<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>3DSIM Software Engineering</title>
<link>https://3dsim.github.io/</link>
<description>Recent content on 3DSIM Software Engineering</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-us</language>
<copyright>All rights reserved - 2016</copyright>
<lastBuildDate>Thu, 29 Sep 2016 06:16:24 -0600</lastBuildDate>
<atom:link href="https://3dsim.github.io/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>Securing Jenkins with Auth0</title>
<link>https://3dsim.github.io/securing-jenkins-with-auth0/</link>
<pubDate>Thu, 29 Sep 2016 06:16:24 -0600</pubDate>
<guid>https://3dsim.github.io/securing-jenkins-with-auth0/</guid>
<description>
<p><img src="https://3dsim.github.io/images/posts/Securing-Jenkins-with-Auth0/jenkins.png" alt="Jenkins" />
<img src="https://3dsim.github.io/images/posts/Securing-Jenkins-with-Auth0/auth0.png" alt="Auth0" /></p>
<p>We recently (yesterday) switched our Jenkins authentication from the Github authentication plugin to Auth0. We had a few reasons for this&hellip;</p>
<ul>
<li>We wanted more fine grained control over permissions</li>
<li>We didn&rsquo;t want everyone with Github access to have Jenkins access</li>
<li>We eventually want single sign-on with other 3DSIM applications</li>
<li>We were already using Auth0 for other things</li>
</ul>
<p>Bottom line. We switched. The process had some minor quirks, so I figured I&rsquo;d write a guide for my future self to follow next time I have to set this up&hellip;</p>
<h2 id="configure-auth0:fbd9d0e77cb5c8a95f7dee502da3a88c">Configure Auth0</h2>
<p>Credit goes to <a href="http://stackoverflow.com/questions/33789104/jenkins-integration-with-auth0">this question</a> on stackoverflow for getting me headed in the right direction. Here are the steps I took:</p>
<ul>
<li>Before starting, make sure you have at least one user configured in Auth0.</li>
<li><p>Create a new client in Auth0 named &ldquo;Jenkins&rdquo;. (I chose &ldquo;regular web app&rdquo; for the type, but it doesn&rsquo;t really matter.)
<img src="https://3dsim.github.io/images/posts/Securing-Jenkins-with-Auth0/auth0-create-client.png" alt="Create client" /></p></li>
<li><p>After creating the client, scroll down on the settings tab to the &ldquo;Allowed Callback URLs section&rdquo; and add a callback in this form: <code>&lt;your jenkins url&gt;/securityRealm/finishLogin</code>
<img src="https://3dsim.github.io/images/posts/Securing-Jenkins-with-Auth0/allowed-callback-urls.png" alt="Add callback url" /></p></li>
<li><p>Scroll all the way down in settings tab and click on &ldquo;Show Advanced Settings&rdquo;, then select the &ldquo;Endpoints&rdquo; tab
<img src="https://3dsim.github.io/images/posts/Securing-Jenkins-with-Auth0/saml-metadata-url.png" alt="SAML Metadata URL" /></p></li>
<li><p>Copy the &ldquo;SAML Metadata URL&rdquo; and open a new browser window, paste it, and hit enter. An XML file should be downloaded. Save it for when we configure Jenkins.</p></li>
<li><p>Scroll back to the top of the client configuration page and select the &ldquo;Addons&rdquo; tab.</p></li>
<li><p>Turn on the &ldquo;SAML2 Web App&rdquo; addon.
<img src="https://3dsim.github.io/images/posts/Securing-Jenkins-with-Auth0/addons.png" alt="Addons" /></p></li>
<li><p>In the configuration box for the addon, make sure to set the <code>recipient</code> and <code>audience</code> fields to your Jenkins callback URL.
<img src="https://3dsim.github.io/images/posts/Securing-Jenkins-with-Auth0/saml-config.png" alt="SAML Config" /></p></li>
<li><p>After saving (bottom of the page), click on the &ldquo;Debug&rdquo; button. You will be asked to log in. Log in using one of your test user accounts. If the configuration is successful you should see a page that looks like this:
<img src="https://3dsim.github.io/images/posts/Securing-Jenkins-with-Auth0/success.png" alt="Success" /></p></li>
</ul>
<h2 id="configure-jenkins:fbd9d0e77cb5c8a95f7dee502da3a88c">Configure Jenkins</h2>
<h3 id="jenkins-plugins:fbd9d0e77cb5c8a95f7dee502da3a88c">Jenkins Plugins</h3>
<ul>
<li>Install the SAML Plugin: <a href="https://wiki.jenkins-ci.org/display/JENKINS/SAML+Plugin">https://wiki.jenkins-ci.org/display/JENKINS/SAML+Plugin</a></li>
<li>Install the Role Strategy Plugin: <a href="https://wiki.jenkins-ci.org/display/JENKINS/Role+Strategy+Plugin">https://wiki.jenkins-ci.org/display/JENKINS/Role+Strategy+Plugin</a></li>
</ul>
<h3 id="configure-jenkins-global-security:fbd9d0e77cb5c8a95f7dee502da3a88c">Configure Jenkins global security</h3>
<ul>
<li>Go to &ldquo;Manage Jenkins&rdquo; -&gt; &ldquo;Configure Global Security&rdquo;
<img src="https://3dsim.github.io/images/posts/Securing-Jenkins-with-Auth0/configure-global-security.png" alt="Configure global security" /></li>
<li>Check the &ldquo;Enable security&rdquo; checkbox</li>
<li>Select &ldquo;SAML 2.0&rdquo; radio button</li>
<li>Paste XML from the Auth0 metadata URL downloaded previously into the &ldquo;IdP Metadata&rdquo; field</li>
<li>(Optional) Add the field you want to use for the username. We are using &ldquo;<a href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</a>&rdquo;</li>
<li>Under &ldquo;Authorization&rdquo;, choose &ldquo;Role-Based Strategy&rdquo;</li>
<li>Click &ldquo;Save&rdquo;</li>
</ul>
<h3 id="manage-and-assign-roles-for-jenkins-auth0-interaction:fbd9d0e77cb5c8a95f7dee502da3a88c">Manage and Assign Roles for Jenkins/Auth0 interaction</h3>
<ul>
<li>Go to &ldquo;Manage Jenkins&rdquo; -&gt; &ldquo;Manage and Assign Roles&rdquo; -&gt; &ldquo;Manage Roles&rdquo;</li>
<li>Add any roles that make sense for your use case and assign them permissions. In our case we added an &ldquo;admin&rdquo; and
&ldquo;authenticated&rdquo; role. (Note that roles are different from groups. In the default setup, anyone who logs in via Auth0 will be assigned to an &ldquo;authenticated&rdquo; <strong>group</strong>. If you want to use more specialized groups in Auth0, you&rsquo;ll need to add the Auth0 Authorization Extension. See <a href="https://auth0.com/docs/extensions/authorization-extension">https://auth0.com/docs/extensions/authorization-extension</a>.)</li>
<li>To match a role to an Auth0 group (remember they are different), navigate to &ldquo;Manage Jenkins&rdquo; -&gt; &ldquo;Manage and Assign Roles&rdquo; -&gt; &ldquo;Assign Roles&rdquo;
<img src="https://3dsim.github.io/images/posts/Securing-Jenkins-with-Auth0/assign-roles.png" alt="Assign Roles" /></li>
<li>Here you can associate Auth0 groups/users (left column) with roles (columns 2+) by clicking checkboxes.</li>
<li>We added the <code>authenticated</code> group to the <code>authenticated</code> role we set up previously.</li>
<li>To keep non-authenticated users from seeing any of Jenkins, we unchecked all privileges for the <code>Anonymous</code> group.</li>
<li>Save</li>
</ul>
<h2 id="wrapping-up:fbd9d0e77cb5c8a95f7dee502da3a88c">Wrapping up</h2>
<p>That&rsquo;s it! Try it out.</p>
<ul>
<li>Open an incognito window and navigate to your Jenkins URL.</li>
<li>You should be presented with an Auth0 login like this:
<img src="https://3dsim.github.io/images/posts/Securing-Jenkins-with-Auth0/auth0-login.png" alt="Auth0 login" /></li>
<li>Once you log in, your email address should show up in the top right corner of your Jenkins dashboard.</li>
</ul>
<p>Congratulations. You can now use Auth0 to access Jenkins. Bonus points: set up SSO with your corporate LDAP, AD, Salesforce, or other identity provider.</p>
<p>Leave a comment below if you have questions or have any suggestions for improving this tutorial.</p>
</description>
</item>
<item>
<title>DockerCon 2016 Highlights Day 2</title>
<link>https://3dsim.github.io/dockercon-2016-highlights-day-2/</link>
<pubDate>Wed, 22 Jun 2016 10:03:36 -0600</pubDate>
<guid>https://3dsim.github.io/dockercon-2016-highlights-day-2/</guid>
<description>
<p>Continuing from <a href="https://3dsim.github.io/dockercon-2016-highlights-day-1/">my post from yesterday</a>&hellip; Here are the Day 2 Notes and Highlights.</p>
<h1 id="day-2:31845a37adb5af58320bff08e993d486">Day 2</h1>
<h2 id="keynote:31845a37adb5af58320bff08e993d486">Keynote</h2>
<p>Keynote summary&hellip;. monetizing docker. (This is a good thing because that means new features funded will continue flowing down to the open source offerings.)</p>
<ul>
<li>Docker Data Center</li>
<li>Docker Trusted Registry</li>
<li>Docker Universal Control Plane</li>
<li>HP Datacenter Enterprise</li>
</ul>
<p>Demo</p>
<ul>
<li>Showed SQL Server running in a docker container on linux. Interesting.</li>
<li>Debugging a .net app running in a container from VS Code</li>
</ul>
<p>ADP CTO short talk&hellip; he&rsquo;s very nervous. Highlight was when he compared microservices to chicken nuggets and monoliths to chickens. You had to be there.</p>
<h2 id="docker-for-ops-operationalize-your-docker-built-apps-in-production:31845a37adb5af58320bff08e993d486">Docker for Ops: Operationalize your Docker Built Apps in Production</h2>
<p>Emphasis on Containers as a Service (CaaS) with a focus on agility, portability, and control.</p>
<p>Considerations for a production docker app</p>
<ul>
<li>Scale</li>
<li>Security</li>
<li>Monitoring</li>
<li>Ecosystem</li>
</ul>
<p>Docker Data Center handles security in a few different ways</p>
<ul>
<li>Provides fine grained access control</li>
<li>Integrated content trust. Pushed images are signed by individuals.</li>
</ul>
<p>Demo from Evan Hazlett. (Evan originally wrote Shipyard, which was a Docker Container UI, deployment tool, etc. Shipyard probably became Docker UCP if I had to guess.)</p>
<p>UCP</p>
<ul>
<li>Can create teams, labels, and permissions for each</li>
<li>Supports the new &ldquo;services&rdquo; feature in Docker 1.12</li>
<li>Declare state of the services and the cluster takes care of matching the state</li>
<li>Integrates with built in load balancing in Docker 1.12</li>
<li>Handles rolling deploys</li>
<li>Monitoring uses stats Docker API to aggregate data</li>
</ul>
<p>Summary</p>
<p>Basically they have created a full ecosystem management tool with a UI. Looks nice, but it is rather expensive&hellip; to the tune of $150/node/month. Wayyyyy too expensive when you consider it doesn&rsquo;t include the compute resources.</p>
<h2 id="friendly-microservices:31845a37adb5af58320bff08e993d486">Friendly Microservices</h2>
<ul>
<li>Autogenerate documentation</li>
<li>Embed monitoring</li>
<li>Service should not go down</li>
<li>Make your service easy to deploy and scale</li>
<li>Consumers should be able to hit the API directly in a non-prod environment</li>
<li>Do not require a development environment to troubleshoot &ndash; i.e. use containers</li>
<li>One base url for everything
<ul>
<li>Use an api gateway, such as Zuul</li>
</ul></li>
<li>Don&rsquo;t use wildcards and set correct domain in cookies</li>
<li>Always use HTTPS</li>
<li>Separate certs for api vs domain, so if one is compromised, the other still works.</li>
</ul>
<h2 id="security-tips-from-twistlock:31845a37adb5af58320bff08e993d486">Security tips from Twistlock</h2>
<ul>
<li>Compliance policies, adjust per application</li>
<li>Monitor early in production</li>
<li>Use active threat control (identify unusual behavior)</li>
</ul>
<h2 id="securing-the-container-pipeline:31845a37adb5af58320bff08e993d486">Securing the Container Pipeline</h2>
<p><img src="https://3dsim.github.io/images/posts/DockerCon-2016-Highlights-Day-2/security1.jpg" alt="Securing all the steps" /></p>
<p>Threats</p>
<ul>
<li>Run-time
<ul>
<li>Container exploits</li>
<li>Breaking out of container</li>
<li>Cross container attacks</li>
<li>DDoS</li>
</ul></li>
<li>At rest or during transport
<ul>
<li>Tampering of images</li>
<li>Unpatched OS or applications</li>
</ul></li>
</ul>
<p>Mitigations</p>
<ul>
<li>Platform security</li>
<li>Monitoring and Response</li>
<li>Access Controls</li>
<li>Content Security</li>
</ul>
<p>Access Control</p>
<ul>
<li>LDAP over SSL for Docker image transaction or use mutual TLS authentication for registry replication</li>
</ul>
<p>Container Integrity</p>
<ul>
<li>Use signed images</li>
</ul>
<p>Host hardening:</p>
<ul>
<li>Frequent patching</li>
<li>Install only needed components and libraries</li>
<li>Grsecurity/PaX for the kernel</li>
<li>File system integrity monitoring</li>
<li>Leverage Linux isolation capabilities</li>
</ul>
<p>Container Hardening:</p>
<ul>
<li>Base image and app with latest updates/patches</li>
<li>Leverage User namespaces (run as low privilege user on host)</li>
<li>Install only needed components and libraries (i.e. no gcc, bash, or ssh)</li>
<li>Avoid using Docker with the <code>--privileged</code> flag</li>
<li>Use <code>--read-only</code> when running containers</li>
<li>Avoid providing access to the docker user and group</li>
<li>Limit and/or separate host and kernel device access</li>
</ul>
<p>Vulnerability management:</p>
<ul>
<li>Image scans with tools, such as docker security scanning.</li>
<li>Operating system</li>
<li>Application source code and libraries</li>
<li>Network Scans with traditional vulnerability scanners.
<ul>
<li>Discovery</li>
<li>Exposed services</li>
</ul></li>
<li>Auto and manual source code edits.</li>
<li>Remediation - have prioritization and SLAs for patching</li>
</ul>
<p>Network Infrastructure</p>
<ul>
<li>Use an Intrusion Detection System (IDS)</li>
</ul>
<p>Monitoring hosts:</p>
<ul>
<li>All host logs are saved</li>
<li>Use machine learning to analyze logs</li>
</ul>
<p>Monitoring containers and Apps</p>
<ul>
<li>Monitor all logs, similar to host</li>
<li>Network activity monitoring</li>
<li>Disk activity monitoring</li>
<li>Memory monitoring - docker and container process activity</li>
</ul>
<p>Digital Forensics</p>
<ul>
<li>Have incident response plan/policies in place</li>
<li>Memory, disk, network forensics</li>
<li>Build a super timeline of events using various tools like:
<ul>
<li>Sleuth Kit</li>
<li>Plaso</li>
<li>dd: Raw disk image</li>
</ul></li>
</ul>
<p>Memory forensics</p>
<ul>
<li>Useful because everything runs in memory</li>
<li>Faster discovery vs disk forensics</li>
</ul>
<p><img src="https://3dsim.github.io/images/posts/DockerCon-2016-Highlights-Day-2/security-summary.jpg" alt="Security Summary" /></p>
<p>Conclusion</p>
<p>Lots of good information to incorporate. Definitely could dedicate a full time position to this.</p>
<h2 id="docker-networking-deep-dive:31845a37adb5af58320bff08e993d486">Docker networking deep dive</h2>
<ul>
<li>libnetwork - not just a driver interface
<ul>
<li>handles all docker container networking</li>
<li>ip address management</li>
<li>multi-host networking</li>
<li>service discovery</li>
<li>load balancing</li>
<li>allows for extensions/plugins</li>
</ul></li>
</ul>
<p>New features in 1.12
<img src="https://3dsim.github.io/images/posts/DockerCon-2016-Highlights-Day-2/networking.jpg" alt="New networking features" /></p>
<ul>
<li>Cluster aware</li>
<li>De-centralized control plane</li>
<li>Highly scalable</li>
<li>Routing mesh</li>
<li>Load balancing</li>
<li>Service discovery</li>
</ul>
<p>Conclusion</p>
<p>Docker 1.12 is going to make a lot of engine-to-engine communication seamless. I left early on this talk though because the deep dive was deeper than I needed.</p>
<h2 id="project-tesson-demo:31845a37adb5af58320bff08e993d486">Project Tesson Demo</h2>
<p><img src="https://3dsim.github.io/images/posts/DockerCon-2016-Highlights-Day-2/tesson.jpg" alt="@kobolog" /></p>
<p><a href="https://twitter.com/kobolog">@kobolog</a> shared his open source project called &ldquo;Tesson&rdquo; that maximizes resource usage by analyzing a machine&rsquo;s hardware topology and handles spawning/pinning instances of a Go app to utilize all the hardware capability. <a href="https://github.com/kobolog/tesson">https://github.com/kobolog/tesson</a></p>
<p>Caught the tail end of this talk&hellip; very impressive. Will have to try it out on some of our CPU intensive Go apps.</p>
<h2 id="summary:31845a37adb5af58320bff08e993d486">Summary</h2>
<p>DockerCon was great. Day 1 was the cool announcements. Day 2 was the sales pitch&hellip; at least for the keynote. Both days were informative. The conference was well organized. Food was good. Good set of speakers. Great location. And the weather was epic.</p>
<p>Overall, can&rsquo;t complain&hellip;. I got out mountain biking both days. Highly recommend Duthie Hill and Tiger Mountain. And if you need a bike rental check out <a href="http://compassoutdooradventures.com">http://compassoutdooradventures.com</a>. They deliver/pickup at both destinations.</p>
<p><img src="https://3dsim.github.io/images/posts/DockerCon-2016-Highlights-Day-2/mountain-biking.jpg" alt="Mountain Biking at Tiger Mountain" /></p>
</description>
</item>
<item>
<title>DockerCon 2016 Highlights Day 1</title>
<link>https://3dsim.github.io/dockercon-2016-highlights-day-1/</link>
<pubDate>Tue, 21 Jun 2016 10:03:36 -0600</pubDate>
<guid>https://3dsim.github.io/dockercon-2016-highlights-day-1/</guid>
<description>
<p>At 3DSIM we believe in continuing education and investing in our developers. We put that into practice in many ways and one of those ways is to encourage developers to attend a conference. This year I&rsquo;m attending DockerCon in Seattle. Here are some running highlights&hellip;</p>
<h1 id="day-1:32d0795527c2abb0494e25ae7746bd71">Day 1</h1>
<h2 id="keynote-highlights:32d0795527c2abb0494e25ae7746bd71">Keynote highlights</h2>
<p><img src="https://3dsim.github.io/images/posts/DockerCon-2016-Highlights-Day-1/dockercon-day1-keynote.jpg" alt="Success" /></p>
<ul>
<li>Docker for Mac allows you to debug code running in a container and live reload it. (Need to figure out details)</li>
<li>Docker for Mac Beta is now open to anyone at <a href="https://www.docker.com/products/docker#/mac">https://www.docker.com/products/docker#/mac</a></li>
<li>Docker 1.12 will have orchestration features built-in. <a href="https://blog.docker.com/2016/06/docker-1-12-built-in-orchestration/">https://blog.docker.com/2016/06/docker-1-12-built-in-orchestration/</a>
<ul>
<li>Swarm mode. Self forming, self-healing. No external data store required (e.g. Consul or etcd)</li>
<li>Secure node to node communication.</li>
<li>There is now a docker service API that handles scaling, rolling updates, scheduling, application specific health checks, rescheduling on node failure. This looks amazing&hellip;</li>
<li>Built in routing. Load balancing, DNS based service discovery, no separate cluster to set up.</li>
</ul></li>
</ul>
<p>Example commands with new built-in orchestration:</p>
<pre><code>docker service create --name vote -p 8080:80 instavote/vote
docker service ls
docker service tasks vote
docker service scale vote=6
docker service update vote --image instavote/vote:movies
docker service update vote --image instavote/vote:indent --update-parallelism 2 --update-delay 10s
</code></pre>
<ul>
<li>Docker for AWS and Docker for Azure. (Interesting.)
<ul>
<li>&ldquo;Seamless&rdquo; (Not sure we will give up Ansible for deploying&hellip;)</li>
<li>Will have to find more links to details&hellip; sounds like specialized cloudformation templates.</li>
</ul></li>
<li>(Experimental) Distributed Application Bundle (DAB)&hellip; a format for multi-container applications.</li>
</ul>
<h2 id="talk-highlights-the-golden-ticket-docker-and-high-security-microservices:32d0795527c2abb0494e25ae7746bd71">Talk Highlights: &ldquo;The Golden Ticket: Docker and High Security Microservices&rdquo;</h2>
<p><a href="http://dockercon2016.sched.org/event/70Ni">http://dockercon2016.sched.org/event/70Ni</a></p>
<ul>
<li>Use TLS</li>
<li>Least trust/Least access</li>
<li>Security starts with the base OS - does the base OS manage security in a &ldquo;good&rdquo; way? Start with a &ldquo;minimal&rdquo; base</li>
<li>Minimal kernel</li>
<li>Should also have minimal containers. Larger containers = more patching, disk space, attack surface and post exploitation utilities.</li>
<li>He&rsquo;s a fan of Go&hellip; only put a single binary in the Docker container. (Shout out to Richard Bolt who gave a talk on this at our last SLC Docker meetup.)</li>
<li>Use Mandatory Access Control (MAC) - which is enabled by default in Docker.
<ul>
<li>Use aa-genprof to generate an apparmor profile, or use Bane</li>
<li>Profile generators are not perfect, keep an eye after switching to &ldquo;mandatory&rdquo; mode</li>
<li>Default seccomp filter permits 304 calls.</li>
<li>Can use sysdig to figure out what calls are open on the system (requires kernel module)</li>
<li>Pitfalls of seccomp:</li>
<li>Fragile</li>
<li>Libseccomp - go library</li>
</ul></li>
</ul>
<p>High security docker microservices</p>
<ul>
<li>Enable user namespace</li>
<li>Use specific apparmor if possible</li>
<li>Seccomp whitelist</li>
<li>harden host system</li>
</ul>
<p>Handling secrets</p>
<ul>
<li>Avoid environment variables and flat files</li>
<li>Use something like Vault <a href="https://github.com/hashicorp/vault">https://github.com/hashicorp/vault</a></li>
</ul>
<p>Networking</p>
<ul>
<li>Use TLS. All network traffic should be encrypted and authenticated.</li>
</ul>
<p>Security in general</p>
<ul>
<li>Develop threat models for each application</li>
<li>Log everything and all access. Keep logs centrally.</li>
</ul>
<h2 id="docker-for-developers-1-and-2:32d0795527c2abb0494e25ae7746bd71">Docker for Developers 1 and 2</h2>
<p>Various demos of how native Docker for Mac/Windows and Docker Cloud make development easier. Both show promise.</p>
<p>Docker Cloud demos involved too much clicking and UI work&hellip; will have to investigate what APIs are available.</p>
<p>Installed Docker for Mac yesterday and so far so good.</p>
<h2 id="immutable-infrastructure:32d0795527c2abb0494e25ae7746bd71">Immutable Infrastructure</h2>
<ul>
<li>Limit number of dependencies and libraries in projects</li>
<li>Shorten lead time</li>
<li>High performing organizations:
<ul>
<li>Deploy more often</li>
<li>Lead time is short</li>
<li>High change success rate</li>
<li>Low MTTR</li>
</ul></li>
</ul>
<p>Overall, entertaining talk without a lot of &ldquo;new&rdquo; content.</p>
<h2 id="summary:32d0795527c2abb0494e25ae7746bd71">Summary</h2>
<p>Good first day. Highlight for me is Docker 1.12 orchestration features&hellip; will be using those in our pipelines as soon as they become available.</p>
<p>See my day 2 notes here: <a href="https://3dsim.github.io/dockercon-2016-highlights-day-2/">DockerCon 2016 Highlights Day 2</a></p>
</description>
</item>
<item>
<title>Using Hugo and Wercker to Create and Automate Your Own Site</title>
<link>https://3dsim.github.io/using-hugo-and-wercker-to-create-and-automate-your-own-site/</link>
<pubDate>Sat, 28 May 2016 15:51:23 -0600</pubDate>
<guid>https://3dsim.github.io/using-hugo-and-wercker-to-create-and-automate-your-own-site/</guid>
<description>
<p>As engineers making our own blog, we all naturally want to make it AAAAAAWESOOOME. We want a cool language. We want to use git everywhere. We want PRs! We want it to be fast. We want automation, lots and lots of automation. We also want it simple. Like &ldquo;1 or 2 hours&rdquo; simple.</p>
<p>This blog you&rsquo;re reading has all of that.</p>
<p>It&hellip;. Is&hellip;.. Awesome.</p>
<p>But we can&rsquo;t really take credit. Thanks to <a href="https://gohugo.io">Hugo</a>, <a href="https://github.com">Github</a>, and <a href="http://wercker.com">Wercker</a> you too can have an AAAAAAWESOOOME site or blog.</p>
<p>What this combination gives you:</p>
<ul>
<li><strong>Cool language?</strong> Hugo is based on <a href="https://golang.org/">Go</a>. Check. (My love of Go will be professed in a future post.)</li>
<li><strong>Git integration?</strong> This site is deployed to <a href="https://pages.github.com">github pages</a>. This site is regenerated and deployed every time we push to the main repo.</li>
<li><strong>PRs?</strong> We only push to the main repo through PRs from our individual forks. For those new to git flow, check out this article: <a href="http://scottchacon.com/2011/08/31/github-flow.html">http://scottchacon.com/2011/08/31/github-flow.html</a></li>
<li><strong>Fast?</strong> Yep, super fast. Hugo is a static site generator, meaning it creates plain old HTML. Browsers are very good at serving HTML quickly. Also, Hugo generates the static content very quickly&hellip; about 1 ms per piece of content. For this site, it seems instantaneous.</li>
<li><strong>Automation?</strong> That&rsquo;s where Wercker comes in. You can have build and deploy steps for your github repo that get triggered automatically. Credit goes to <a href="https://github.com/ArjenSchwarz/wercker-step-hugo-build">https://github.com/ArjenSchwarz/wercker-step-hugo-build</a> for creating a Hugo build step, and to <a href="https://github.com/lvivier/step-gh-pages">https://github.com/lvivier/step-gh-pages</a> for the step for deploying to Github Pages.</li>
<li><strong>Simple?</strong> Honestly, start to finish it took me a full day to get everything working&hellip; but that includes research time. If you&rsquo;re reading this, then you should be able to do it in a couple hours. I&rsquo;ve done some of the research for you. (i.e. I found the only link you will need below.)</li>
<li><strong>Pretty?</strong> That wasn&rsquo;t in my original list above&hellip; pffft, engineers don&rsquo;t need &ldquo;pretty.&rdquo; Well, I like pretty. Sue me. Visit <a href="https://themes.gohugo.io">https://themes.gohugo.io</a> to get a taste of what you could do by simply cloning the theme into your &ldquo;themes&rdquo; directory.</li>
</ul>
<p>You&rsquo;re probably saying&hellip; &ldquo;Sounds awesome. How do I do it?&rdquo;</p>
<p>Simple. The guide to awesome is here: <a href="http://gohugo.io/tutorials/automated-deployments">http://gohugo.io/tutorials/automated-deployments</a>. Follow the steps in that tutorial. If you want to see what I did while following those steps, read on&hellip;</p>
<h2 id="an-example-our-corporate-site:1ea8ed4e6ee92abf713dabb5b8f697e5">An example, our corporate site</h2>
<p>Following my own advice, I am now embarking on converting <a href="http://3dsim.com">our corporate site</a> to Hugo and Wercker. I&rsquo;m going to capture the steps I take for posterity&hellip; and to show that setting up an awesome site from scratch is relatively straightforward.</p>
<h3 id="hugo-site-setup:1ea8ed4e6ee92abf713dabb5b8f697e5">Hugo site setup</h3>
<ul>
<li>Create github repo. e.g. <a href="https://github.com/3DSIM/corporate-site">https://github.com/3DSIM/corporate-site</a></li>
<li>Fork the repo.</li>
<li>Clone the fork. <code>git clone git@github.com:ryanwalls/corporate-site.git</code></li>
<li>Generate a new site directory structure. <code>hugo new site corporate-site --force</code> (The force option is necessary because our directory is not empty.)</li>
<li>Go into the cloned directory. <code>cd corporate-site</code></li>
<li>Create a git branch to work in. <code>git checkout -b new-site</code></li>
<li>Install a theme
<ul>
<li><code>mkdir themes &amp;&amp; cd themes</code></li>
<li>Clone a theme. E.g. <code>git clone git@github.com:digitalcraftsman/hugo-agency-theme.git</code></li>
<li>In this case they had a sample <code>config.toml</code>, so copy it to the root of your project: <code>cp themes/hugo-agency-theme/exampleSite/config.toml .</code></li>
<li>Remove the <code>.git</code> folder from the cloned theme: <code>rm -rf themes/hugo-agency-theme/.git</code></li>
</ul></li>
<li>Test that site starts <code>hugo server --buildDrafts --theme=hugo-agency-theme</code></li>
<li>You&rsquo;ll want to customize your <code>config.toml</code> to fit your site. (if you&rsquo;re new to toml read <a href="https://npf.io/2014/08/intro-to-toml">https://npf.io/2014/08/intro-to-toml</a>). See the <a href="https://github.com/3DSIM/corporate-site">source for the corporate site</a> to see what we did with ours.</li>
<li>Eventually you&rsquo;ll want to put content inside the <code>content</code> directory, but for now just put an empty file, README, or some other placeholder in there so that the directory gets committed later. e.g. <code>touch content/.keep</code>. This is to accommodate one of the wercker build scripts we will use later that requires the <code>content</code> folder exists.</li>
</ul>
<h3 id="configure-wercker:1ea8ed4e6ee92abf713dabb5b8f697e5">Configure Wercker</h3>
<ul>
<li>Create a <code>wercker.yml</code> file in the root of the site directory</li>
</ul>
<pre><code class="language-yaml">---
box: debian
build:
  steps:
    - arjen/[email protected]:
        version: &quot;0.15&quot;
        theme: hugo-agency-theme
        flags: --buildDrafts=true
deploy:
  steps:
    - install-packages:
        packages: git ssh-client
    - lukevivier/[email protected]:
        token: $GIT_TOKEN
        basedir: public
</code></pre>
<ul>
<li>Create application inside Wercker
<img src="https://3dsim.github.io/images/posts/Using-Hugo-and-Wercker-to-Create-and-Automate-Your-Own-Site/wercker-create-application_small.png" alt="Create application" /></li>
</ul>
<p>NOTE: This is where the tutorial linked above that is on the Hugo documentation site is out of date. Wercker just recently announced pipelines and workflows.</p>
<ul>
<li><p>Click on &ldquo;Manage Workflows&rdquo; while in your application
<img src="https://3dsim.github.io/images/posts/Using-Hugo-and-Wercker-to-Create-and-Automate-Your-Own-Site/manage-workflows_small.png" alt="Manage workflows" /></p></li>
<li><p>Click on &ldquo;Add pipeline&rdquo;
<img src="https://3dsim.github.io/images/posts/Using-Hugo-and-Wercker-to-Create-and-Automate-Your-Own-Site/add-pipeline_small.png" alt="Add pipeline" /></p></li>
<li><p>Configure the pipeline. This references your deploy step in your <code>wercker.yml</code>.
<img src="https://3dsim.github.io/images/posts/Using-Hugo-and-Wercker-to-Create-and-Automate-Your-Own-Site/pipeline-config_small.png" alt="Configure pipeline" /></p></li>
<li><p>After you configure the pipeline, the next page allows you to configure environment variables for the pipeline. Before filling this in, go to the next step&hellip; but keep this page open.</p></li>
<li><p>Wercker needs to be able to access Github on your behalf to deploy to Github Pages. To give wercker access, we will create a Personal Access Token. If you&rsquo;re new to Personal Access Tokens, here&rsquo;s Github&rsquo;s intro: <a href="https://help.github.com/articles/creating-an-access-token-for-command-line-use">https://help.github.com/articles/creating-an-access-token-for-command-line-use</a>. Follow the steps in that article to generate a token. Here&rsquo;s the box I checked for this personal access token:
<img src="https://3dsim.github.io/images/posts/Using-Hugo-and-Wercker-to-Create-and-Automate-Your-Own-Site/personal-access-token_small.png" alt="Personal Access Token" /></p></li>
<li><p>We can now configure the <code>GIT_TOKEN</code> environment variable that was defined in the <code>wercker.yml</code> above. Copy the personal access token from last step and enter it on the Wercker &ldquo;Environment variables&rdquo; configuration page. Name it <code>GIT_TOKEN</code> and set it as protected. Click &ldquo;Add.&rdquo;
<img src="https://3dsim.github.io/images/posts/Using-Hugo-and-Wercker-to-Create-and-Automate-Your-Own-Site/git-token_small.png" alt="Configure GIT_TOKEN" />.</p></li>
<li><p>We now need to configure our workflow to use the &ldquo;deploy&rdquo; step we just defined. Click on the &ldquo;&lt; Workflows&rdquo; link.
<img src="https://3dsim.github.io/images/posts/Using-Hugo-and-Wercker-to-Create-and-Automate-Your-Own-Site/workflows_small.png" alt="Workflows link" />.</p></li>
</ul>
<p>Then click the &ldquo;+&rdquo; button after your &ldquo;build&rdquo; step
<img src="https://3dsim.github.io/images/posts/Using-Hugo-and-Wercker-to-Create-and-Automate-Your-Own-Site/clickworkflowplus_small.png" alt="Add workflow step" />.</p>
<p>And configure the deploy step to deploy your &ldquo;master&rdquo; branch. Click &ldquo;Add.&rdquo;
<img src="https://3dsim.github.io/images/posts/Using-Hugo-and-Wercker-to-Create-and-Automate-Your-Own-Site/workflow-step_small.png" alt="Configure workflow step" />.</p>
<h3 id="push-the-first-version-of-the-site:1ea8ed4e6ee92abf713dabb5b8f697e5">Push the first version of the site</h3>
<p>You are now ready to create a PR with your changes. When the PR is merged, Wercker should trigger a build and deploy automatically.</p>
<ul>
<li><code>git add .</code></li>
<li><code>git commit -m &quot;Add theme to site&quot;</code></li>
<li><code>git push</code></li>
<li>Navigate to your fork on Github and create a PR. See <a href="https://help.github.com/articles/using-pull-requests">https://help.github.com/articles/using-pull-requests</a>. NOTE: The wercker pipeline will trigger when you create a PR, which is great because you know before you merge if you broke the build. But in this first PR, the build will always fail because we haven&rsquo;t added a <code>wercker.yml</code>.
<img src="https://3dsim.github.io/images/posts/Using-Hugo-and-Wercker-to-Create-and-Automate-Your-Own-Site/pr_small.png" alt="PR" />.<br /></li>
<li>Merge in your changes (after reviewing with someone else of course).<br /></li>
<li>Go to Wercker and see if your build is working. If you see this at the end, you succeeded!
<img src="https://3dsim.github.io/images/posts/Using-Hugo-and-Wercker-to-Create-and-Automate-Your-Own-Site/success_small.png" alt="Success" />.<br /></li>
</ul>
<h3 id="success:1ea8ed4e6ee92abf713dabb5b8f697e5">Success</h3>
<ul>
<li>Navigate to your new site at <code>http://&lt;your github username or organization&gt;.github.io/&lt;your site's repo name&gt;</code>, e.g. <a href="http://3dsim.github.io/corporate-site">http://3dsim.github.io/corporate-site</a></li>
</ul>
<p>It should look similar to this&hellip; (This screenshot was taken with only a couple of changes to the <code>config.toml</code>.)
<img src="https://3dsim.github.io/images/posts/Using-Hugo-and-Wercker-to-Create-and-Automate-Your-Own-Site/final_small.png" alt="Final view" />.</p>
<p>If you made it this far, you now have a fully automated site or blog using Hugo and Wercker. Go pat yourself on the back and get some coffee.</p>
</description>
</item>
<item>
<title>Hello World</title>
<link>https://3dsim.github.io/hello-world/</link>
<pubDate>Tue, 24 May 2016 07:10:35 -0600</pubDate>
<guid>https://3dsim.github.io/hello-world/</guid>
<description><p>Welcome! We are the software engineering team at 3DSIM. This is our blog.</p>
<p>In these pages we plan to document and share how we practice the craft of software
development. Subscribe and enjoy!</p>
</description>
</item>
</channel>
</rss>