
Managed Chef in the Cloud: Introducing AWS OpsWorks for Chef Automate


Formal metadata

Title
Managed Chef in the Cloud: Introducing AWS OpsWorks for Chef Automate
Series title
Number of parts
45
Author
License
CC Attribution - Share Alike 3.0 Unported:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unaltered or altered form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner they specify and pass on the work or this content, including in altered form, only under the terms of this license.
Identifiers
Publisher
Year of publication
Language

Content metadata

Subject area
Genre
Abstract
Did you know you can buy Chef Automate directly from AWS? AWS OpsWorks now offers managed instances of Chef Automate with easy setup, scheduled backups and upgrades, native API endpoints, and hourly per-node billing. This talk will include the basics of Chef Automate, AWS OpsWorks features and benefits, and a live demo.
Transcript: English (auto-generated)
Good afternoon everyone and thanks for coming to this session. Sean and I are very excited to talk to you about OpsWorks for Chef Automate and what it's all about. Just a very quick note, I am a solution architect
at AWS and I work predominantly with the ISV partners like Chef. And Sean, who is going to be my co-presenter, he's a solution architect for Chef. So what do we expect to cover in this session? Well, hopefully we're going to give you an overview
of configuration management and how do we do infrastructure as code, right? And a lot of us at Chef Conference talk about codifying your environment with the advent of the cloud and the scale and agility that we need. It's a very important element and we're going to talk a little bit about that. We're also going to share with you how
AWS can help with your journey in configuration management, mainly to help save time and hopefully, no surprises as mentioned in the keynote, right? IT with no drama. And lastly, discover some of the best practices of how to set up the infrastructure,
who's going to create configurations and applications of your environment, leveraging some of this infrastructure as code technology. So a bit of background. Moving to the cloud in AWS allows provisioning in many different new ways. In the old days, infrastructure has been fairly static
and I've been in IT for quite over two decades now and I remember I used to manage data center build-outs and it was a lot of effort to support a business unit's requirements. It could take anywhere from six months very optimistically up to 18 to 24 months
sometimes to get the environment required and that includes all the approvals, includes getting the right servers and God forbid, you get the wrong SKU, you got to ship it back and wait for it to come back. Today, you could scale a whole infrastructure in minutes to support a major bank and if you want to go global,
for example, you could go global in minutes too and people have done that. So scale can be achieved without very complicated capacity planning and management and that itself used to have a whole room of people just doing capacity planning in a traditional large enterprise.
Infrastructure can also switch on the dime. So in the old days, if you buy the wrong server types, wrong processors, wrong memory, wrong storage, it's kind of a change order and you probably have to write off some of those investments and get your vendor
to send you new infrastructure. Today, you could pivot on a dime by saying, hey, this is wrong SKU, let me try this one and you can then do all your performance testing and load testing to see if that's the right server configuration for the workload that you're trying to run and it provides a very fast-moving, action-orientated
kind of business work environment and makes the IT job a lot more exciting, but there might be challenges and that's why we talk about configuration management. What is it typically? I mean, this term has been around for a long time. It's really maintaining the configuration of your environment, but for purposes of today's talk,
we want to say that it's a practice which we use code, right, to define and maintain the state of both your new and your existing resources throughout the entire lifecycle from cradle to grave of the environment. And why do we need it?
Well, if you think about it, I kind of gave a little bit of a preview earlier. Wouldn't it be nice if you have a complex environment, especially if you're spanned across multiple geos, time zones, to have a single place where all your configuration is stored for your enterprise apps and systems,
and then you can spin up blank resources anytime you need to, right, and they work perfectly every time. Wouldn't that be an IT manager's dream, right? Make changes, single place, and propagate everywhere. So change once, propagate everywhere, right?
That's kind of a great thing. And also, traditionally in IT, there's always this concept of having segregation between dev, stage, test, and also production, right? And depending on the complexity of the environment, they might skip a few. Like some web-based companies,
they literally go from dev to implementation and do AB testing on the fly. We've seen that nowadays. But traditionally in the old days, there's always this period where you quarantine your new apps or new code, right? Wouldn't it be nice if I had the ability to create and mimic an entire environment for testing?
And I'll give you a great example. Due to the advent of IT security, and we all heard in the keynote things like Shellshock, Heartbleed, WannaCry. There's a lot of security concerns nowadays, and your company execs can go to jail
if they fail some of these audits, like Sarbanes-Oxley 404, for example. So sometimes they have a requirement to do a testing, a pen test of the environment, you know, periodically. Could be three months, six months, depending on the industry you're in. In the old days, you had to maintain pretty much a cold site where it mirrors all the same systems
you have in production, and then you allow the pen testers, or the auditors, or the compliance officers to go and review the environment because you don't want to kind of create issues pen testing a production environment where you have live customers. But that was expensive.
Nowadays, with the cloud, you can actually, because you have the whole configuration of your production environment all codified, you can spin up on the fly, entire right for life environment, allow your reviewers or pen testers, whichever they are, to go out and survey and test the environment. If there's any changes documented,
go back and change your code again, and guess what? You have now a newly compliant environment, and you guarantee it's perfect every time you run it. So that's kind of one of the great things about the advent of the cloud, is it creates this level of agility because even if you were not, you know,
cloud and you were doing kind of like hosted services, you still need the underlying infrastructure to support it. So once your environment is spun down, those systems sit idle. Whereas in the cloud, you give it back, and you bring it up again when you need it next time. So that's a great use case that I've seen a lot, especially in the financial or heavily regulated industries.
So moving on, some of the configuration assets that people have to deal with include things like compute resources, operating systems and host configuration, application configuration. And some examples of compute, I mean this is not a comprehensive list,
but just to give you an idea, that's why there's dot dot dot at the bottom, EC2, compute, match services, you know, for on-prem. You could have a whole bunch of operating system configuration files, whether it's host file for Unix or a Windows machine, down to a registry key, right?
Down to packages, file systems, those are examples of OS and host configurations. And most importantly also the apps configuration, where you might have dependencies that you need to take care of, because God forbid you updated the app and you forgot to update the dependency, it doesn't run, right?
Service restorations, credentials, all these things can be part of configuration management sphere of control. And also bear in mind, the fact that we're running at cloud speed nowadays and at high scale, doesn't mean that it configures itself, right? There's a need for us to package updates,
testing of new software or installations, configurations, environments, specific changes, I mean there's a whole bunch of things that we need to do. And on top of that, we need to be on top of how our environment runs, because we all want to go home at night, right? We don't want our PagerDuty to go off, we want to have a good night's sleep, right?
Especially on a holiday, that's where things usually go wrong, right? And we would like to be able to be a lot faster in the way we handle the environment, right? Ongoing management also requires proper tooling, right? And we're all here at ChefConf because we all want to learn from each other
and see what the industry is bubbling up in terms of latest and greatest innovations in this area. And you heard from the keynote some of the great things that Chef is bringing to the table and some of the aspirational stuff that showed us a very cool demo this morning, which I'm sure in the near future will become a product.
And so some of these things, examples of things that you have to deal with is Vio's configuration, right? Across, you know, different stages of production of prod or dev, installing packages or even doing an LDAP config, or maybe removing SSH for some users
that have left the company or are no longer on the team, right? All these are examples of continuing changes. So the question now is, what tools can we use to tackle this challenge? Well, surprise, surprise, we're in ChefConf, so I'd like to bring on Sean to talk about Chef. Thanks, Doug.
Hello, everyone. My name is Sean Carolan. I live here in Austin, Texas, and I'm a solutions architect with Chef Software. A couple questions before we start. Who's first time in Texas? Okay, cool. Who's first time in Austin? First time at ChefConf? Wow, a lot of hands. Welcome.
It's not often I get 1,200 friends coming to town, so welcome to Austin. We're glad you're here. Let's talk a bit about Chef Automate. You saw some this morning. You probably know a little bit about it. What is Chef Automate? So Chef Automate is our commercial offering. You all know we have Open Source Chef,
which you can download. And just out of curiosity, who's using Open Source Chef today? Who's using Open Source Chef in production? All right, great. Who's using Chef Automate in production? All right, that's probably why you're here. You'd like to know more about it. Chef Automate works with your Open Source Chef server.
So the Chef server that powers Chef Automate, it's no different than the Open Source one that our community uses. We're very strong believers in Open Source, and we're going to continue to support Open Source. That way you don't have to feel locked in. You can use Chef. We prefer you pay us for it. We would love that. So I'm going to show you some features
that will explain some of the benefits of Chef Automate. As always, you can use it to consistently install, configure, manage, deploy your infrastructure and apps. Chef is very good at that. But we have some new features that you might not have been aware before that Chef can also do.
Those features are things like compliance. So compliance scans, you can scan and remediate for audit and compliance issues. We also have a nice graphical view, so a GUI dashboard. You can do alerts. And we also have a workflow tool, so CI/CD. You want to move fast but safe.
So when you build a car, we expect a modern car to have things like airbags, seat belts, safety features. And the same thing applies to delivering software at speed. If you want to deliver features and bug fixes quickly but safely, you've got to have a lot of testing and safety measures in place to achieve velocity
while avoiding risk. This will be review for many of you, but these are a couple of examples of Chef recipes. On the left, you have a Windows recipe, so we're setting up IIS. And on the right, we have a very similar recipe for configuring Apache on a Linux server.
So the Chef DSL, or domain-specific language, works equally well on Windows or Linux, even Solaris and AIX, if you have those flavors of OS. Mac OS, too. Some folks configure their laptops using Chef recipes and cookbooks.
So the basic idea is you collect a bunch of resources together, much like Lego building blocks or Tinker Toys, put them in the right configuration, hand that code over to the Chef client, and let the client do the work for you. So we want to take the boring work and give that to the computers.
Let the robots do what they're good at. Free up your humans to do more interesting tasks. Chef uses a pull architecture. So if you're fairly new to Chef, we have an agent running on every single machine, and that agent, most of the time, is sort of quietly waiting for new instructions.
But every half hour, the Chef client wakes up and it calls home and says, hello, Chef server, do you have any new instructions for me? At that point, if there are any new policies or recipes, the client will pull those down and apply them on the local node. So every half hour, your machines get a refresh
or a check to make sure that everything you said should be a certain way on the box is put that way. If Chef can't fix the problem, if there's some sort of configuration drift, it will throw an error and optionally alert you. So great for managing small or large numbers of machines.
And it's continuous, right? So you can run the Chef client every 30 minutes, or even more often if you wanted to. Chef client only makes changes when it finds something wrong or something that needs to be fixed. So with Chef Automate, you also get support for community tools.
The Chef DK is one of those tools. That's our Chef development kit. And the Chef development kit comes with a lot of great tools for testing. So testing your code, testing machines that you built with that code, testing for security, QA purposes, all that you can do with what's included in the Chef DK.
InSpec is one of those tools. So you might have seen some of the InSpec tracks. If you don't, take a look at InSpec. InSpec is for compliance what Chef is for configuration management. So we say infrastructure is code. Now we also have compliance as code.
So you can describe all of your security, audit, and even QA requirements using InSpec. We have a language now that is both machine and human readable. So InSpec recipes can be used to audit everything you built with Chef. Now, the question may be, why do I need to have a separate auditor?
If the Chef client ran and it didn't error out, doesn't that mean that everything's okay? Not exactly. It's akin to saying that, yes, I always get A's on my homework. I have a daughter, and she's working to get good grades. I know I get A's every time because I grade the papers myself.
Right? This is what you might call a conflict of interest if you ask the lawyer for some advice on that. You have to have a separate auditor come in to verify that what was built was actually correct. So there's a difference between, hey, Chef ran correctly, and the machine that Chef built is meeting these standards.
Does that make sense? So that's where InSpec fits in. Knife. You might notice a cooking theme. You are here at ChefConf, so if you don't like food-related things, I'm sorry. I'll just keep talking until I hear your stomachs rumbling. Fortunately, you've had some lunch. Anyone get to try the barbecue yet?
Here? Okay. There's lots of great places, walking distance. Very hard not to find barbecue in Austin, Texas. If you want to wait at Franklin Barbecue, that's sort of the most famous one. Have you heard of Franklin? Yeah, but you've got to get up at like 4 in the morning to do it, or pay someone to do it for you.
Chef client, of course, we talked about. That is the software agent that lives on every machine. And then we have a huge library of community cookbooks and recipes. So I like this because I'm lazy. I was a sysadmin, and I don't like to do work that is unnecessary or that someone else has already done. Let's say you needed to install Java
on a Windows or a Linux machine. I could certainly write a new Chef recipe to do that, but the good news is the Java cookbook is great. It's already been written. It's well maintained. It will install nearly any flavor of Java that you need with all of your options that you could imagine are available to you.
Why would I go reinvent the wheel? So many, many cookbooks are available on our supermarket site. If you just search for Chef supermarket, you can find it. And all sorts of standard application frameworks, different packages are available there. And then finally, Test Kitchen, which
is my very favorite tool. Who's heard of Test Kitchen? Quick show of hands. OK, good. That's more than it was last year. Who's using Test Kitchen? All right, nice. Isn't that neat? I wish I'd have had Test Kitchen 10 years ago. It would have saved me a lot of time and trouble. Spin up a machine very quickly, write some code,
and test it right then and there on that machine. And that machine looks a lot like your production machine. And if you use the same Chef cookbook to build the Test Kitchen instance that you use in production, you have a lot of confidence that the changes you make inside your test environment are going to be OK when you push them out to production.
So support for all these tools is included with Chef Automate. You get visibility into the state of your nodes. So you may have seen some of these graphs in this morning's demos. Nice visibility. We have a CI/CD pipeline. You can simply drop a Chef cookbook in one end, and immediately you get things like code review.
It's amazing how code review is not really a thing in the ops world so much. Developers understand this. They're pair programming and doing all this stuff. But the idea of treating code or infrastructure as code for a lot of organizations is fairly new.
When I was a sysadmin, my idea of testing was the monitoring light is green, and I'm going home because nothing's broken. That was our test, right? That's not enough, especially in 2017. If you're describing your infrastructure as code, you can use all of the things that the application world
has used for many years, like unit tests, lint tests, syntax tests, and, of course, simple code reviews. One of the easiest ways to decrease risk and increase safety is to have another pair of eyes look at that code before you. Does this look OK?
Should we push this change or not? So all that's included in the CI/CD pipeline of workflow. And then, of course, compliance. You can run scans, compliance scans, on every single machine in every environment in your infrastructure every time Chef runs. Now, think about it for just a moment,
how powerful that is. Anyone remember that little security incident we had about a week ago? WannaCry? It didn't make anyone want to cry? Any ops folks in the room? I have another slide with the big ransomware window on it, and it's kind of a trigger moment for some people. They get really angry.
That kept me up all weekend. Does anyone know when the patch for WannaCry came out? March. Yeah. And what if you only patch once a quarter? That's a problem, right? If you patched in February, then the patch for WannaCry came out in March. That's just too long.
You can't wait three months to patch your systems anymore, not in this day and age when so many machines are exposed to the internet and may potentially have vulnerabilities. And even if your machines are reasonably secure, someone else's machine could come infect your machine. What was the vector for WannaCry?
SMB protocol 1, SMB version 1. So someone out there had port 139 and port 445 exposed to the internet. It only takes one, right? Once that worm or trojan gets behind the firewall, it's game over usually, because most organizations
have that egg shell method of security. Very hard outside, squishy middle. So instead of patching once a quarter, what if you could patch every day? Or what if you could scan every half hour and know, within a half hour, what are my patch levels? So we call this continuous compliance.
We want to, at any moment in time, know exactly what the state of all our machines are. So that's a bit of overview and background of Chef Automate itself. Now we're going to talk a little bit about AWS OpsWorks and what managed Chef Automate looks like.
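As an editor's added example (not code from the talk, Chef or AWS), the continuous-compliance idea above written as plain Ruby checks: each node is scanned for the WannaCry exposure conditions Sean names (SMB ports 139/445 bound on all interfaces, SMBv1 on) and for how many days a patch cadence leaves a published fix unapplied, the talk's "patched in February, fix released in March, quarterly cycle" case. The `ss` output, the SMBv1 flag, the dates and the field names in `SAMPLE_NODE` are constructed sample data.

```ruby
require 'date'

# One result from a scan of a single node.
Finding = Struct.new(:control, :severity, :message)

# TCP ports the WannaCry SMB vector used, as named in the talk.
SMB_PORTS = [139, 445].freeze

# Wildcard bind addresses: a listener bound here is reachable on every interface.
WILDCARD_ADDRS = ['0.0.0.0', '*', '[::]', '::'].freeze

# Parse `ss -ltn`-style output into [bind_address, port] pairs for LISTEN sockets.
def listening_sockets(ss_output)
  ss_output.each_line.map do |line|
    cols = line.split
    next unless cols[0] == 'LISTEN' && cols[3]
    addr, _sep, port = cols[3].rpartition(':')
    [addr, port.to_i]
  end.compact
end

# Control 1: no SMB port may be bound to a wildcard address.
def check_smb_ports(ss_output)
  listening_sockets(ss_output)
    .select { |addr, port| SMB_PORTS.include?(port) && WILDCARD_ADDRS.include?(addr) }
    .map { |addr, port| Finding.new('smb-ports', :critical, "tcp/#{port} listening on #{addr}") }
end

# Control 2: SMBv1 must be off. `smb1_enabled` is the node's reported state
# (constructed here; a real scan would read it from the OS).
def check_smb1(smb1_enabled)
  smb1_enabled ? [Finding.new('smb1-disabled', :critical, 'SMBv1 is enabled')] : []
end

# Control 3: days the next scheduled patch run leaves a published fix unapplied.
# Patch runs happen every `cadence_days`, counted from `last_patched`.
def exposure_days(fix_released, last_patched, cadence_days)
  gap = (fix_released - last_patched).to_i
  return 0 if gap <= 0                          # fix already existed at the last run
  runs_until_fix = (gap.to_f / cadence_days).ceil
  next_run = last_patched + runs_until_fix * cadence_days
  (next_run - fix_released).to_i
end

# Run all three controls over one node's facts and return the findings.
def scan_node(facts)
  findings = check_smb_ports(facts[:ss_output]) + check_smb1(facts[:smb1_enabled])
  days = exposure_days(facts[:fix_released], facts[:last_patched], facts[:cadence_days])
  if days > 0
    findings << Finding.new('patch-window', :high,
                            "fix stays unapplied #{days} days on a #{facts[:cadence_days]}-day cadence")
  end
  findings
end

# Constructed sample node: SMB bound on all interfaces, SMBv1 on, quarterly patching,
# last patched before a March fix release (dates are illustrative, not from the page).
SAMPLE_SS_OUTPUT = <<~SS
  State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
  LISTEN 0      50     0.0.0.0:445         0.0.0.0:*
  LISTEN 0      50     0.0.0.0:139         0.0.0.0:*
  LISTEN 0      128    127.0.0.1:22        0.0.0.0:*
  LISTEN 0      50     [::]:445            [::]:*
SS

SAMPLE_NODE = {
  ss_output: SAMPLE_SS_OUTPUT,
  smb1_enabled: true,
  fix_released: Date.new(2017, 3, 14),
  last_patched: Date.new(2017, 2, 10),
  cadence_days: 90
}.freeze

if $PROGRAM_NAME == __FILE__
  scan_node(SAMPLE_NODE).each { |f| puts "#{f.severity.upcase} #{f.control}: #{f.message}" }
end
```

Re-running `exposure_days` with `cadence_days: 1` returns 0 for the same dates, which is the point of scanning every Chef run instead of every quarter.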
So I'm going to hand it back over to Doug. Thank you, Sean. So first, he makes us hungry. We're talking about barbecue, and then he makes us want to cry. So here I'm going to talk about AWS OpsWorks for Chef Automate.
You heard this morning's keynote. How many of you were in the keynote this morning and heard Scott's talk on that? So this is basically, we hope, is the place where customers would go for configuration management on AWS. Can I just have a quick show of hands? How many of you are actually AWS users? Great.
Thank you. Good amount. I know a lot of customers have different variants, and you have a lot of on-prem as well. But the good thing is, with OpsWorks, Chef Automate, you can actually not just manage AWS. You can manage on-prem as well. It's a fully managed Chef Automate server. And it's a partnership.
It's a deep partnership between Chef and AWS. And the product that we ship is called OpsWorks. So the question is, how do you create an AWS-managed Chef server? It's basically just a couple of clicks.
And you can typically get it up and running within 10 minutes. There's not a lot of parameters you need to set up. So here on the screen, you can see. You give it a name for your Chef Automate. You select a region. At the moment, we support three regions, two in US and one in EMEA.
We will add more based on customer feedback and demand. And then you choose the instance size that you want to run. And at the bottom, we have some little helpers to give you an idea of how many nodes it will support based on the machine size and type that you choose.
From there, what else do you need to set up? Well, setting up a maintenance window so you know when you want the maintenance to happen. Remember, as Sean mentioned, you get automatic security updates for Chef Automate. You also get automatic Chef version upgrades as well.
So both of those are taken care of. And you decide when is your window. For example, you can say that I want to have a once a week maximum up to an hour. And you set it up, and then the next time you need to revisit this page is if you want to make a change to it. So what else is left for you to do?
Back up. What else can you set up? Well, you can set up your backups and daily, weekly backups. This is an incremental backup. So it's non-disruptive.
And it backs up things like your cookbook recipes, your roles, you collected node information across your enterprise, and you decide how often you want to back up. And you also decide how many generations of the backup you like to keep. Most customers typically choose around 10 versions,
but it's really up to you in how you want to configure it. The maximum is 30 based on the system. What else is there to do? Well, nothing much actually. It's a fully managed, configuration management is a mouthful for a service.
It does the backups for you. It does the updates for you. It does the Chef version upgrades as well. All you have to do is focus on writing cookbooks and focus on operating the environment and focus on not getting paged. What other benefits are there from this service?
Well, it allows automatic instance to Chef server registration. And as Sean mentioned earlier, there's things like people have used knife, like kitchen sink, all those things that you guys use. It's all part of this instance.
You just run it. You can secure and scale with auto-scaling groups. There's no separate licensing fee. You pay as you go. I'm not going to talk too much about it because it was covered a lot in the keynote this morning. And it supports both EC2 and on-prem and API endpoints for auto-scaling and management.
And most importantly, it also includes all the best practices and AWS support and guidance as well because this is an AWS supported offering. What can you use this for? Well, examples are bootstrapping EC2 instances
with correct configurations, not update your running instances, assure that instances comply to pre-existing policies, automate auto-scaling applications. My favorite feature is the compliance feature with audit scans,
and up to every 30 minutes if you like to. But the main thing is then we could avoid some of those painful moments, like Sean gave a great example of your quality patch cycles. And if an incident came outside the window, I mean, you might be impacted. So I really like this continuous compliance.
So with that, I'd like to hand over back to Sean, and he's going to give you a nice walk-through and a live demo. Thanks, Doug. Let's do a demo. Text is a little small.
Let me see if I can make it bigger.
There we go. All right, back row. How good are your eyes? Can you see it? I'll make it bigger. Anyone bring any binoculars? OK. Now it's behaving.
All right. So before we jump into here, let's take a look at the control panel. You might want to spin one of these up yourself. And this is a thing you can do at home. You can do it right here. I know a bunch of you have AWS accounts, so it's really quite easy. Just go into your control panel.
Go into the AWS control panel. And then you're going to scroll down here and look for OpsWorks. OK, it's right under here under Management Tools. I actually spun this up right before we started. As you can see, it's already ready. Now, has anyone in the room been using Chef more than four
or five years? A couple seasoned veterans. What was it like setting Chef Server up five years ago? It was flawless. You're too kind. You're also a terrible liar. It was hard. We used to send a consultant on site for a week to get all of the bits and pieces in place
and get the customer happy with the Chef Server. Now it's gotten much, much easier, fortunately. You can install it yourself. What's better than automation, automating your boring, repetitive tasks? Anyone know? Having someone else do it for you. So in this case, we're having Amazon.
The OpsWorks folks have built this push-button, easy-to-use tool. So let me just show you another example. We'll spin one more up so you can see how easy it is. I just hit Create Server.
We'll just call it B. Pick your region. We support three. Now, this is just the region that the Automate server sits in. You can support machines anywhere in Amazon or on-prem. So anything that can reach this machine, you can manage it with Chef.
Pick your size, depending on how many nodes you plan to converge against this machine. We're going to hit Next. Now, you can connect by SSH if you want, or you don't even have to log on at all. I'm going to use my key. The rest of these can be left default, or you can change them if you wish.
I'm just going to leave all the defaults and hit Launch. And that's it. Go get some coffee. Grab a Voodoo Doughnut. And then come back, and you'll have a Chef Automate server ready to go. We even give you links for your username and password. You can download your credentials here.
And then what we call the starter kit. So that contains your Chef key, your private key that you can use with the knife tool. So the one I spun up earlier, I actually went ahead and did that. And you can see, even in just 20 minutes,
I'm already able to interact with the API of this Chef Automate server. So it also makes it very easy to restore from backup, to migrate if you need to build another one of these and resize it. All that stuff is a lot easier than it used to be. So that's the back end. And this truly is an Amazon product.
Amazon owns this with our help. We help them to build it. But if you have an AWS account, you can go ahead and use this and pay by the hour for Chef. So you've never been able to do that before today. But now you can do that. So let's see what you can do when you actually have automate stood up.
We know about the backups and maintenance and stuff. This is a knife command that I put together. It's quite a long command. You can store some of this in a file or inside of a role. And this is using the knife command to stand up a new instance. So I'm going to go ahead and run this in a terminal.
Conference Wi-Fi is always fun. Come on. There it goes. We need a bigger font here too, I think.
Settings looks like a good option. I've got a nice 30-point font.
You know what? I may go ahead and jump on to a different Wi-Fi here if this continues to be laggy. Someone sing the Jeopardy song for me. Of course, this would happen during a live demo.
What do you think? Should I reboot it? That's what you do with Windows machines, right? Speaking of reboots, Chef handles the Windows reboot rather gracefully now. That didn't used to be the case. But if you're configuring a Windows machine
and you require a reboot, Chef client can pick up right where it left off after the reboot, which is a super handy feature. We're going to break out the old task manager. Oh, here we go.
Kill it with fire. Hey, there it is. I'll take broken demos for 400, Alex. This doesn't get better. I'm going to have to sing for you.
All right. We're back in business. Where is my console? PowerShell. This machine is really going crazy.
Yeah, I think we're going to reboot it. I blame Chrome. Darn you, Chrome. Eating all my memory.
All right, I'll kick off a reboot, and then I'll tell you a bedtime story while we wait for it, if I can get the start menu to show up. All right, heck with it. We're going to use the nuclear option.
You know, in the old days, this would require a drive down to the data center. Thankfully, we don't have to do that anymore. Oh, no. Well, hopefully we'll get you to the new days, right? The promised land.
Oh, there's my honeypot for WannaCry. OK, we're going to reboot you. Yeah. Indeed, if it's not plugged into the internet, it's secure. OK, while that's rebooting, let's take a little tour
of some of the things you might not have known that you can do with OpsWorks for Chef Automate. So it is the same Chef Automate that you get if you download it yourself and install it, with some cool extra features. We've already mentioned backups and maintenance.
But my favorite thing are the new API endpoints that they created. So let's go ahead and dive into the docs for this. Just Google it.
OK, so look over here. These are API endpoints. You can hit them with the command line, with the EC2 command line tools. You can also build these things into things like Lambda functions.
One really neat use case there is auto-scaling. So traditionally, if you wanted to use Chef and auto-scale your application, you'd have to, first of all, spin up the new EC2 instances. You'd need to then somehow bootstrap the instance to the Chef server and then have that instance
configure itself. Or maybe you have the instance pre-baked and you're spinning it up and then running Chef at the end to just put the last mile of config on it. Now, when you scale down, you need to undo all that and then delete the node from your Chef server to keep it kind of cleaned up. In the past, that was a bit of a hassle.
To bootstrap a node, you need to have keys. You need to run the knife command. It can be a bit of a pain to do that with auto-scaling because you've got to do some magic to get the keys in the right place. So what they've done is create an API endpoint where you don't need to log on to the server at all, really. You can actually just register the machine
directly with the Chef server using the API endpoint. Not what they used to be. There it is. Associate node. That's what I was looking for. So what does it do? It associates a new node with the Chef server. So it's very similar to the knife bootstrap,
but you avoid the trouble of having to schlep those keys around and worry about how to make this work. You simply hit that API endpoint, and then boom. The machine appears in your Chef server. You can also automate the removal of the machine from your Chef server so that not only do you keep it clean, but you also don't get billed for something
that you're not using. So scaling up and scaling down. There's a great blog post, too. So we'll just pull that up here in case anyone wants it.
I don't have the exact link, but it's in the AWS blog. It might be here. Some great tutorials on how to get started. So there's lots of help available. If you want to take this for a spin, I would start with the Quick Start Guide.
That's a good way to get started. And they also have some user data scripts that you can use. Just drop those in there, and then as soon as you spin up your instance, it appears in your Chef server. You can start running your own or community cookbooks on it right away. Let's hop back over to our demo and see if it's decided to behave itself now.
Wake up, demo. OK.
OK, cool. So we've got a demo site here. It's a Windows site. We normally demo with Linux. I decided to create a demo with Windows
just to show that Chef works equally well on either platform, except when you have to reboot. But we work with that. Windows is a different creature. It's a different beast than Linux. And it requires a different type of care and feeding. And you can do that with Chef.
Yes. Just reboot it. Have you rebooted it? All right. So let's take a look at our machines. Windows Server 1, 2, and 3. We built these with the Chef recipe. I can look at every step of the build. If anything went wrong, I can easily pinpoint
where the problems were. So I can see one failed run here; Chef had a failed run, but then it recovered. So that's kind of nice. That might save you a late-night call or having to get up and fix this thing.
So all is well with this node. We can take a look at it in a browser if we want.
And this sample site is called Fourth Coffee. And they apparently sell Chef cookies. It's a pretty standard stack. It's a .NET app with IIS. This is the cookbook that built it. If I just open that here.
I made a little wrapper cookbook called My Fourth Coffee. And we'll go into the recipes. So this should look familiar if you've ever taken Chef fundamentals or worked with Chef. Pretty standard stuff.
Let's do a little demo of configuration drift. Anyone ever, any sysadmins in the room? Ops folks? Do you love it when people change things on your machines after you built them and handed them over? Yeah. And then they get mad at you and say, why does this file keep changing back? I just put it that way. And you say, well, that's because Chef did it.
It was meant to do that for you. So let's do that now. Let's go ahead and be the naughty user. We're going to go ahead and turn on Telnet server and Telnet client in a test node. So we're going to get to see Test Kitchen as well.
You can simply do kitchen login. And that's going to give me a login to my test instance. On Linux machines, this will just drop you into SSH. And on a Windows machine, you get RDP. So I just need to grab the password here.
All right. So here we are on another Windows machine. This is actually running that Fourth Coffee app. And we're going to go ahead and manually make a change on this machine.
So I want to add roles and features. I totally need Telnet because I think it's 1995. You'd be surprised, actually. Maybe you're not surprised how much Telnet there still is out there.
OK. Sean's been a bad boy. I installed Telnet client and Telnet server on this machine. So while that runs, we'll just go ahead and close out.
Now, with Test Kitchen, I can do kitchen list. I can see my machine. It's in EC2 as well. So this is really great for testing. If you think about it, what do these things cost per hour? $0.20, right? Something like that. $10 or $1 or $2, if it's one of those super huge C8 XLs
or whatever they're called. Let's go ahead and do a Kitchen Converge. Now, Test Kitchen is going to run. It's only going to fix things that it finds that are wrong. So ideally, we should see Telnet getting turned off again.
And so ideally, you can educate that user and say, hey, you know, if you need Telnet, let's talk. We can figure out how to turn it on for you with a Chef recipe. Security folks might not be too happy with that, but at least you've captured it as code, right?
Don't build snowflakes. If you think you ever might need to do something with the server more than once, put it in a Chef recipe. So you can see most of these flew by pretty fast. They all say up to date. That means that the resource is already in the right state.
It means Chef doesn't have to touch it. Now, this stuff here is DSC. Has anyone heard of DSC? Yeah, Desired State Configuration. Another benefit to using Chef is that we plug into DSC really nicely. And so Telnet is now turned off. So simply keeping this machine in the right state,
that's one very easy and powerful use case for Chef. Here's another one. If I want to maintain a good security posture, I need to turn off things like SSL v3. So you might have seen this in the demo this morning. This is a very similar thing with the Windows machine.
Are we at time? OK. Scan with InSpec, remediate with Chef. And I won't show that right now, but it's quite easy to do. In this case, I would simply run a recipe here that's going to turn off all the registry keys for the bad SSL and remediate my machine that way.
One last thing I want to cover before we wrap up. This supports multiple Chef servers, multiple data centers, and multiple organizations. So if you have distributed environments, you can use them and manage them all in one place using Chef Automate.
So I think that's about all we have for time. We might have a minute or two for questions. No? Are we done? Come see us up front if you have questions, and thank you for your time. Thanks, everyone.