <span class="mi">500</span><span class="p">,</span> <span class="n">message</span> <span class="k">end</span> <span class="k">if</span> <span class="n">success</span><span class="p">.</span><span class="nf">to_s</span> <span class="o">==</span> <span class="s1">'200'</span> <span class="n">jobstatus</span> <span class="o">=</span> <span class="no">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="nf">body</span><span class="p">)</span> <span class="n">readkey</span> <span class="o">=</span> <span class="vc">@@vault</span><span class="p">.</span><span class="nf">getConsulReadToken</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span> <span class="s2">"Job to add isbn </span><span class="si">#{</span><span class="n">params</span><span class="p">[</span><span class="s1">'isbn'</span><span class="p">]</span><span class="si">}</span><span class="s2"> dispatched succesfully"</span> <span class="n">output</span> <span class="o">=</span> <span class="p">[</span><span class="kp">true</span><span class="p">,</span> <span class="n">readkey</span><span class="p">,</span> <span class="n">jobstatus</span><span class="p">].</span><span class="nf">to_json</span> <span class="n">status</span> <span class="mi">200</span> <span class="n">output</span> <span class="k">else</span> <span class="n">halt</span> <span class="mi">500</span><span class="p">,</span> <span class="n">response</span><span class="p">.</span><span class="nf">body</span> <span class="k">end</span> <span class="k">else</span> <span class="n">halt</span> <span class="mi">500</span><span class="p">,</span> <span class="s2">"Book already exists"</span><span class="p">.</span><span class="nf">to_json</span> <span class="k">end</span> <span class="k">else</span> <span class="n">halt</span> <span class="mi">401</span><span class="p">,</span> <span class="s2">"Unauthorized"</span><span class="p">.</span><span class="nf">to_json</span> <span class="k">end</span> <span class="k">end</span></code></pre></figure> <p>As you can see there I’m getting a Consul Token that I’m passing to the UI (it lasts for a minute) and I’m getting another Nomad token from Vault (which expires in 5 minutes) to do the request.</p> <p>Final result looks fantastic</p> <p><img src="/assets/media/librarydispatch.gif" alt="Scalable book adding" /></p> <hr /> <p>About the author: Nicolas Corrarello is the Regional Director for Solutions Engineering @ HashiCorp based out of London.</p> Wed, 10 Jul 2019 00:00:00 +0000 /general/nomad/microservices/2019/07/10/Building-apps-scale-scheduling.html /general/nomad/microservices/2019/07/10/Building-apps-scale-scheduling.html A table of application development for the hashistack. <p>And now for a short update, here’s my HashiConf presentation for this year.</p> <p><a href="https://www.youtube.com/watch?v=4n0nncNY3wk"><img src="https://img.youtube.com/vi/4n0nncNY3wk/0.jpg" alt="HashiConf 2018: A tale of application development for the HashiCorp Stack" /></a></p> Sun, 16 Dec 2018 00:00:00 +0000 /general/vault/consul/nomad/video/2018/12/16/A-tale-of-app.html /general/vault/consul/nomad/video/2018/12/16/A-tale-of-app.html Understanding the performance overhead of encryption and it's upside <p>Every modern application has a requirement for encrypting certain amounts of data. The traditional approach has been either relying on some sort of transparent encryption (using something like encryption at rest capabilities in the storage, or column/field level encryption in database systems). While this clearly minimizes the requirement for encryption within the application, it doesn’t secure the data from attacks like a SQL Injection, or someone just dumping data since their account had excessive privileges, or though exposure of backups.</p> <p>In comes the requirement of doing encryption at the application level, with of course the expected complexity of doing a right implementation at the code level (choosing the right cyphers, encryption keys, securing the objects), and securing and maintaining the actual encryption keys, which more often than not, end in version control, or in some kind of object store subject to the usual issues.</p> <p>Traditionally, there has been different approaches to secure encryption keys: An HSM could be used, with considerable performance penalty. An external encryption system, like Amazon’s KMS, or Azure Key Vault, or Google KMS’s, where the third party holds your encryption key. Ultimately, HashiCorp’s Vault offers it’s own Transit backend, which allows (depending on policy) to offload encryption/decryption/hmac workflows, as well as signing and verification, abstracting the complexity around maintaining encryption keys, and allowing users and organizations to retain control over them inside Vault’s cryptographic barrier. As a brief summary of Vault’s capabilities, when it comes to encryption as a service, we can just refer to Vault’s documentation.</p> <p>The primary use case for transit is to encrypt data from applications while still storing that encrypted data in some primary data store. This relieves the burden of proper encryption/decryption from application developers and pushes the burden onto the operators of Vault. Operators of Vault generally include the security team at an organization, which means they can ensure that data is encrypted/decrypted properly. Additionally, since encrypt/decrypt operations must enter the audit log, any decryption event is recorded.</p> <p>The objective of this article, however, is not to explain the capabilities of Vault, but rather to do an analysis of what’s the overhead of using Vault to encrypt a single field in the application.</p> <p>For that purpose, a MySQL data source is used, using the traditional world database (with about 4000 rows), and the test being run will effectively launch a single thread per entry, that will encrypt a field of such entry, and then persist it to Amazon S3.</p> <p>This test was run on an m4.large instance, in Amazon, running a Vault Server, with a Consul backend, a MySQL server, and the script taking the metrics, all on the same system. It is inspired on a traditional Big Data use case, where information needs to be persisted to some sort of object store for later processing. The commented Python function being executed in each thread is as follows:</p> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">makeJson</span><span class="p">(</span><span class="n">vault</span><span class="p">,</span> <span class="n">s3</span><span class="p">,</span> <span class="n">s3_bucket</span><span class="p">,</span> <span class="n">ID</span><span class="p">,</span> <span class="n">Name</span><span class="p">,</span> <span class="n">CountryCode</span><span class="p">,</span> <span class="n">District</span><span class="p">,</span> <span class="n">Population</span><span class="p">):</span> <span class="c"># Take the starting time for the whole function</span> <span class="n">tot_time</span> <span class="o">=</span> <span class="n">time</span><span class="o">.</span><span class="n">time</span><span class="p">()</span> <span class="c"># Take the starting time for encryption</span> <span class="n">enc_time</span> <span class="o">=</span> <span class="n">time</span><span class="o">.</span><span class="n">time</span><span class="p">()</span> <span class="c"># Base64 a single Value</span> <span class="n">Nameb64</span> <span class="o">=</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64encode</span><span class="p">(</span><span class="n">Name</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s">'utf-8'</span><span class="p">))</span> <span class="c"># Encrypt it through Vault</span> <span class="n">NameEnc</span> <span class="o">=</span> <span class="n">vault</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="s">'transit/encrypt/world-transit'</span><span class="p">,</span> <span class="n">plaintext</span><span class="o">=</span><span class="nb">bytes</span><span class="p">(</span><span class="n">Nameb64</span><span class="p">),</span> <span class="n">context</span><span class="o">=</span><span class="n">base64</span><span class="o">.</span><span class="n">b64encode</span><span class="p">(</span><span class="s">'world-transit'</span><span class="p">))</span> <span class="c"># Calculate how long it took to encrypt</span> <span class="n">eetime</span> <span class="o">=</span> <span class="n">time</span><span class="o">.</span><span class="n">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">enc_time</span> <span class="c"># Create the object to persist and convert it to JSON</span> <span class="n">Cityobj</span> <span class="o">=</span> <span class="p">{</span> <span class="s">"ID"</span><span class="p">:</span> <span class="n">ID</span><span class="p">,</span> <span class="s">"Name"</span><span class="p">:</span> <span class="n">NameEnc</span><span class="p">[</span><span class="s">'data'</span><span class="p">][</span><span class="s">'ciphertext'</span><span class="p">],</span> <span class="s">"CountryCode"</span><span class="p">:</span> <span class="n">CountryCode</span><span class="p">,</span> <span class="s">"District"</span><span class="p">:</span> <span class="n">District</span><span class="p">,</span> <span class="s">"Population"</span><span class="p">:</span> <span class="n">Population</span> <span class="p">}</span> <span class="n">City</span> <span class="o">=</span> <span class="n">json</span><span class="o">.</span><span class="n">dumps</span><span class="p">(</span><span class="n">Cityobj</span><span class="p">)</span> <span class="n">filename</span> <span class="o">=</span> <span class="s">"</span><span class="si">%</span><span class="s">s.json"</span> <span class="o">%</span> <span class="n">ID</span> <span class="c"># Take the starting time for persisting it into S3, for comparison</span> <span class="n">store_time</span> <span class="o">=</span> <span class="n">time</span><span class="o">.</span><span class="n">time</span><span class="p">()</span> <span class="c"># Persist the object</span> <span class="n">s3</span><span class="o">.</span><span class="n">put_object</span><span class="p">(</span><span class="n">Body</span><span class="o">=</span><span class="n">City</span><span class="p">,</span> <span class="n">Bucket</span><span class="o">=</span><span class="n">s3_bucket</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="n">filename</span><span class="p">)</span> <span class="c"># Calculate how long it took to store it</span> <span class="n">sstime</span> <span class="o">=</span> <span class="n">time</span><span class="o">.</span><span class="n">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">store_time</span> <span class="c"># Calculate how long it took to run the whole function</span> <span class="n">tttime</span> <span class="o">=</span> <span class="n">time</span><span class="o">.</span><span class="n">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">tot_time</span> <span class="k">print</span><span class="p">(</span><span class="s">"</span><span class="si">%</span><span class="s">i,</span><span class="si">%</span><span class="s">s,</span><span class="si">%</span><span class="s">s,</span><span class="si">%</span><span class="s">s</span><span class="se">\n</span><span class="s">"</span> <span class="o">%</span> <span class="p">(</span><span class="nb">int</span><span class="p">(</span><span class="n">ID</span><span class="p">),</span> <span class="nb">str</span><span class="p">(</span><span class="n">sstime</span><span class="p">),</span> <span class="nb">str</span><span class="p">(</span><span class="n">eetime</span><span class="p">),</span> <span class="nb">str</span><span class="p">(</span><span class="n">tttime</span><span class="p">)))</span> </code></pre></div></div> <p>This would render a single line of a CSV, per thread, that later was aggregated in order to analyze the data. The average, minimum and median values are as follows: <img src="/assets/media/graph1.png" alt="Avg/Min/Med" title="average, minimum and median values" /></p> <p>As for concurrency, this is running 4 thousand threads that are being instantiated on a for loop. According to this limited dataset (about 4000 entries) we’re looking at a 5% ~ 10% overhead, in regards to execution time. <img src="/assets/media/graph2.png" alt="Data Points" title="data points" /></p> <p>It’s worth noting that during the tests Vault barely break a sweat, Top reported it was using 15% CPU (against 140% that Python was using). This was purposely done in a limited scale, as it wasn’t our intention to test how far could Vault go. Vault Enterprise supports Performance replication that would allow it to scale to fit the needs of even the most demanding applications. As for the development effort, the only complexity added would be adding two statements to encrypt/decrypt the data as the Python example shows. It’s worth noting that Vault supports convergent encryption, causing same encrypted values to return the same string, in case someone would require to look for indexes in WHERE clauses.</p> <p>Using this pattern, along with the well known secret management features in Vault, would help mitigate against the Top 10 database attacks as documented by the British Chartered Institute for IT:</p> <ol> <li> <p>Excessive privileges: Using transit, in combination of Vault’s Database Secret Backend, an organization can ensure that each user or application get’s the right level of access to the data, which in its own can be encrypted, requiring further level of privilege to decode it.</p> </li> <li> <p>Privilege abuse: Using transit, the data obtained even with the right privileges is encrypted, and potentially requiring the right “context” to decrypt it, even if the user has access to.</p> </li> <li> <p>Unauthorized privilege elevation: Much like in the cases above, Vault can determine what is the right access a user gets to a database, effectively terminating the “Gold credentials” pattern and encrypting the underlying data from operator access.</p> </li> <li> <p>Platform vulnerabilities: Even if the platform is vulnerable, the data would be secure.</p> </li> <li> <p>SQL injection: As data is not transparently encrypted, a vulnerable application would mostly dump obfuscated data, that can be re-wrapped upon detection of a vulnerability to an updated encryption key.</p> </li> <li> <p>Weak audit: Vault audits encryption and decryption operations, effectively creating an audit trail which would allow to pinpoint exactly who has access to the data.</p> </li> <li> <p>Denial of service: Through Sentinel, our policy as code engine, Vault can evaluate traffic patterns through rules and deny access accordingly.</p> </li> <li> <p>Database protocol vulnerabilities: As before, even if the data is dumped, it wouldn’t be transparently decrypted.</p> </li> <li> <p>Weak authentication: Using Vault’s Database secret backend, would generate short lived credentials which can be revoked centrally, and have the right level of complexity.</p> </li> <li> <p>Exposure of backup data: Backups would be automatically encrypted, just like the underlying data.</p> </li> </ol> <hr /> <p>About the author: Nicolas Corrarello is the Regional Director for Solutions Engineering @ HashiCorp based out of London.</p> Mon, 05 Mar 2018 00:00:00 +0000 /general/vault/security/2018/03/05/Understanding-the-encryption-overhead.html /general/vault/security/2018/03/05/Understanding-the-encryption-overhead.html Reading Vault Secrets in your Jenkins pipeline <p>The Jenkins credential store in most enterprises is becoming a potential attack vector. It’s generally filled with long lived credentials, sometimes even to production systems.</p> <p>In comes Hashicorp’s Vault, a Secret Management solution that enables the secure store of secrets, and dynamic generation of credentials for your job. Looks like a great match right? Look at the demo, certainly looks promising (specially with Jenkins beautiful new BlueOcean UI):</p> <p><img src="/assets/media/0OCENniTf9.gif" alt="Jenkins Demo" title="Jenkins Pipeline consuming secrets from Vault" /></p> <p>Interested? Let’s dive into it:</p> <h3 id="what-is-hashicorp-vault">What is Hashicorp Vault?</h3> <p>Quite simply, is a tool for managing secrets. What’s really innovative about Vault is that it has methods for establishing both user and machine identity (through Auth Backends), so secrets can be consumed programatically. Identity is ultimately established by a (short lived) token. It also generates dynamic secrets on a number of backends, such as Cassandra, MySQL, PostgreSQL, SQL Server, MongoDB, etc. … I’m not going to cover here how to configure Vault, feel free to head out to the <a href="https://www.vaultproject.io/docs/index.html">Vault documentation</a>. For all intent and purposes of this document, you can <a href="https://www.vaultproject.io/downloads.html">download Vault</a> and run it in “dev mode” for a quick test:</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>vault server <span class="nt">-dev</span> WARNING: Dev mode is enabled! In this mode, Vault is completely <span class="k">in</span><span class="nt">-memory</span> and unsealed. Vault is configured to only have a single unseal key. The root token has already been authenticated with the CLI, so you can immediately begin using the Vault CLI. The only step you need to take is to <span class="nb">set </span>the following environment variable since Vault will be talking without TLS: <span class="nb">export </span><span class="nv">VAULT_ADDR</span><span class="o">=</span><span class="s1">'http://127.0.0.1:8200'</span> The unseal key and root token are reproduced below <span class="k">in case</span> you want to seal/unseal the Vault or play with authentication. Unseal Key: 2252546b1a8551e8411502501719c4b3 Root Token: 79bd8011-af5a-f147-557e-c58be4fedf6c <span class="o">==&gt;</span> Vault server configuration: Log Level: info Backend: inmem Listener 1: tcp <span class="o">(</span>addr: <span class="s2">"127.0.0.1:8200"</span>, tls: <span class="s2">"disabled"</span><span class="p">)</span></code></pre></figure> <p>Please don’t run a Vault cluster in dev mode on production, feel free to reachout through the usual means if you need help.</p> <h4 id="approle">AppRole</h4> <p>AppRole is a secure introduction method to establish machine identity. In AppRole, in order for the application to get a token, it would need to login using a Role ID (which is static, and associated with a policy), and a Secret ID (which is dynamic, one time use, and can only be requested by a previously authenticated user/system. In this case, we have two options:</p> <ul> <li>Store the Role IDs in Jenkins</li> <li>Store the Role ID in the Jenkinsfile of each project</li> </ul> <p>So let’s generate a policy for this role:</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span><span class="nb">echo</span> <span class="s1">'path "secret/hello" { capabilities = ["read", "list"] }'</span> | vault policy-write java-example - Policy <span class="s1">'java-example'</span> written.</code></pre></figure> <p>In this case, tokens assigned to the java-example policy would have permission to read a secret on the secret/hello path.</p> <p>Now we have to create a Role that will generate tokens associated with that policy, and retrieve the token:</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>vault write auth/approle/role/java-example <span class="se">\</span> <span class="o">&gt;</span> <span class="nv">secret_id_ttl</span><span class="o">=</span>60m <span class="se">\</span> <span class="o">&gt;</span> <span class="nv">token_ttl</span><span class="o">=</span>60m <span class="se">\</span> <span class="o">&gt;</span> <span class="nv">token_max_tll</span><span class="o">=</span>120m <span class="se">\</span> <span class="o">&gt;</span> <span class="nv">policies</span><span class="o">=</span><span class="s2">"java-example"</span> Success! Data written to: auth/approle/role/java-example <span class="nv">$ </span>vault <span class="nb">read </span>auth/approle/role/java-example Key Value <span class="nt">---</span> <span class="nt">-----</span> bind_secret_id <span class="nb">true </span>bound_cidr_list period 0 policies <span class="o">[</span>default java-example] secret_id_num_uses 0 secret_id_ttl 3600 token_max_ttl 0 token_num_uses 0 token_ttl 3600</code></pre></figure> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>vault <span class="nb">read </span>auth/approle/role/java-example/role-id Key Value <span class="nt">---</span> <span class="nt">-----</span> role_id 67bbcf2a-f7fb-3b41-f57e-88a34d9253e7</code></pre></figure> <p>Note that in this case, the tokens generated through this policy have a time-to-live of 60 minutes. That means that after an hour, that token is expired and can’t be used anymore. If you’re Jenkins jobs are shorted, you can adjust that time to live now to increase security.</p> <p>Let’s write a secret that our application will consume:</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>vault write secret/hello <span class="nv">value</span><span class="o">=</span><span class="s2">"You've Succesfully retrieved a secret from Hashicorp Vault"</span> Success! Data written to: secret/hello</code></pre></figure> <p>Now Jenkins will need permissions to retrieve Secret IDs for our newly created role. Jenkins shouldn’t be able to access the secret itself, list other Secret IDs, or even the Role ID.</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span><span class="nb">echo</span> <span class="s1">'path "auth/approle/role/java-example/secret-id" { capabilities = ["read","create","update"] }'</span> | vault policy-write jenkins -</code></pre></figure> <p>And generate a token for Jenkins to login into Vault. This token should have a relatively large TTL, but will have to be rotated:</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="nv">$ </span>vault token-create <span class="nt">-policy</span><span class="o">=</span>jenkins Key Value <span class="nt">---</span> <span class="nt">-----</span> token de1fdee1-72c7-fdd0-aa48-a198eafeca10 token_accessor 8ccfb4bb-6d0a-d132-0f1d-5542139ec81c token_duration 768h0m0s token_renewable <span class="nb">true </span>token_policies <span class="o">[</span>default jenkins]</code></pre></figure> <p>In this way we’re minimizing attack vectors:</p> <ul> <li> <p>Jenkins only knows it’s Vault Token (and potentially the Role ID) but doesn’t know the Secret ID, which is generated at pipeline runtime and it’s for one time use only.</p> </li> <li> <p>The Role ID can be stored in the Jenkinsfile. Without a token and a Secret ID has no use.</p> </li> <li> <p>The Secret ID is dynamic and one time use only, and only lives for a short period of time while it’s requested and a login process is carried out to obtain a token for the role.</p> </li> <li> <p>The role token is short lived, and it will be useless once the pipeline finishes. It can even be revoked once you’re finished with your pipeline.</p> </li> </ul> <h3 id="jenkins-pipeline-and-configuration">Jenkins pipeline and configuration</h3> <p>A full example for the project is available <a href="https://github.com/ncorrare/vault-java-example">here</a>. The Jenkinsfile will be using is this one:</p> <figure class="highlight"><pre><code class="language-groovy" data-lang="groovy"><span class="n">pipeline</span> <span class="o">{</span> <span class="n">agent</span> <span class="n">any</span> <span class="n">stages</span> <span class="o">{</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Cleanup'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">withMaven</span><span class="o">(</span><span class="nl">maven:</span> <span class="s1">'maven-3.2.5'</span><span class="o">)</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'mvn clean'</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Test'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">withMaven</span><span class="o">(</span><span class="nl">maven:</span> <span class="s1">'maven-3.2.5'</span><span class="o">)</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'mvn test'</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Compile'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">withMaven</span><span class="o">(</span><span class="nl">maven:</span> <span class="s1">'maven-3.2.5'</span><span class="o">)</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'mvn compile'</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Package'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">withMaven</span><span class="o">(</span><span class="nl">maven:</span> <span class="s1">'maven-3.2.5'</span><span class="o">)</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'mvn package'</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Notify'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">echo</span> <span class="s1">'Build Successful!'</span> <span class="o">}</span> <span class="o">}</span> <span class="n">stage</span><span class="o">(</span><span class="s1">'Integration Tests'</span><span class="o">)</span> <span class="o">{</span> <span class="n">steps</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">'curl -o vault.zip https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_arm.zip ; yes | unzip vault.zip'</span> <span class="n">withCredentials</span><span class="o">([</span><span class="n">string</span><span class="o">(</span><span class="nl">credentialsId:</span> <span class="s1">'role'</span><span class="o">,</span> <span class="nl">variable:</span> <span class="s1">'ROLE_ID'</span><span class="o">),</span><span class="n">string</span><span class="o">(</span><span class="nl">credentialsId:</span> <span class="s1">'VAULTTOKEN'</span><span class="o">,</span> <span class="nl">variable:</span> <span class="s1">'VAULT_TOKEN'</span><span class="o">)])</span> <span class="o">{</span> <span class="n">sh</span> <span class="s1">''' set +x export VAULT_ADDR=https://$(hostname):8200 export VAULT_SKIP_VERIFY=true export SECRET_ID=$(./vault write -field=secret_id -f auth/approle/role/java-example/secret-id) export VAULT_TOKEN=$(./vault write -field=token auth/approle/login role_id=${ROLE_ID} secret_id=${SECRET_ID}) java -jar target/java-client-example-1.0-SNAPSHOT-jar-with-dependencies.jar '''</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> <span class="n">environment</span> <span class="o">{</span> <span class="n">mvnHome</span> <span class="o">=</span> <span class="s1">'maven-3.2.5'</span> <span class="o">}</span> <span class="o">}</span></code></pre></figure> <p>Lot’s of stuff here, including certain Maven tasks, but we will be focusing on the Integration Tests stage (the last one), what we’re doing here is:</p> <ul> <li> <p>Downloading the Vault binary (in my case the ARM linux one, I’ll brag about that in a different blog post :D)</p> </li> <li> <p>Reading credentials from the Jenkins credential store. In this case I’m storing both the ROLE_ID and the VAULT_TOKEN I’ve generated for Jenkins. As mentioned before if you want to split them for more security, you can just use the ROLE_ID as a variable in the Jenkinsfile.</p> </li> <li> <p>I’m doing a set +x to disable verbosity in the shell in order not to leak credentials, although even with -x, in this case I’m just showing the Secret ID (which is useless after I’ve already used it), and the VAULT_TOKEN that I’m going to use to consume credentials, which is short lived, and can be revoked at the end of this runtime just adding a <code class="highlighter-rouge">vault token-revoke</code> command.</p> </li> <li> <p>I’m retrieving a SECRET_ID using Jenkins administrative token (that I’ve manually generated before, that’s the only one that would be relatively longed lived, but can only generate SECRET_IDs).</p> </li> <li> <p>I’m doing an AppRole login with the ROLE_ID and the SECRET_ID, and storing that token (short lived).</p> </li> <li> <p>My Java Process is reading VAULT_TOKEN and VAULT_ADDR to contact Vault and retrieve the secret we stored.</p> </li> </ul> <p>The VAULT_TOKEN (And optionally ROLE_ID) are stored in the Credential store in Jenkins:</p> <p><img src="/assets/media/jenkins-cred-store.png" alt="Jenkins Cred Store" title="Jenkins Credential Store" /></p> Sun, 23 Apr 2017 00:00:00 +0000 /general/vault/security/ci/2017/04/23/Reading-Vault-Secrets-in-your-Jenkins-pipeline.html /general/vault/security/ci/2017/04/23/Reading-Vault-Secrets-in-your-Jenkins-pipeline.html Who has time for testing <p>And now for a short update, here’s my PuppetConf presentation of this year.</p> <p><a href="http://www.youtube.com/watch?v=1X_2ijZqguQ"><img src="http://img.youtube.com/vi/1X_2ijZqguQ/0.jpg" alt="PuppetConf 2016: Puppet on Windows" /></a></p> Thu, 20 Oct 2016 00:00:00 +0000 /general/puppet/windows/video/2016/10/20/Puppet-on-Windows.html /general/puppet/windows/video/2016/10/20/Puppet-on-Windows.html Don't DROWN on OpenSSL <p>Yet another OpenSSL vulnerability in the loose. While the vendors release fixes, Puppet to the rescue!. Let’s start by disabling those weak ciphers.</p> <p>For the apache https server, you can use the puppetlabs-apache module to disable weak ciphers:</p> <figure class="highlight"><pre><code class="language-puppet" data-lang="puppet"><span class="k">class</span> <span class="p">{</span> <span class="s1">'apache::mod::ssl'</span><span class="p">:</span> <span class="py">ssl_cipher</span> <span class="p">=&gt;</span> <span class="s1">'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EXPORT'</span><span class="p">,</span> <span class="py">ssl_protocol</span> <span class="p">=&gt;</span> <span class="p">[</span> <span class="s1">'all'</span><span class="p">,</span> <span class="s1">'-SSLv2'</span><span class="p">,</span> <span class="s1">'-SSLv3'</span> <span class="p">],</span> <span class="c">#Default value for the module </span> <span class="py">ssl_honorcipherorder</span> <span class="p">=&gt;</span> <span class="s1">'On'</span><span class="p">,</span> <span class="c">#Default value for the module </span><span class="p">}</span></code></pre></figure> <p>More information on https://forge.puppetlabs.com/puppetlabs/apache/readme#class-apachemodssl</p> <p>Using Postfix? No problem, the camptocamp-postfix module can help you there:</p> <figure class="highlight"><pre><code class="language-puppet" data-lang="puppet"><span class="n">postfix::config</span> <span class="p">{</span> <span class="s1">'smtpd_tls_security_level'</span><span class="p">:</span> <span class="py">value</span> <span class="p">=&gt;</span> <span class="s1">'secure'</span><span class="p">;</span> <span class="s1">'smtpd_tls_mandatory_protocols'</span><span class="p">:</span> <span class="py">value</span> <span class="p">=&gt;</span> <span class="s1">'!SSLv2, !SSLv3'</span><span class="p">;</span> <span class="s1">'smtpd_tls_mandatory_exclude_ciphers'</span><span class="p">:</span> <span class="py">value</span> <span class="p">=&gt;</span> <span class="s1">'aNULL, MD5'</span> <span class="p">}</span></code></pre></figure> <p>More information on https://forge.puppetlabs.com/camptocamp/postfix</p> <p>How about IIS 7? We can use the puppetlabs-registry module to disable weak ciphers:</p> <figure class="highlight"><pre><code class="language-puppet" data-lang="puppet"><span class="k">class</span> <span class="nc">profile::baseline</span> <span class="p">{</span> <span class="n">registry_value</span> <span class="p">{</span> <span class="s1">'HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server\Enabled'</span><span class="p">:</span> <span class="py">ensure</span> <span class="p">=&gt;</span> <span class="n">present</span><span class="p">,</span> <span class="py">type</span> <span class="p">=&gt;</span> <span class="n">dword</span><span class="p">,</span> <span class="py">data</span> <span class="p">=&gt;</span> <span class="m">0</span><span class="n">x00000000</span><span class="p">,</span> <span class="p">}</span> <span class="n">registry_value</span> <span class="p">{</span> <span class="s1">'HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\Enabled'</span><span class="p">:</span> <span class="py">ensure</span> <span class="p">=&gt;</span> <span class="n">present</span><span class="p">,</span> <span class="py">type</span> <span class="p">=&gt;</span> <span class="n">dword</span><span class="p">,</span> <span class="py">data</span> <span class="p">=&gt;</span> <span class="m">0</span><span class="n">x00000000</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span></code></pre></figure> <p>More information on https://forge.puppetlabs.com/puppetlabs/registry</p> Thu, 03 Mar 2016 00:00:00 +0000 /general/puppet/code/security/2016/03/03/Dont-DROWN-on-OpenSSL.html /general/puppet/code/security/2016/03/03/Dont-DROWN-on-OpenSSL.html Extending your Puppet Language Dictionary for Application Orchestration <p>Time to extend your Puppet Language skills! The new features for application orchestration introduce a number of language constructs you’ll want to know about if you’re planning to describe your applications and supporting infrastructure in the Puppet language.</p> <h2 id="the-environment-service-resource-type">The Environment Service Resource Type</h2> <p>If you haven’t worked with Puppet types and providers before, I’d strongly suggest you read the documentation on custom types and providers (available here <a href="https://docs.puppetlabs.com/guides/custom_types.html">https://docs.puppetlabs.com/guides/custom_types.html</a> and here <a href="https://docs.puppetlabs.com/guides/provider_development.html">https://docs.puppetlabs.com/guides/provider_development.html</a>, respectively).</p> <p>It is worth noting that, unlike your traditional Puppet types and providers, an environment service resource type is far simpler to develop, as you’ll see in the first example below.</p> <p>The environment service resource is the key to defining the relationship between different software layers. It effectively extends a traditional Puppet type (like file, services, or packages) to describe application services (an SQL database, web server, API layer or a microservice, for example). Like Puppet node types, the environment service resource can (optionally) have a provider, which in this case implements a number of service-related methods — for instance, how to check if an environment service produced by an application component is actually ready for work before continuing the deployment.</p> <p>The environment service type looks pretty much like any other Puppet type, but it has the property of being a capability. A very simple example could be an SQL resource, as described below:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"> <span class="no">Puppet</span><span class="o">::</span><span class="no">Type</span><span class="p">.</span><span class="nf">newtype</span> <span class="ss">:sql</span><span class="p">,</span> <span class="ss">:is_capability</span> <span class="o">=&gt;</span> <span class="kp">true</span> <span class="k">do</span> <span class="n">newparam</span> <span class="ss">:name</span><span class="p">,</span> <span class="ss">:namevar</span> <span class="o">=&gt;</span> <span class="kp">true</span> <span class="n">newparam</span> <span class="ss">:dbname</span> <span class="n">newparam</span> <span class="ss">:dbhost</span> <span class="n">newparam</span> <span class="ss">:dbpass</span> <span class="n">newparam</span> <span class="ss">:dbuser</span> <span class="k">end</span></code></pre></figure> <p>What I’m doing here is telling the Puppet resource abstraction layer (or rather the service abstraction layer) that I have modeled an SQL database that can be produced by a server (managed with Puppet), for use by one or more servers that need an SQL database. You can think of it as a contract between the servers on your network: What information do they need to exchange in order to interoperate?</p> <h2 id="the-application-layers">The Application Layers</h2> <p>The component in your applications should be iterable — that is to say, you should be able to deploy multiple instances of your layers (multiple web servers, for example). What better way to do that than the way you’ve been doing it historically, with defined types?</p> <p>Here’s where you can leverage your existing modules, profiles and roles. Remember, Puppet is about code reusability; you don’t need to reinvent the wheel every time you do something.</p> <p>Just to show you a quick example, here’s a define type for my database layer:</p> <figure class="highlight"><pre><code class="language-puppet" data-lang="puppet"> <span class="k">define</span> <span class="nf">apporch_blog::db</span> <span class="p">(</span> <span class="nv">$dbuser</span><span class="p">,</span> <span class="nv">$dbpass</span><span class="p">,</span> <span class="nv">$host</span> <span class="err">=</span> <span class="nv">$::fqdn</span><span class="p">,</span> <span class="p">){</span> <span class="nv">$override_options</span> <span class="err">=</span> <span class="p">{</span> <span class="s1">'mysqld'</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="s1">'bind-address'</span> <span class="p">=&gt;</span> <span class="s1">'0.0.0.0'</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="n">firewall</span> <span class="p">{</span> <span class="s1">'101 Allow Connections to Database'</span><span class="p">:</span> <span class="py">dport</span> <span class="p">=&gt;</span> <span class="m">3306</span><span class="p">,</span> <span class="py">proto</span> <span class="p">=&gt;</span> <span class="s1">'tcp'</span><span class="p">,</span> <span class="py">action</span> <span class="p">=&gt;</span> <span class="s1">'accept'</span><span class="p">,</span> <span class="p">}</span> <span class="c"># For simplicity, I’m declaring the mysql::server class here but you’d normally do this outside of the define (Preferably in Hiera). </span> <span class="k">class</span> <span class="p">{</span><span class="s1">'::mysql::server'</span><span class="p">:</span> <span class="py">root_password</span> <span class="p">=&gt;</span> <span class="s1">'whatever'</span><span class="p">,</span> <span class="py">override_options</span> <span class="p">=&gt;</span> <span class="nv">$override_options</span><span class="p">,</span> <span class="p">}</span> <span class="n">mysql::db</span> <span class="p">{</span> <span class="nv">$name</span><span class="p">:</span> <span class="py">user</span> <span class="p">=&gt;</span> <span class="nv">$dbuser</span><span class="p">,</span> <span class="py">password</span> <span class="p">=&gt;</span> <span class="nv">$dbpass</span><span class="p">,</span> <span class="py">host</span> <span class="p">=&gt;</span> <span class="s1">'%'</span><span class="p">,</span> <span class="py">grant</span> <span class="p">=&gt;</span> <span class="p">[</span><span class="s1">'ALL PRIVILEGES'</span><span class="p">],</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span></code></pre></figure> <p>As you can see, this is pretty much standard; I’m creating a new type that defines a database. Now going back to the environment service resource I described before, I could potentially produce an SQL resource out of this database, so let’s modify the code to do that:</p> <figure class="highlight"><pre><code class="language-puppet" data-lang="puppet"> <span class="k">define</span> <span class="nf">apporch_blog::db</span> <span class="p">(</span> <span class="nv">$dbuser</span><span class="p">,</span> <span class="nv">$dbpass</span><span class="p">,</span> <span class="nv">$host</span> <span class="err">=</span> <span class="nv">$::fqdn</span><span class="p">,</span> <span class="p">){</span> <span class="nv">$override_options</span> <span class="err">=</span> <span class="p">{</span> <span class="s1">'mysqld'</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="s1">'bind-address'</span> <span class="p">=&gt;</span> <span class="s1">'0.0.0.0'</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="n">firewall</span> <span class="p">{</span> <span class="s1">'101 Allow Connections to Database'</span><span class="p">:</span> <span class="py">dport</span> <span class="p">=&gt;</span> <span class="m">3306</span><span class="p">,</span> <span class="py">proto</span> <span class="p">=&gt;</span> <span class="s1">'tcp'</span><span class="p">,</span> <span class="py">action</span> <span class="p">=&gt;</span> <span class="s1">'accept'</span><span class="p">,</span> <span class="p">}</span> <span class="c"># It is a bad idea to instantiate a class is this way, since if I'm trying to apply the db class to multiple nodes the catalog compilation may fail, but for simplicity: </span> <span class="k">class</span> <span class="p">{</span><span class="s1">'::mysql::server'</span><span class="p">:</span> <span class="py">root_password</span> <span class="p">=&gt;</span> <span class="s1">'whatever'</span><span class="p">,</span> <span class="py">override_options</span> <span class="p">=&gt;</span> <span class="nv">$override_options</span><span class="p">,</span> <span class="p">}</span> <span class="n">mysql::db</span> <span class="p">{</span> <span class="nv">$name</span><span class="p">:</span> <span class="py">user</span> <span class="p">=&gt;</span> <span class="nv">$dbuser</span><span class="p">,</span> <span class="py">password</span> <span class="p">=&gt;</span> <span class="nv">$dbpass</span><span class="p">,</span> <span class="py">host</span> <span class="p">=&gt;</span> <span class="s1">'%'</span><span class="p">,</span> <span class="py">grant</span> <span class="p">=&gt;</span> <span class="p">[</span><span class="s1">'ALL PRIVILEGES'</span><span class="p">],</span> <span class="p">}</span> <span class="p">}</span> <span class="nc">Apporch_blog</span><span class="p">::</span><span class="nc">Db</span> <span class="n">produces</span> <span class="nc">Sql</span> <span class="p">{</span> <span class="py">dbuser</span> <span class="p">=&gt;</span> <span class="nv">$dbuser</span><span class="p">,</span> <span class="py">dbpass</span> <span class="p">=&gt;</span> <span class="nv">$dbpass</span><span class="p">,</span> <span class="py">dbhost</span> <span class="p">=&gt;</span> <span class="nv">$host</span><span class="p">,</span> <span class="py">dbname</span> <span class="p">=&gt;</span> <span class="nv">$name</span><span class="p">,</span> <span class="p">}</span></code></pre></figure> <p>Now I’ve told the Puppet parser that this particular define type is producing a resource, and I’m mapping the parameters of this type to the parameters of this resource.</p> <p>Just as this define type produces the resource, I’ve created another defined type, to consume it:</p> <figure class="highlight"><pre><code class="language-puppet" data-lang="puppet"> <span class="k">define</span> <span class="nf">apporch_blog::web</span> <span class="p">(</span> <span class="nv">$webpath</span><span class="p">,</span> <span class="nv">$vhost</span><span class="p">,</span> <span class="nv">$dbuser</span><span class="p">,</span> <span class="nv">$dbpass</span><span class="p">,</span> <span class="nv">$dbhost</span><span class="p">,</span> <span class="nv">$dbname</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="n">package</span> <span class="p">{[</span><span class="s1">'php'</span><span class="p">,</span><span class="s1">'mysql'</span><span class="p">,</span><span class="s1">'php-mysql'</span><span class="p">,</span><span class="s1">'php-gd'</span><span class="p">]:</span> <span class="py">ensure</span> <span class="p">=&gt;</span> <span class="n">installed</span><span class="p">,</span> <span class="p">}</span> <span class="n">firewall</span> <span class="p">{</span> <span class="s1">'100 Allow Connections to Web Server'</span><span class="p">:</span> <span class="py">dport</span> <span class="p">=&gt;</span> <span class="m">80</span><span class="p">,</span> <span class="py">proto</span> <span class="p">=&gt;</span> <span class="s1">'tcp'</span><span class="p">,</span> <span class="py">action</span> <span class="p">=&gt;</span> <span class="s1">'accept'</span><span class="p">,</span> <span class="p">}</span> <span class="k">include</span> <span class="nc">::apache</span> <span class="k">include</span> <span class="nc">::apache::mod::php</span> <span class="n">apache::vhost</span> <span class="p">{</span> <span class="nv">$vhost</span><span class="p">:</span> <span class="py">port</span> <span class="p">=&gt;</span> <span class="s1">'80'</span><span class="p">,</span> <span class="py">docroot</span> <span class="p">=&gt;</span> <span class="nv">$webpath</span><span class="p">,</span> <span class="kp">require</span> <span class="p">=&gt;</span> <span class="p">[</span><span class="nc">File</span><span class="p">[</span><span class="nv">$webpath</span><span class="p">]],</span> <span class="p">}</span> <span class="n">file</span> <span class="p">{</span> <span class="nv">$webpath</span><span class="p">:</span> <span class="py">ensure</span> <span class="p">=&gt;</span> <span class="n">directory</span><span class="p">,</span> <span class="py">owner</span> <span class="p">=&gt;</span> <span class="s1">'apache'</span><span class="p">,</span> <span class="py">group</span> <span class="p">=&gt;</span> <span class="s1">'apache'</span><span class="p">,</span> <span class="kp">require</span> <span class="p">=&gt;</span> <span class="nc">Package</span><span class="p">[</span><span class="s1">'httpd'</span><span class="p">],</span> <span class="p">}</span> <span class="k">class</span> <span class="p">{</span> <span class="s1">'::wordpress'</span><span class="p">:</span> <span class="py">db_user</span> <span class="p">=&gt;</span> <span class="nv">$dbuser</span><span class="p">,</span> <span class="py">db_password</span> <span class="p">=&gt;</span> <span class="nv">$dbpass</span><span class="p">,</span> <span class="py">db_host</span> <span class="p">=&gt;</span> <span class="nv">$dbhost</span><span class="p">,</span> <span class="py">db_name</span> <span class="p">=&gt;</span> <span class="nv">$dbname</span><span class="p">,</span> <span class="py">create_db</span> <span class="p">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="py">create_db_user</span> <span class="p">=&gt;</span> <span class="kc">false</span><span class="p">,</span> <span class="py">install_dir</span> <span class="p">=&gt;</span> <span class="nv">$webpath</span><span class="p">,</span> <span class="py">wp_owner</span> <span class="p">=&gt;</span> <span class="s1">'apache'</span><span class="p">,</span> <span class="py">wp_group</span> <span class="p">=&gt;</span> <span class="s1">'apache'</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="nc">Apporch_blog</span><span class="p">::</span><span class="nc">Web</span> <span class="n">consumes</span> <span class="nc">Sql</span> <span class="p">{</span> <span class="p">}</span></code></pre></figure> <p>Please note two things in this particular code extract:</p> <ul> <li>I’m declaring variables in the defined type that are going to be filled with parameters from the environment service resource.</li> <li>I’m also declaring that this defined type consumes the environment service resource, but I’m not mapping any variables. That’s because I’m using the same names for the variables.</li> </ul> <h2 id="the-application-construct">The Application Construct</h2> <p>Now let’s glue everything together. The application construct allows us to model the application and declare the dependencies within the layer:</p> <figure class="highlight"><pre><code class="language-puppet" data-lang="puppet"> <span class="n">application</span> <span class="nf">apporch_blog</span> <span class="p">(</span> <span class="nv">$dbuser</span> <span class="err">=</span> <span class="s1">'wordpress'</span><span class="p">,</span> <span class="nv">$dbpass</span> <span class="err">=</span> <span class="s1">'w0rdpr3ss'</span><span class="p">,</span> <span class="nv">$webpath</span> <span class="err">=</span> <span class="s1">'/var/www/wordpress'</span><span class="p">,</span> <span class="nv">$vhost</span> <span class="err">=</span> <span class="s1">'wordpress.puppetlabs.demo'</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="n">apporch_blog::db</span> <span class="p">{</span> <span class="nv">$name</span><span class="p">:</span> <span class="py">dbuser</span> <span class="p">=&gt;</span> <span class="nv">$dbuser</span><span class="p">,</span> <span class="py">dbpass</span> <span class="p">=&gt;</span> <span class="nv">$dbpass</span><span class="p">,</span> <span class="py">export</span> <span class="p">=&gt;</span> <span class="nc">Sql</span><span class="p">[</span><span class="nv">$name</span><span class="p">],</span> <span class="p">}</span> <span class="n">apporch_blog::web</span> <span class="p">{</span> <span class="nv">$name</span><span class="p">:</span> <span class="py">webpath</span> <span class="p">=&gt;</span> <span class="nv">$webpath</span><span class="p">,</span> <span class="py">consume</span> <span class="p">=&gt;</span> <span class="nc">Sql</span><span class="p">[</span><span class="nv">$name</span><span class="p">],</span> <span class="py">vhost</span> <span class="p">=&gt;</span> <span class="nv">$vhost</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span></code></pre></figure> <p>As you can see, it’s here where I’m actually defining the variables to configure the services and create the environment service resource.</p> <h2 id="the-site-construct">The Site Construct</h2> <p>As with your layers, you should be able to deploy your application in multiple instances. That’s where the site construct comes into play. In my particular example, I’m defining it in the <code class="highlighter-rouge">site.pp</code> file for the particular environment. But here’s where you actually instantiate your application and glue it to the specific nodes (using the hostnames for the specific nodes):</p> <figure class="highlight"><pre><code class="language-puppet" data-lang="puppet"> <span class="n">site</span> <span class="p">{</span> <span class="n">apporch_blog</span> <span class="p">{</span> <span class="s1">'example'</span><span class="p">:</span> <span class="py">nodes</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="nc">Node</span><span class="p">[</span><span class="s1">'db.demo'</span><span class="p">]</span> <span class="p">=&gt;</span> <span class="p">[</span> <span class="nc">Apporch_blog</span><span class="p">::</span><span class="nc">Db</span><span class="p">[</span> <span class="s1">'example'</span> <span class="p">]],</span> <span class="nc">Node</span><span class="p">[</span><span class="s1">'www.demo'</span><span class="p">]</span> <span class="p">=&gt;</span> <span class="p">[</span> <span class="nc">Apporch_blog</span><span class="p">::</span><span class="nc">Web</span><span class="p">[</span> <span class="s1">'example'</span> <span class="p">]],</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span></code></pre></figure> <p>In all fairness, I had the unfair advantage of using the Puppet language and modules for quite a while now, but as you can see, once again, the code is human readable and draws from the existing modules on the Puppet Forge. As you can imagine, while this is an extremely simple example, the possibilities are endless:</p> <ul> <li>Think of your microservices running in Docker containers — this is a great way of actually tying the whole application together. See an example <a href="https://github.com/ncorrare/ncorrare-worldofcontainers/blob/master/manifests/profile/infoapi.pp">here</a>.</li> <li>Load balancing? Sure, your web servers can produce resources that are consumed by the load balancer.</li> <li>You can easily replace the nodes in your application, assuming you have current backups. You might be able to re-deploy your database and have Puppet automatically update your web servers.</li> </ul> <p>Now that you have an idea on how the language looks like, you should read the <a href="http://docs.puppetlabs.com/pe/latest/app_orchestration_overview.html#language-extensions-for-application-orchestration-an-overview">full documentation</a>. It’s worth noting that the <a href="https://docs.puppetlabs.com/pe/latest/orchestrator_intro.html">Puppet Orchestrator</a>, which is the set of tools that will actually make the orderly deployment possible, is not referenced here. But you can learn about it from the documentation linked above and below.</p> <p>[*] This article was originally authored for the Puppet Labs Blog (http://blog.puppetlabs.com).</p> Tue, 22 Dec 2015 00:00:00 +0000 /general/puppet/code/apporch/2015/12/22/Extending-your-Puppet-Language-dictionary-for-Application-Orchestration.html /general/puppet/code/apporch/2015/12/22/Extending-your-Puppet-Language-dictionary-for-Application-Orchestration.html Who has time for testing <p>Yeah, I know I’ve neglected my Blog, but hey, I’ve been busy!.</p> <p>Anyway, here’s the video of my PuppetConf presentation on Testing and CI. Enjoy</p> <p><a href="http://www.youtube.com/watch?v=yaY6ddXZF50"><img src="http://img.youtube.com/vi/yaY6ddXZF50/0.jpg" alt="PuppetConf 2015: Who has time for testing" /></a></p> Fri, 20 Nov 2015 00:00:00 +0000 /general/puppet/code/video/2015/11/20/Who-has-time-for-testing.html /general/puppet/code/video/2015/11/20/Who-has-time-for-testing.html Automating Networks <p>I did a short presentation on how to automate the configuration of Arista devices with Puppet on the <a href="http://www.meetup.com/Arista-Networks-London-Meetup-Group/events/223573486/">Arista meetup</a>. Luckily I recorded it, for those of you who weren’t lucky enough to see it live. Video of the screencast is below.</p> <p><a href="http://www.youtube.com/watch?v=iPIfzS6Rnc4"><img src="http://img.youtube.com/vi/iPIfzS6Rnc4/0.jpg" alt="Automating Networks - Puppet with Arista Switches" /></a></p> Fri, 24 Jul 2015 00:00:00 +0000 /general/puppet/code/video/networking/2015/07/24/Automating-Networks.html /general/puppet/code/video/networking/2015/07/24/Automating-Networks.html Creating an API with Sinatra and wrapping Puppet Code around it <p>Another week, another commute to a different country. You do have to love Europe!. Anyway, with an hour on my hands, I starting thinking back to, well, probably the question I get asked the most: “What can you do with Puppet?”. There is probably no short or straight answer to it, so I tend to start enumerating anything that might be relevant, and lately I’ve been finishing up with, “and also, if you have anything that expose resources through an API, well you can wrap Puppet Code around it!”. An excellent example of this, could be Gareth’s AWS module. It is also, too complicated to illustrate a principle, since it’s a fairly complex module, with quite a bit of Ruby code. For those who don’t know me, I don’t do Ruby… well… kind of.</p> <p>Ruby does have a number of brilliant gems (see what I did there?), and since I have been hearing about Ruby, the one that always caught my eye, was Sinatra.</p> <p><img src="https://upload.wikimedia.org/wikipedia/commons/2/2d/Frank_Sinatra2,_Pal_Joey.jpg" alt="Not this Sinatra. Thanks wikimedia commons for the image!" /></p> <p>It is one of those things that look amazingly simple, that are really powerful, and of course, I always wanted to play around with. With all these in mind, I decided to write an extremely simple REST API, and a Puppet Module around it with very simple curl calls, to demo how this would look like, and of course, I did it my way.</p> <p>The absolutely basic Sinatra syntax is:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span class="n">httpverb</span> <span class="s1">'/httppath'</span> <span class="k">do</span> <span class="n">rubycode</span> <span class="k">end</span></code></pre></figure> <p>So let’s look at a commented example:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span class="c1"># HTTP GET verb to retrieve a specific item. Returns 404 if item is not present.</span> <span class="c1"># HTTP Verb and Path definition</span> <span class="n">get</span> <span class="s1">'/items/:key'</span> <span class="k">do</span> <span class="c1"># Check if the string is actually present in the file and give a quick message in case this is being opened with a browser. Sinatra returns 200 OK as default.</span> <span class="k">unless</span> <span class="no">File</span><span class="p">.</span><span class="nf">readlines</span><span class="p">(</span><span class="s2">"file.out"</span><span class="p">).</span><span class="nf">grep</span><span class="p">(</span><span class="sr">/</span><span class="si">#{</span><span class="n">params</span><span class="p">[</span><span class="s1">'key'</span><span class="p">]</span><span class="si">}</span><span class="sr">/</span><span class="p">).</span><span class="nf">size</span> <span class="o">==</span> <span class="mi">0</span> <span class="k">then</span> <span class="s2">"</span><span class="si">#{</span><span class="n">params</span><span class="p">[</span><span class="s1">'key'</span><span class="p">]</span><span class="si">}</span><span class="s2"> exists in file!"</span> <span class="k">else</span> <span class="c1"># or return the appropiate http code.</span> <span class="n">status</span> <span class="mi">404</span> <span class="k">end</span> <span class="k">end</span></code></pre></figure> <p>So with a few bits and bolts of Ruby code here and there, here’s my full API example, with three basic verbs.</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span class="c1">#Extremely Simple API with three basic verbs.</span> <span class="nb">require</span> <span class="s1">'sinatra'</span> <span class="nb">require</span> <span class="s1">'fileutils'</span> <span class="nb">require</span> <span class="s1">'tempfile'</span> <span class="c1"># HTTP PUT verb creates an item on the file. Returns HTTP Code 422 if already exists.</span> <span class="n">put</span> <span class="s1">'/items/:key'</span> <span class="k">do</span> <span class="k">unless</span> <span class="no">File</span><span class="p">.</span><span class="nf">readlines</span><span class="p">(</span><span class="s2">"file.out"</span><span class="p">).</span><span class="nf">grep</span><span class="p">(</span><span class="sr">/</span><span class="si">#{</span><span class="n">params</span><span class="p">[</span><span class="s1">'key'</span><span class="p">]</span><span class="si">}</span><span class="sr">/</span><span class="p">).</span><span class="nf">size</span> <span class="o">!=</span> <span class="mi">0</span> <span class="k">then</span> <span class="s2">"Created </span><span class="si">#{</span><span class="n">params</span><span class="p">[</span><span class="s1">'key'</span><span class="p">]</span><span class="si">}</span><span class="s2">"</span> <span class="nb">open</span><span class="p">(</span><span class="s1">'file.out'</span><span class="p">,</span> <span class="s1">'a'</span><span class="p">)</span> <span class="p">{</span> <span class="o">|</span><span class="n">f</span><span class="o">|</span> <span class="n">f</span><span class="p">.</span><span class="nf">puts</span> <span class="s2">"</span><span class="si">#{</span><span class="n">params</span><span class="p">[</span><span class="s1">'key'</span><span class="p">]</span><span class="si">}</span><span class="se">\n</span><span class="s2">"</span> <span class="p">}</span> <span class="k">else</span> <span class="n">status</span> <span class="mi">422</span> <span class="k">end</span> <span class="k">end</span> <span class="c1"># HTTP GET verb to retrieve a specific item. Returns 404 if item is not present.</span> <span class="n">get</span> <span class="s1">'/items/:key'</span> <span class="k">do</span> <span class="k">unless</span> <span class="no">File</span><span class="p">.</span><span class="nf">readlines</span><span class="p">(</span><span class="s2">"file.out"</span><span class="p">).</span><span class="nf">grep</span><span class="p">(</span><span class="sr">/</span><span class="si">#{</span><span class="n">params</span><span class="p">[</span><span class="s1">'key'</span><span class="p">]</span><span class="si">}</span><span class="sr">/</span><span class="p">).</span><span class="nf">size</span> <span class="o">==</span> <span class="mi">0</span> <span class="k">then</span> <span class="s2">"</span><span class="si">#{</span><span class="n">params</span><span class="p">[</span><span class="s1">'key'</span><span class="p">]</span><span class="si">}</span><span class="s2"> exists in file!"</span> <span class="k">else</span> <span class="n">status</span> <span class="mi">404</span> <span class="k">end</span> <span class="k">end</span> <span class="c1"># HTTP GET verb to retrieve all the items.</span> <span class="n">get</span> <span class="s1">'/items'</span> <span class="k">do</span> <span class="n">file</span> <span class="o">=</span> <span class="no">File</span><span class="p">.</span><span class="nf">open</span><span class="p">(</span><span class="s2">"file.out"</span><span class="p">)</span> <span class="n">contents</span> <span class="o">=</span> <span class="s2">""</span> <span class="n">file</span><span class="p">.</span><span class="nf">each</span> <span class="p">{</span><span class="o">|</span><span class="n">line</span><span class="o">|</span> <span class="n">contents</span> <span class="o">&lt;&lt;</span> <span class="n">line</span> <span class="p">}</span> <span class="s2">"</span><span class="si">#{</span><span class="n">contents</span><span class="si">}</span><span class="s2">"</span> <span class="k">end</span> <span class="c1"># HTTP DELETE verb to remove a specific item. With a horrendous hack to recreate the file without the specific key. Returns 404 if the item is not present.</span> <span class="n">delete</span> <span class="s1">'/items/:key'</span> <span class="k">do</span> <span class="o">|</span><span class="n">k</span><span class="o">|</span> <span class="k">unless</span> <span class="no">File</span><span class="p">.</span><span class="nf">readlines</span><span class="p">(</span><span class="s2">"file.out"</span><span class="p">).</span><span class="nf">grep</span><span class="p">(</span><span class="sr">/</span><span class="si">#{</span><span class="n">params</span><span class="p">[</span><span class="s1">'key'</span><span class="p">]</span><span class="si">}</span><span class="sr">/</span><span class="p">).</span><span class="nf">size</span> <span class="o">==</span> <span class="mi">0</span> <span class="k">then</span> <span class="n">tmp</span> <span class="o">=</span> <span class="no">Tempfile</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="s2">"extract"</span><span class="p">)</span> <span class="nb">open</span><span class="p">(</span><span class="s1">'file.out'</span><span class="p">,</span> <span class="s1">'r'</span><span class="p">).</span><span class="nf">each</span> <span class="p">{</span> <span class="o">|</span><span class="n">l</span><span class="o">|</span> <span class="n">tmp</span> <span class="o">&lt;&lt;</span> <span class="n">l</span> <span class="k">unless</span> <span class="n">l</span><span class="p">.</span><span class="nf">chomp</span> <span class="o">==</span> <span class="n">params</span><span class="p">[</span><span class="s1">'key'</span><span class="p">]</span> <span class="p">}</span> <span class="n">tmp</span><span class="p">.</span><span class="nf">close</span> <span class="no">FileUtils</span><span class="p">.</span><span class="nf">mv</span><span class="p">(</span><span class="n">tmp</span><span class="p">.</span><span class="nf">path</span><span class="p">,</span> <span class="s1">'file.out'</span><span class="p">)</span> <span class="s2">"</span><span class="si">#{</span><span class="n">params</span><span class="p">[</span><span class="s1">'key'</span><span class="p">]</span><span class="si">}</span><span class="s2"> deleted!"</span> <span class="k">else</span> <span class="n">status</span> <span class="mi">404</span> <span class="k">end</span> <span class="k">end</span></code></pre></figure> <p>So I’m sure there will be a lot of Ruby experts criticizing how that code is written, to be honest, and taking into account is the first piece of Ruby code I wrote, and that I lifted some examples from everywhere, I’m quite happy with my Frankenstein API.</p> <p>So let’s curl around to see how my API works.</p> <p>If I PUT an item there, it saves it on the file, but of course if the item exists, it won’t allow me to do it again:</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="o">[</span>ncorrare@risa ~]# curl <span class="nt">-vX</span> PUT http://localhost:4567/items/item2 <span class="k">*</span> Hostname was NOT found <span class="k">in </span>DNS cache <span class="k">*</span> Trying ::1... <span class="k">*</span> connect to ::1 port 4567 failed: Connection refused <span class="k">*</span> Trying 127.0.0.1... <span class="k">*</span> Connected to localhost <span class="o">(</span>127.0.0.1<span class="o">)</span> port 4567 <span class="o">(</span><span class="c">#0)</span> <span class="o">&gt;</span> PUT /items/item2 HTTP/1.1 <span class="o">[</span>...] <span class="o">&gt;</span> &lt; HTTP/1.1 200 OK &lt; Content-Type: text/html<span class="p">;</span><span class="nv">charset</span><span class="o">=</span>utf-8 <span class="o">[</span>...] <span class="k">*</span> Connection <span class="c">#0 to host localhost left intact</span> <span class="o">[</span>ncorrare@risa ~]# curl <span class="nt">-vX</span> PUT http://localhost:4567/items/item2 <span class="k">*</span> Hostname was NOT found <span class="k">in </span>DNS cache <span class="k">*</span> Trying ::1... <span class="k">*</span> connect to ::1 port 4567 failed: Connection refused <span class="k">*</span> Trying 127.0.0.1... <span class="k">*</span> Connected to localhost <span class="o">(</span>127.0.0.1<span class="o">)</span> port 4567 <span class="o">(</span><span class="c">#0)</span> <span class="o">&gt;</span> PUT /items/item2 HTTP/1.1 <span class="o">[</span>...] <span class="o">&gt;</span> &lt; HTTP/1.1 422 Unprocessable Entity <span class="o">[</span>...] &lt; <span class="k">*</span> Connection <span class="c">#0 to host localhost left intact</span> <span class="o">[</span>ncorrare@risa ~]#</code></pre></figure> <p>Note that when I try to PUT the item the second time, it returns an HTTP code of 422. By the way, I spent a bit of time researching which should be the right http code to return in this case. I think I got it right but if anyone has a table documenting how to map these, please do send it over.</p> <p>By the way, depending on the sinatra / webrick version, you may need to specify a Content-Length (even if its zero) or you might get an HTTP/1.1 411 Length Required response. It would look like this</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash">/usr/bin/curl <span class="nt">-H</span> <span class="s1">'Content-Length: 0'</span> <span class="nt">-fIX</span> PUT http://localhost:4567/items/item1</code></pre></figure> <p>Now how about a couple of GETs</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="o">[</span>ncorrare@risa ~]# curl <span class="nt">-vX</span> GET http://localhost:4567/items <span class="k">*</span> Hostname was NOT found <span class="k">in </span>DNS cache <span class="k">*</span> Trying ::1... <span class="k">*</span> connect to ::1 port 4567 failed: Connection refused <span class="k">*</span> Trying 127.0.0.1... <span class="k">*</span> Connected to localhost <span class="o">(</span>127.0.0.1<span class="o">)</span> port 4567 <span class="o">(</span><span class="c">#0)</span> <span class="o">&gt;</span> GET /items HTTP/1.1 <span class="o">[</span>...] <span class="o">&gt;</span> &lt; HTTP/1.1 200 OK &lt; Content-Type: text/html<span class="p">;</span><span class="nv">charset</span><span class="o">=</span>utf-8 <span class="o">[</span>...] &lt; item1 item2 <span class="k">*</span> Connection <span class="c">#0 to host localhost left intact</span> <span class="o">[</span>ncorrare@risa ~]# curl <span class="nt">-vX</span> GET http://localhost:4567/items/item2 <span class="k">*</span> Hostname was NOT found <span class="k">in </span>DNS cache <span class="k">*</span> Trying ::1... <span class="k">*</span> connect to ::1 port 4567 failed: Connection refused <span class="k">*</span> Trying 127.0.0.1... <span class="k">*</span> Connected to localhost <span class="o">(</span>127.0.0.1<span class="o">)</span> port 4567 <span class="o">(</span><span class="c">#0)</span> <span class="o">&gt;</span> GET /items/item2 HTTP/1.1 <span class="o">[</span>...] <span class="o">&gt;</span> &lt; HTTP/1.1 200 OK &lt; Content-Type: text/html<span class="p">;</span><span class="nv">charset</span><span class="o">=</span>utf-8 <span class="o">[</span>...] <span class="k">*</span> Connection <span class="c">#0 to host localhost left intact</span> item2 exists <span class="k">in </span>file! <span class="o">[</span>ncorrare@risa ~]# curl <span class="nt">-vX</span> GET http://localhost:4567/items/item3 <span class="k">*</span> Hostname was NOT found <span class="k">in </span>DNS cache <span class="k">*</span> Trying ::1... <span class="k">*</span> connect to ::1 port 4567 failed: Connection refused <span class="k">*</span> Trying 127.0.0.1... <span class="k">*</span> Connected to localhost <span class="o">(</span>127.0.0.1<span class="o">)</span> port 4567 <span class="o">(</span><span class="c">#0)</span> <span class="o">&gt;</span> GET /items/item3 HTTP/1.1 <span class="o">[</span>...] &lt; HTTP/1.1 404 Not Found &lt; Content-Type: text/html<span class="p">;</span><span class="nv">charset</span><span class="o">=</span>utf-8 <span class="o">[</span>...] &lt; <span class="k">*</span> Connection <span class="c">#0 to host localhost left intact</span></code></pre></figure> <p>Please note that GET, of course, if the default action, but I’m specifying it just for documentation purposes. A GET to /items is returning the whole contents of the file, while a GET to /items/specificitem, checks if the items (a string in this case) exists on the file. A GET to a non-existent item returns 404.</p> <p>Finally, let’s delete something.</p> <figure class="highlight"><pre><code class="language-bash" data-lang="bash"><span class="o">[</span>ncorrare@risa ~/puppetlabs/demo/razor]# curl <span class="nt">-vX</span> DELETE http://localhost:4567/items/item2 <span class="k">*</span> Hostname was NOT found <span class="k">in </span>DNS cache <span class="k">*</span> Trying ::1... <span class="k">*</span> connect to ::1 port 4567 failed: Connection refused <span class="k">*</span> Trying 127.0.0.1... <span class="k">*</span> Connected to localhost <span class="o">(</span>127.0.0.1<span class="o">)</span> port 4567 <span class="o">(</span><span class="c">#0)</span> <span class="o">&gt;</span> DELETE /items/item2 HTTP/1.1 <span class="o">[</span>...] <span class="o">&gt;</span> &lt; HTTP/1.1 200 OK &lt; Content-Type: text/html<span class="p">;</span><span class="nv">charset</span><span class="o">=</span>utf-8 <span class="o">[</span>...] &lt; <span class="k">*</span> Connection <span class="c">#0 to host localhost left intact</span> item2 deleted! <span class="o">[</span>ncorrare@risa ~/puppetlabs/demo/razor]# curl <span class="nt">-vX</span> DELETE http://localhost:4567/items/item2 <span class="k">*</span> Hostname was NOT found <span class="k">in </span>DNS cache <span class="k">*</span> Trying ::1... <span class="k">*</span> connect to ::1 port 4567 failed: Connection refused <span class="k">*</span> Trying 127.0.0.1... <span class="k">*</span> Connected to localhost <span class="o">(</span>127.0.0.1<span class="o">)</span> port 4567 <span class="o">(</span><span class="c">#0)</span> <span class="o">&gt;</span> DELETE /items/item2 HTTP/1.1 <span class="o">[</span>...] <span class="o">&gt;</span> &lt; HTTP/1.1 404 Not Found &lt; Content-Type: text/html<span class="p">;</span><span class="nv">charset</span><span class="o">=</span>utf-8 <span class="o">[</span>...] &lt; <span class="k">*</span> Connection <span class="c">#0 to host localhost left intact</span> <span class="o">[</span>ncorrare@risa ~/puppetlabs/demo/razor]#</code></pre></figure> <p>For all intent and purposes, that’s a great API, it even has error checking!. But the best is yet to come, now is time to actually wrap a Puppet module around it. As I’ll be using exec, I’ve to be spot on, around managing errors. Now here’s the kicker… in order for curl to return an HTTP error code &gt;= 400 as an exit code &gt; 0, you have to use the -f parameter in curl.</p> <p>So in this case, I basically created a module (which is available along with the full API code in https://github.com/ncorrare/ncorrare-itemsapi). The key here, is the resource definition:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span class="n">define</span> <span class="n">itemsapi</span> <span class="p">(</span> <span class="vg">$ensure</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="n">validate_re</span><span class="p">(</span><span class="vg">$ensure</span><span class="p">,</span> <span class="p">[</span><span class="s1">'present'</span><span class="p">,</span><span class="s1">'absent'</span><span class="p">])</span> <span class="k">if</span> <span class="vg">$ensure</span><span class="o">==</span><span class="s1">'present'</span> <span class="p">{</span> <span class="nb">exec</span> <span class="p">{</span> <span class="s1">'create item'</span> <span class="p">:</span> <span class="n">command</span> <span class="o">=&gt;</span> <span class="s2">"/usr/bin/curl -H 'Content-Length: 0' -fIX PUT http://localhost:4567/items/${name}"</span><span class="p">,</span> <span class="k">unless</span> <span class="o">=&gt;</span> <span class="s2">"/usr/bin/curl -fIX GET http://localhost:4567/items/${name}"</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="k">elsif</span> <span class="vg">$ensure</span><span class="o">==</span><span class="s1">'absent'</span> <span class="p">{</span> <span class="nb">exec</span> <span class="p">{</span> <span class="s1">'delete item'</span> <span class="p">:</span> <span class="n">command</span> <span class="o">=&gt;</span> <span class="s2">"/usr/bin/curl -fIX DELETE http://localhost:4567/items/${name}"</span><span class="p">,</span> <span class="n">onlyif</span> <span class="o">=&gt;</span> <span class="s2">"/usr/bin/curl -fIX GET http://localhost:4567/items/${name}"</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nb">fail</span><span class="p">(</span><span class="s1">'ensure parameter must be present or absent'</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span></code></pre></figure> <p>That’s it! You know have a new type, to manage an API, which is fully idempotent, so you can basically:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span class="n">itemsapi</span> <span class="p">{</span> <span class="s2">"whatever"</span><span class="p">:</span> <span class="k">ensure</span> <span class="o">=&gt;</span> <span class="s2">"present"</span><span class="p">,</span> <span class="p">}</span></code></pre></figure> <p>or:</p> <figure class="highlight"><pre><code class="language-ruby" data-lang="ruby"><span class="n">itemsapi</span> <span class="p">{</span> <span class="s2">"whatever"</span><span class="p">:</span> <span class="k">ensure</span> <span class="o">=&gt;</span> <span class="s2">"absent"</span><span class="p">,</span> <span class="p">}</span></code></pre></figure> <p>By the way, can you find the references to Sinatra (the actual one) in the blog post? There are two (I think!)</p> Wed, 08 Jul 2015 00:00:00 +0000 /general/puppet/code/2015/07/08/Creating-an-API-with-Sinatra-and-wrapping-Puppet-code-around-it.html /general/puppet/code/2015/07/08/Creating-an-API-with-Sinatra-and-wrapping-Puppet-code-around-it.html