Integrating Rudder and CFEngine Mission Portal

Nicolas CHARLES [email protected] @nico_charles

Normation – All rights reserved – normation.com

Upload: normation

Post on 14-Feb-2017



What's in a name?

Rudder is an easy to use, web-driven, role-based solution for IT Infrastructure Automation & Compliance.
https://www.rudder-project.org/site/about/

CFEngine Mission Portal is an IT automation platform that uses a model-based approach to manage your infrastructure, and applications at WebScale while providing best-in-class scalability, security, enterprise-wide visibility and control.
https://docs.cfengine.com/lts/enterprise-cfengine-guide.html


Using both together?

What if we combined Rudder and Mission Portal?


Goal

Automate without coding

Easy classification

Complete inventory

Compliance

List available software updates

Autolearning monitoring

Reports on file changes

Data isolation

Different levels of reports

Change requests


Rudder principles

[Diagram: New node, Managed nodes, Rudder Web Interface]

1. Inventory

2. See nodes inventory

3. Create nodes groups (static, dynamic)

4. Configure rules on groups

5. Generate CFEngine policies

6. Reports

7. Check rules reports


Rudder architecture

[Diagram: Rudder server and nodes]

● TCP (port 5309): files metadata, files content, ACL

● TCP (ports 443 and 514): reports + inventories

● Labels: Inventory + Reports, Configuration policy


CFEngine Architecture

[Diagram: Mission Portal and nodes]

● TCP (port 5308): files metadata, files content

● Reports from nodes (promises outcome, packages, changes, monitoring)


Combining both solutions

● Both architectures are very similar

● A central point with policies and reports

● Nodes connect to fetch their policies, and apply them

● Use the Mission Portal as a Rudder relay

● Some adaptation in the built-in CFEngine HTTPd server is necessary

● Transcribe the Mission Portal promises into Rudder Techniques


Resulting architecture

[Diagram: nodes, Mission Portal and Rudder server]

● TCP (port 5308): files metadata, files content

● Reports from nodes (promises outcome, packages, changes, monitoring)

● ACLs

● TCP (ports 443 and 514): reports + inventories

● Labels: Inventory + Reports


DEMO


More details

Some adaptations/configurations were needed!

● Create a role mission-portal in Rudder

● Create Techniques out of the masterfiles Mission Portal management

● Adapt authorization to accept data queries on nodes

● Adapt the HTTPS virtualhost on Mission Portal to accept inventories


More details

Setup is pretty standard

● Install Rudder 3.2

● Install a CFEngine Hub, bootstrap it to itself, and install rudder-agent

● Accept inventory in Rudder, convert the Hub to a Relay

● Adapt virtualhost on CFEngine Hub


Next steps

What remains to be done:

● Automatic node classification on Mission Portal based on Rudder Group + tags (in progress)

● Correlation of reports (external dashboard?)

Surely a ton of other improvements...


Questions?

Nicolas CHARLES [email protected] @nico_charles