Securing your applications by building a standardized OS image.

Ahoy there!

I have been working in IT for around 10 years and have never felt more satisfied with a project than working on the Apptio Base AMI.

This project required me to build a release process that outputs a secured O.S. image for AWS. It seemed simple, but then it started to get complicated...

I gave this talk at Hashitalks 2020: https://www.hashicorp.com/resources/using-an-image-release-process-for-security-wins, which led me to write all of this into a blog post.
I was supposed to give the same talk at Devops Days Seattle, but it got canceled because of the virus.

Why should we even think about a custom O.S. image?

Well, there are several reasons to get this process in place, e.g.:
  • Faster application deployment, by doing much of the deployment work ahead of time.
  • Secured images: patched, with unwanted programs removed, ACLs set and kernel updates applied.
  • More consistent applications, because you control the OS environment they will run on.
  • Treat your images as code!
But why are people not building their own images?
I have found several situations that cause this, e.g.: the company wants to have this process but has too much tech debt ahead of it, people are manually building their own images, some teams might not know better, there is a lack of motivation to do it, or teams are afraid of the amount of maintenance a process like this might need.

Some people might think, "I get the importance of creating an O.S. image, but why should I go nuts about creating a big release process?". This is a valid question, but keep in mind that a release process lets you stop thinking about the process itself and gives you the confidence to deliver great images to your "customers".

Building images using Packer!

Hashicorp Packer allows you to build these images from code in an automated way.
While this sounds great, it is just part of the process: it lets you deliver a product, in the form of an O.S. image, through a software release process in an automated fashion.

For this example (https://gitlab.com/arsport/packer-release-example), I will use Gitlab + AWS (EC2 AMIs) and Packer to show my idea of an O.S. release process.

Process Requirements:

  1. It had to be self serve.
    That means that if someone wanted a new custom image, they could go themselves, write a few lines of code and that was it. They would have a new image delivered automatically.
  2. There had to be an easy way for users to find the images.
    I figured I could write a fancy tool to retrieve the latest image to use from AWS, but then found that the AWS CLI was pretty good at that. I also wrote an integration to send messages to Slack once the image was ready, including its ID.
  3. CI/CD for automation.
    Gitlab is great; I love the way you integrate your repositories with the CI/CD, and the pipeline view is what I would call close to a perfect tool. Gitlab allowed me to build these images on a schedule with all the information needed after the build.
  4. It had to be built using templates. To make the code more efficient, we had to inject the variables for each image to create into the CI.
  5. There had to be a way to differentiate the Prod and the Test images.
    We wanted to deploy images into our Prod and Test environments, so a good way to do this is to tag (in AWS) your images accordingly. This can be done in the CI.
  6. We had to test the images built automatically.
    CI means you have to test your delivery before pushing your images so you don't break everyone else's build. We wanted to validate the applications installed and the permissions on the keys, so InSpec from Chef helped there.
  7. It had to be secure!
    Meaning no extra SSH keys lying around, no apps installed that were not needed, patched to the latest packages, ACLs, user permissions, etc.

How it looked at the end:

We built a process that looked like this:
  • We build the base images of the O.S. into our test environments. That is the bare O.S. image to use, but better, with the requirements listed above.
  • We build the custom images of the O.S. into our test environments. Those are the customized images the customer needs, for example: an updated JDK, certain packages required for the application, a Go compiler, etc. The stuff that only you as the customer want in the final image. This makes your application start much faster.
  • Then we do the same steps but for production.
After this, the customers were able to test their applications in an image that looks exactly like the production one.

If something failed during a build, we stopped the builds of the other images until we figured out the problem.



Good practices around this process:

  • Build your images with cumulative updates. Instead of building from scratch (i.e. grabbing the image from the marketplace every time), build from the last image you built. This makes the process faster while getting the same result from both approaches.
  • Take a look at all the tools you can use. Maybe trigger a Puppet run, maybe run some Ansible playbooks to configure your instance.
  • Don't use your personal credentials to build. It is not clean, and it is also insecure. Create a set of credentials with only the permissions needed.
  • Clean up after you are done. Packer is great, but sometimes it might leave instances or other resources running that are not needed after the build. Make sure to clean those up.
    Also consider keeping only a few of the latest images; there is no point spending money and space on images that are not updated.
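As an added example (not code from the original post or its example repository), here is a Packer HCL template that ties the requirements above to the cumulative-build and cleanup practices in this list: variables injected by CI, a source filter that builds on top of the last image published for the same environment, tags that separate Prod from Test, an InSpec gate, and a final cleanup of SSH keys. It assumes the amazon and inspec Packer plugins are installed, an Ubuntu-based image, and that the variable names, tag keys and the ./inspec/base profile path are my own choices.

```hcl
# Values injected by the CI job, e.g.:
#   packer build -var environment=prod -var image_family=base-ubuntu .
variable "environment"  { type = string }   # "test" or "prod"
variable "image_family" { type = string }
variable "aws_region"   { type = string }

locals {
  stamp = regex_replace(timestamp(), "[- TZ:]", "")
}

source "amazon-ebs" "base" {
  region        = var.aws_region
  instance_type = "t3.small"
  ssh_username  = "ubuntu"
  ami_name      = "${var.image_family}-${var.environment}-${local.stamp}"

  # Cumulative build: start from the newest image this process already published
  # for the same family/environment (only the first build points at the vendor AMI).
  source_ami_filter {
    owners      = ["self"]
    most_recent = true
    filters = {
      "tag:ImageFamily" = var.image_family
      "tag:Environment" = var.environment
      state             = "available"
    }
  }

  # Tags are how consumers tell Prod and Test images apart.
  tags = {
    Name        = "${var.image_family}-${var.environment}"
    ImageFamily = var.image_family
    Environment = var.environment
  }
}

build {
  sources = ["source.amazon-ebs.base"]
  # Patch to the latest packages and purge what is no longer needed.
  provisioner "shell" {
    inline = ["sudo apt-get update", "sudo DEBIAN_FRONTEND=noninteractive apt-get -y full-upgrade", "sudo apt-get -y autoremove --purge"]
  }
  # Gate the image on an InSpec profile before it is published.
  provisioner "inspec" { profile = "./inspec/base" }
  # Last step: leave no SSH keys or build residue in the snapshot.
  provisioner "shell" {
    inline = ["sudo rm -f /home/ubuntu/.ssh/authorized_keys /root/.ssh/authorized_keys", "sudo cloud-init clean --logs", "sudo rm -rf /tmp/* /var/tmp/*"]
  }
}
```

Consumers then find the newest image with the AWS CLI alone, e.g. `aws ec2 describe-images --owners self --filters Name=tag:ImageFamily,Values=base-ubuntu Name=tag:Environment,Values=prod --query 'sort_by(Images,&CreationDate)[-1].ImageId' --output text`.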

To finish this post.

I think security is becoming a big part of our work, and it is becoming more important to companies as part of the trust they need to build with their customers. Therefore this is a great way to be sure that the O.S. images you are using have the latest patches and the fewest permissions.

I hope you enjoyed this read, and please contact me if you want to talk more about this process.

Here is the talk I gave related to this during the Hashitalks 2020.
https://www.hashicorp.com/resources/using-an-image-release-process-for-security-wins/

I was going to give the same talk at DevopsDays Seattle 2020 but it was canceled :(.

