Keynote by Paul Downey - Make things open, it makes them better
Paul Downey from GDS will be delivering this years Keynote to open the event.
Perl: Apparent in Spite of Exaggeration - Mark Keating
Despite much naysay and hyperbole from many camps Perl is still here and waving happily at you from an oft-times hairy corner. We take a fast look at the world of Perl in 2014
So what the heck is happening in Perl? There has been significant discussion on the future, past, relationships and *extensive performances on the Jeremy Kyle show* in Perl's 21st century existence thus far.
With a wanton disregard for most of that noise, a casual familiarity with the concept of code without any express desire to wallow in it, Mark will attempt to enlighten you all on the current shape of the Perl world.
We will look at some of the new projects, some of the changes to Perl, Perl and OO, the culture, the ideology, the best places to dance and how and where to find out more about Perl.
Crowd-Sourcing the Detection of Compromised User Accounts - Stephen Quinney
Until recently efforts to improve system security have been almost entirely focussed on defensive hardening. The basic tenet being that if we build a big enough castle with thick enough walls then no attacker will ever be able to break through.
This defensive strategy has one weak point which is that for any system to be genuinely useful it must permit access to users (i.e. some times we have no choice but to lower the drawbridge and raise the portcullis). Users are only human and thus they will occasionally make poor decisions and genuine mistakes will occur. Consequently we have to accept that, irrespective of the strictness of any security protocol or the amount of care which is taken, the compromise of user accounts is inevitable.
Once we accept that the compromise of user accounts is an unavoidable aspect of running a useful service we are obliged to go beyond a basic digital fortress strategy. In particular, it becomes necessary to augment our approach by monitoring the activity of our users so that we can attempt to identify unusual behaviour patterns.
This talk will discuss various ways in which intrusion detection can be achieved through the monitoring of user activity. We will consider the ethical implications and data-protection issues which could be associated with some approaches. We will also demonstrate a project recently developed in the School of Informatics which we feel successfully achieves this goal by fully involving our users in the monitoring process.
Managing the Pain: Building a centralised authentication and authorisation platform from scratch - Philip Colmer
Beginner's guide to OpenLDAP, SSH keys, SSO, web management and more!
This talk will highlight the lessons learned - the good, the bad and the ugly - while putting together this type of platform consolidation. We'll look at why it was painful and how we managed the pain.
In 2012, Linaro was using Google Apps for email, mail groups and more, along with Canonical's Launchpad system for single sign-on, SSH key management and login authorization. Other systems used their own authentication mechanisms.
There was a significant amount of pain being experienced because of the duplication of effort managing group membership across everything. SSH key management that relied on scripts running on servers to pull keys off Launchpad which caused problems for end users if they updated their keys and the scripts didn't re-sync.
A 6-month project consolidated all of that into a single authentication and authorisation service running OpenLDAP at the heart with other tools to ease management and provide single sign-on. SSH access to servers now integrates with LDAP and SSH keys are queried dynamically.
Copies of in-house scripts produced to help overcome some of the shortfalls and keep the data in-check will be made available.
Building the ultimate test network? - David Griffith
In this talk I hope to show how a network for testing Infrastructure can be built with minimal risk to production services.
One of the biggest issues facing us in testing Infrastructure changes is the inability to deploy production configuration data, i.e. IP addresses VLAN tags etc in the test network without risking the production services.
The first step towards this has traditionally been a completely isolated network, however with more and more services moving towards the Cloud this approach has its drawbacks. Isolation also flies in the face of the remote working practices many of us currently follow.
Secure Automated Connections with ssh - David Proffitt
- Protecting the port: If we know where legitimate traffic will come from then we can drop any other connections right at the network layer.
- Protecting the daemon: The host is correct but we can restrict the connections even further in the ssh daemon's configuration.
- Protecting the key: We will look at the benefits of using private/public key pairs and the methods available to protect the keys and limit the impact if they should fall into the wrong hands.
- Protecting the user: We will look at the advantages of creating dedicated user accounts for specific tasks and limiting them to those tasks alone
Evolution of a Continuous Delivery Pipeline - Jack Knight
Shaving Seconds from the Scripts
Our CD pipeline has now been in existence for over 2 years, and while many improvements have been made, and indeed complete swapouts of some major components have been done to adapt it to our requirements, which are complex because of the number of international jurisdictions we operate in and the sheer amount of country specific legislation we have to comply with.
The talk will follow the journey from inception, learning from the mistakes we made, evolving it, controlling and combating the technical debt which builds up over time and future aspirations.
Topics addressed will include:
- System design
- Product selection
- Dealing with legacy systems
- Provisioning Infrastructure with an eye for ease of future migration
- Managing Technical Debt and "Script Sprawl"
- Instrumentation and Performance Management
Incident Response - Simon Biles
When you find that you've lost your paddle and you are up the creek.
Things go wrong, it's a fact of life. Sometimes those things are natural disasters, sometimes they are user error and sometime, just sometimes, someone has it in for us. In any scenario the correct management and handling of the situation is imperative for fear of making things worse than they need to be.
During this talk, I'd like to establish with the audience the ground rules for dealing with incidents. Covering off:
- Planning for an incident
- First Responders
Is there really a "Golden Hour" & the importance of Triage
- Forensic Readiness
- Convening a Team ( possibly of one ! )
- Handling the Fall Out
- Business Continuity and the "Biles Hierarchy of Needs"
- Leveraging the Management Buy-In for Security Improvement
This talk will cover both technical and managerial skills required at the coal face when there is an issue and all other bets are off.
Icinga 2: Redesigning Monitoring - Bernd Erk
Most sys admins have a love-hate relationship with Icinga/Nagios based monitoring solutions. Utilitarian and backed by a sizeable community, users have learned to live with shortcomings in scaling, configuration and integration with tools common to modern architecture.
After tiring of fiddly hacks and convoluted configs, the Icinga team decided to build a new, accessible and flexible core. Icinga 2 was born – infinitely and easily scalable, even as a cluster-ready solution, with load balancing, automated replication and business process monitoring out of the box.
This talk will present Icinga 2’s innovative multi-threaded architecture and explain how it allows countless clusters of monitoring instances to run at speeds as yet unseen, all while minimizing maintenance. It will demonstrate how popular tools such as Graphite, Logstash and Puppet integrate better and easier than ever before. A live demo will follow and well as a look into development plans to come.
Growing from a little Xen to a fully fledged OpenNebula Cloud - Bernd Erk
As companies turn to the Cloud, many discover the challenges of transforming an IT landscape. To save others from falling into the same traps, this presentation will share the story of a managed services provider’s long and hazardous journey into the cloud.
With 20+ customers, hundreds of applications across multiple continents, NETWAYS’ OpenNebula based cloud has been running at 99.99% availability for years now. This talk will trace the development of a multi-tenant cloud infrastructure from its beginnings and mishaps in XEN to today’s OpenNebula, Puppet, monitoring, backup and accounting amalgamation. It will share insights made along the way, considerations for infrastructure design, and the various steps taken to achieve the final cloud setup and integrated subsystems NETWAYS uses today.
Serial Consoles in the age of IPMI - Alex Owen
Managing IPMI and KVM consoles via tmux and con log
In the age of RS232 serial consoles tools like conserver were available. These tools gave us multi-user network access to the serial console and also allowed all console activity to be logged to file possibly via syslog.
In the age of IPMI we have ipmitool. Although this tool is functional it lacks the logging and multiuser aspects that conserver provided. Without an obvious off-the-shelf solution conlog was born: https://github.com/raowen/conlog
Conlog uses tmux to provide multiuser access to an ever running ipmitool and logging of all activity on that ipmi console. Further a handy power menu is provided in a second tmux window.
Conlog has been successfully hosted on the rather nice dreamplug hardware providing managed access and logging to over 35 IPMI consoles.
There are further plans to add KVM virsh serial console support in future.
MySQL PERFORMANCE_SCHEMA The Missing Manual - Valerii Kravchuk
PERFORMANCE_SCHEMA in MySQL 5.6 can be used to pinpoint reasons of most typical performance problems MySQL users may encounter, but even though it's a mature technology now and many use cases are explained both in the manual and numerous blog posts and presentations, some important details are still missing.
I'll try to cover both "best practices" related to PERFORMANCE_SCHEMA and obscure and incompletely documented details during this session. It should become both a good starting point and "How To" reference for every engineer who tries to find out how to get extra details about the MySQL performance problem encountered.
SELinux : pain or gain - Toshaan Bharvani
SELinux Introduction and Policy Generation
This presentation gives an introduction of what SELinux and to different types of enforcement and how MLS can create more isolation, to allow applications, daemons, virtual machines or other processes to be segregated from each other. Some simple examples using libvirt, nginx, httpd, php allows you to keep each separated and goes a step further than chroot. Policy generation, custom policies and adjustments of the label and category types are also explained.
State of PostgreSQL Database - Simon Riggs
Latest news from the PostgreSQL database project, including technical overview of features in most recent production release (9.3) and development releases (9.4). Simon is the UK Press Spokesperson for the PostgreSQL database project and a Major Developer.
What's New in OpenLDAP - Howard Chu
The Lightning Memory-Mapped Database was introduced at the previous LDAPCon and has been enjoying tremendous success in the intervening two years. The success of LMDB has led down many different paths:
- Use of LMDB eliminated bottlenecks at the database level but revealed the presence of other bottlenecks in the slapd code. Recently a number of these other bottlenecks have also been removed, yielding even greater performance gains.
- LMDB has proved to be a superior database engine for many other projects and uses, and its adoption outside the OpenLDAP Project continues to grow.
Use of LMDB in !NoSQL projects like HyperDex presents us with the opportunity to again address horizontal scaling, replacing the previous work on back-ndb with a clustered backend that uses OpenLDAP technology at both the highest and lowest layers of the solution.
The talk will discuss some of the internal improvements in slapd due to LMDB, as well as the impact of LMDB on other projects. Also the new HyperDex backend will be presented, along with new work on Samba4 integration.
Consistent Backups using Snapshots - David Proffitt
In this talk we will look at three technologies that provide mechanisms for making atomic snapshots of your data and how this can be used as a basis for your backup strategy.
Depending on your setup you may be able to use a combination of the snapshot mechanisms provided by:
- Logical Volume Management
- MD software RAID
- KVM Virtual Machine Images
Deploying OpenStack with OpenStack - Chris Jones
A primer on the TripleO project
What is OpenStack, how complex is it?
What is TripleO (OpenStack on OpenStack)?
- Who is working on TripleO?
Why do we need yet another way to deploy OpenStack?
How TripleO uses Continuous Integration and Continuous Delivery to deliver clouds that do not lag upstream OpenStack releases by months/years
- How a TripleO deployment works
- How our tools compare with the competition
- Tying everything together with Heat
How TripleO will deliver High Availability for your OpenStack cloud
- Upgrading a running cloud
This is the future of deployment for OpenStack. We are a vendor/distro agnostic group who are building the tools and procedures needed to take bare metal hardware and deploy OpenStack to it using OpenStack itself.
By using OpenStack components such as Nova-baremetal, Neutron and Heat, along with standard technologies such as PXE/IPMI, and some tightly focussed tools we have developed (such as diskimage-builder and os-*-config), a two layer cloud is constructed, with the "undercloud" managing your hardware and the structure of your cloud and the "overcloud" being a fully virtualised user-facing cloud.
If you have any interest in building and maintaining a private cloud infrastructure, this is the talk for you!
LDAP Benchmarks and their implications - Jillian Kozyra
There are many LDAP products out there to choose from, and overall performance and ease of setup and configuration are several factors that can impact the decision of which product to use. This talk will focus on a series of benchmark tests that Symas has run on the most recent releases of a number of these products over the last several months, particularly their results and implications for the development community as a whole. The benchmark tests, which were conducted using the SLAMD tool, measure read, write, authorization, and simultaneous read/write performance for a dataset containing 10 million entries. Load time and database size on disk were also recorded, and each product was tuned according to its documentation in order to optimize its performance. Due to the ubiquity of virtualized environments in modern data centres, a small VM configuration was used for the tests instead of the larger physical machines used in previous tests conducted by Symas. OpenLDAP performed the best overall under the test conditions, and a further discussion and analysis of the results will be presented. The tests also identified the need for a properly maintained benchmarking tool now that support for SLAMD has been withdrawn and the project allowed to languish despite its value.
Continuous Delivery of your Infrastructure - Kris Buytaert
Software developers are adopting continuous deliver for their software. But infrastructure people can do the same.
We'll be explaining how we do continuous delivery of (Open Source) based Infrastructures. How we learned more about Jenkins than the application developers. But also about the pitfalls of Continuous Delivery
Building and Deploying MediaSalsa - Kris Buytaert
Deploying an Open Source DAM in SAAS Mode,
With development teams in The Netherlands and Kiev and Operations people in Belgium, building this platform was a nice exercise in distributed devops adoption.
This talk will share our experiences with you, from teaching developers to being taught by developers.
From automated Drupal deployments and continuous integration to Infrastructure as Code. From Success to Failure and back.. including the obvious DNS problems.
It took us about a year to go from concept to actual continuous delivery, a year in which we learned a lot, automated a lot and measured a lot. A year in which we build and rebuild dashboards, learned about the behaviour of our platform, fought with ffmpeg, in which we destroyed and created full new platforms (in approx 4 hours) and used mcollective to trigger drush commands.
A year in which we learned about Culture, Automation, Metrics and now we want to Share ... slides are available at www.slideshare.net/KrisBuytaert/building-and-deploying-mediasalsa-an-open-source-dam-as-saas-platform
When dynamic becomes static : the next step in web caching techniques - Wim Godden
Tools like Varnish can improve scalability for static sites, but when user-specific content is needed, a hit to the backend is still needed, causing scalability issues. We'll look at a new Nginx module which implements a fast and scalable solution to this problem, changing the way developers think about designing sites with user-specific content.
MQTT for sysadmins - Jan-Piet Mens
In spite of being the new hotness for the Internet of Things, MQTT is very useful for system administrators (and, of course, you need a good excuse to hear this talk, which is why we say system administrators!
We discuss what MQTT is, what it can be used for and how you can put it to good use. And we'll also talk gadgets and stuff, of course!
Photon - Andrew Stribblehill
Photon is a Google-scale system for merging two realtime streams of data reliably, without routine maintenance, quickly and without pausing for datacentre-level catastrophes. We discuss the architecture and how we made it both fast and stable.
Configuration Management with Ansible - Jan-Piet Mens
Ansible is a simple configuration management and command execution framework for "push" and "pull" deployments for Unix/Linux systems using an existing SSH infrastructure. It's particularly easy to deploy because neither does it require an "agent" on managed nodes (a newish implementation of Python suffices) nor does it require a complex PKI. We show you how to quickly get started using Ansible for ad-hoc tasks, discuss some of its modules and introduce you to Ansible's playbooks and variables. We show you how to run Ansible as a normal user (non-root), how to configure inventory data, and give you sundry tips on using Ansible effectively. If you prefer a pull-based setup, we show you how to implement that as well. We'll discuss roles, use of variables and lookup plugins.
Devops Logique - Matt S Trout
?- predictable(reality). false.
?- theory = practice. false.
Most of us already owe prolog a debt indirectly via erlang.
However, logic programming in and of itself has much to teach us about approaches to systems - taking declarative system descriptions to a new level of abstraction, and finding ways to integrate these ideas back into more common workflows.
From prolog to erlang to haskell to lisp to tcl and then back to prolog I have journeyed, and I'd like to share some of the beautiful and brilliant things I've discovered along the way and why I think they might make us better operations geeks.
And when approaching new languages, always remember: You can't scare us, we've used m4.
Google Compute Engine (GCE) enables developers to build cloud infrastructure networks on a truly massive scale. GCE includes a dedicated API we well as utilities to aid in development and administration as part of the Google Cloud SDK. Ansible is the one of the newest in a number of open source orchestration and configuration management tools that helps in automating not-only the management and orchestration of servers or instances as well as complex configuration management of operating system and application software over SSH. Used in combination Ansible and Google Compute Engine allow you to very quickly build highly detailed and large scale networks of computing resources with minimal human intervention. This talk will demo the initial setup of Ansible on Google Compute Engine as well as demonstrate some sample use cases.