SlideShare une entreprise Scribd logo

Discovering OpenBSD on AWS

Télécharger en tant que PPTX, PDF
Laurent Bernaille
Laurent Bernaille

The story behind the OpenBSD AMI, and how it integrates with AWS, and a demo of dynamic VPN built using Consul (all running OpenBSD)

Technologie
1  sur  24
OpenBSD and AWS September 23rd 2017EuroBSDcon
@eurobsdcon Who am I? 2 Laurent Bernaille @d2si • Linux background, getting to know OpenBSD • Cloud enthusiast • Love discovering, building (and breaking…) new things @lbernail
@eurobsdcon What is this presentation/demo about? OpenBSD and AWS • The first OpenBSD image and the ongoing work • The integration in the AWS ecosystem OpenBSD and microservices • How we can leverage OpenBSD for cloud applications • Examples and demo OpenBSD and me • A recent but interesting journey
@eurobsdcon OpenBSD on AWS First image by @ajacoutot (December 2015, in 5.9) • Not straightforward due to Xen support (network, disk in particular) • Intro: http://blog.d2-si.fr/2016/02/15/openbsd-on-aws/ • Details: https://github.com/ajacoutot/aws-openbsd • More details: http://www.openbsd.org/papers/bsdcan2016-xen.pdf => The image worked, but without EBS (disk) support at first => Xen support was not perfect An AWS hypervisor update broke the AMI (late 2016) Fixed in 6.1, thanks to Mike Belopuhov and @esdenera Many improvements in 6.2 (performances)
@eurobsdcon Let's have a look
@eurobsdcon Where does my public key come from? AWS exposes a metadata web server at http://169.254.169.254
@eurobsdcon OK but how did it get into authorized_keys? Linux distributions rely on cloud-init • http://cloudinit.readthedocs.io/ • Origin in ubuntu cloud • Cloud-init does a lot of things and is very Linux specific Enters ec2-init by @ajacoutot • Minimal cloud-init implementation • https://github.com/ajacoutot/aws-openbsd When is it run? • By netstart (very early in the boot process)
@eurobsdcon A quick look at ec2-init mock_pf open if [[ $(mock meta-data/instance-id) != $(cat /var/db/ec2-init 2>/dev/null) ]]; then ec2_instanceid ec2_pubkey ec2_hostname ec2_userdata ec2_fingerprints sysclean fi mock_pf close open pf to allow access to metadata server check if already configured write instance id to db file to set instance as "configured" write public key in authorized_keys file set hostname from AWS metadata execute userdata (more on that later) write rc.firsttime script to display ssh fingerprints after boot clean up instance (remove old ssh keys, logs, dhcp data)
@eurobsdcon What about this ec2-user? Standard behavior on AWS • No connection as root • ec2-user is used for Amazon Linux, Redhat, Fedora, Centos, FreeBSD • Debian uses "admin" and ubuntu, "ubuntu" ec2-user has unlimited doas with "nopass" $ cat /etc/doas.conf permit nopass ec2-user
@eurobsdcon Let's use this instance Install terraform $ pkg_info -Q terraform terraform-0.9.2 $ doas pkg_add terraform Terraform? • Describe infrastructure components and build them • « puppet » for infrastructure • Alternatives: cloudformation / heat OK let's set up something with it $ doas pkg_add git $ git clone git@github.com:lbernail/eurobsdcon2017.git $ terraform init $ terraform plan $ terraform apply
@eurobsdcon Under the hood Bastion eu-west-1a Public subnets Private subnets eu-west-1b Public subnets Private subnets resource "aws_vpc" "main" { cidr_block = "10.100.0.0/16" } resource "aws_subnet" "public" { vpc_id = "${aws_vpc.main.id}" cidr_block = "10.100.1.0/24" tags { Name = "Main" } } resource "aws_instance" "bastion" { ami = "${var.bastion_ami}" instance_type = "t2.micro” subnet_id = "${aws_subnet.public.id}" vpc_security_group_ids = [ "${aws_security_group.bastion.id}" ] tags { Name = "bastion" } }
@eurobsdcon 12 Bastion Public subnets NAT GW Public subnets Public subnets What did we just build? Private subnets Private subnetsPrivate subnets
@eurobsdcon 13 Bastion Public subnets NAT GW Public subnets Public subnets CAg (UI) CS Let’s create a consul cluster 10.0.128.100 consul0 CS 10.0.129.100 consul1 CS 10.0.130.100 consul2 10.0.128.200 consul-agent
@eurobsdcon A quick intro to consul From Hashicorp (authors of vagrant, packer, terraform, vault) Used for microservices • Service discovery • Key-value store for configuration Resilient • Distributed system • Built on RAFT
@eurobsdcon Let's look at it $ ssh 10.0.128.100 $ consul members
@eurobsdcon OK but how did it all get configured? Userdata: script to bootstrap AWS instances (executed by ec2-init) $ ftp -MVo - http://169.254.169.254/latest/user-data #!/bin/sh pkg_add consul cat > /etc/consul.d/config.json <<EOF { "bootstrap_expect": 3, "server": true, "node_name": "consul0", "retry_join_ec2" : { "tag_key": "ConsulCluster", "tag_value": "Consul" } } EOF rcctl enable consul cat >> /etc/rc.firsttime <<EOF rcctl start consul EOF install consul this node is a server called consul0 it will wait for 2 other servers to bootstrap cluster rely on AWS API to discover members - instances have a "tag" - instances have a role granting them access to AWS APIs "enable" writes to /etc/rc.conf.local but rc parses rc.conf.local very early so consul won't start => we use rc.firsttime
@eurobsdcon What can we do with this? Dynamic VPN configuration with consul-template • A companion tool to Consul • Watches for key changes in Consul • Generates a file from a template • Optionally executes a command when the file changes Let's build a VPN gateway $ cd ../vpn $ terraform init $ terraform apply
@eurobsdcon 18 Bastion Public subnets NAT GW Public subnets Public subnets CAg (UI) CS New architecture 10.0.128.100 consul0 CS 10.0.129.100 consul1 CS 10.0.130.100 consul2 10.0.128.200 consul-agent VPN 10.0.0.10
@eurobsdcon What is this VPN server? 1/2 $ ftp -MVo - http://169.254.169.254/latest/user-data #!/bin/sh rcctl enable ipsec rcctl enable isakmpd rcctl set isakmpd flags -K install -m 0600 /dev/null /etc/ipsec.conf pkg_add consul cat > /etc/consul.d/config.json <<EOF { "server": false, "node_name": "vpn", "retry_join_ec2" : { "tag_key": "ConsulCluster", "tag_value": "Consul" } } EOF enable ipsec install consul configure it as a client
@eurobsdcon What is this VPN server? 2/2 pkg_add consul-template cat > /etc/consul-template.d/default.conf << EOF consul { address = "127.0.0.1:8500" } template { source = "/etc/consul-template.d/ipsec.ctmpl" destination = "/etc/ipsec.conf" perms = 0600 command = "ipsecctl -f /etc/ipsec.conf || echo Invalid ipsec configuration" } EOF # Template cat > /etc/consul-template.d/ipsec.ctmpl << 'EOF' {{ range tree "vpn" | explode -}} {{ if and .cidrblock .endpoint .psk -}} ike esp from 10.0.0.0/16 to {{ .cidrblock }} peer {{ .endpoint }} srcid 34.252.210.92 psk "{{ .psk }}" {{ end -}} {{ end }} EOF install consul-template use local consul Template configuration - template file - target - command to execute on change template file to generate ipsec.conf
@eurobsdcon The template file {{ range tree "vpn" | explode -}} {{ if and .cidrblock .endpoint .psk -}} ike esp from 10.0.0.0/16 to {{ .cidrblock }} peer {{ .endpoint }} psk "{{ .psk }}" srcid 34.252.210.92 {{ end -}} {{ end }} get all keys under "vpn" iterate over them transform items in maps if we have values for all necessary keys generate ipsec configuration configuration keys local public IP (injected by terraform) vpn/ /us/ /cidrblock = 172.30.0.0/16 /endpoint = 32.32.32.32 /psk = demo ike esp from 10.0.0.0/16 to 172.30.0.0/16 peer 32.32.32.32 psk "demo" srcid 34.252.210.92
@eurobsdcon Let's look at this $ consul members $ rcctl check consul consul_template $ cat /etc/consul-template.d/ipsec.ctmpl $ doas cat /etc/ipsec.conf $ doas ipsecctl -s all
@eurobsdcon Building our VPN Bastion Public subnets NAT GW Public subnets Public subnets CAg (UI) CS 10.0.128.100 consul0 CS 10.0.129.100 consul1 CS 10.0.130.100 consul2 10.0.128.200 consul-agent VPN 10.0.0.10 Ireland, 10.0.0.0/16 Virginia, 172.30.0.0/16 EIP: 34.252.210.92 Demo 172.30.x.y allow ICMP from 10.0.0.0/16
@eurobsdcon Conclusion and perspectives What could be improved in this example • Security of consul: SSL / ACL My (limited) usage of OpenBSD on AWS • VPN Gateways • DNS proxies • And now consul • Many potential other use-cases Look at / Fork the code of this demo on github https://github.com/lbernail/eurobsdcon2017 Questions ? @lbernail

Recommandé

Experience using the IO-500
Experience using the IO-500Experience using the IO-500
Experience using the IO-500George Markomanolis
 
Java8勉強会
Java8勉強会Java8勉強会
Java8勉強会賢太郎 前多
 
ενδοκρινείς αδένες (ι)
ενδοκρινείς αδένες (ι)ενδοκρινείς αδένες (ι)
ενδοκρινείς αδένες (ι)dkelefiotis
 
실시간 스트리밍 분석 Kinesis Data Analytics Deep Dive
실시간 스트리밍 분석 Kinesis Data Analytics Deep Dive실시간 스트리밍 분석 Kinesis Data Analytics Deep Dive
실시간 스트리밍 분석 Kinesis Data Analytics Deep DiveAmazon Web Services Korea
 
Low Level CPU Performance Profiling Examples
Low Level CPU Performance Profiling ExamplesLow Level CPU Performance Profiling Examples
Low Level CPU Performance Profiling ExamplesTanel Poder
 
S13 Oracle Database を Microsoft Azure 上で運用する為に~基本事項とベストプラクティス
S13 Oracle Database を Microsoft Azure 上で運用する為に~基本事項とベストプラクティスS13 Oracle Database を Microsoft Azure 上で運用する為に~基本事項とベストプラクティス
S13 Oracle Database を Microsoft Azure 上で運用する為に~基本事項とベストプラクティスMicrosoft Azure Japan
 
CPUから見たG1GC
CPUから見たG1GCCPUから見たG1GC
CPUから見たG1GCKenji Kazumura
 
Db2 & Db2 Warehouse v11.5.4 最新情報アップデート2020年8月25日
Db2 & Db2 Warehouse v11.5.4 最新情報アップデート2020年8月25日Db2 & Db2 Warehouse v11.5.4 最新情報アップデート2020年8月25日
Db2 & Db2 Warehouse v11.5.4 最新情報アップデート2020年8月25日IBM Analytics Japan
 

Recommandé

Experience using the IO-500
Experience using the IO-500Experience using the IO-500
Experience using the IO-500George Markomanolis
 
Java8勉強会
Java8勉強会Java8勉強会
Java8勉強会賢太郎 前多
 
ενδοκρινείς αδένες (ι)
ενδοκρινείς αδένες (ι)ενδοκρινείς αδένες (ι)
ενδοκρινείς αδένες (ι)dkelefiotis
 
실시간 스트리밍 분석 Kinesis Data Analytics Deep Dive
실시간 스트리밍 분석 Kinesis Data Analytics Deep Dive실시간 스트리밍 분석 Kinesis Data Analytics Deep Dive
실시간 스트리밍 분석 Kinesis Data Analytics Deep DiveAmazon Web Services Korea
 
Low Level CPU Performance Profiling Examples
Low Level CPU Performance Profiling ExamplesLow Level CPU Performance Profiling Examples
Low Level CPU Performance Profiling ExamplesTanel Poder
 
S13 Oracle Database を Microsoft Azure 上で運用する為に~基本事項とベストプラクティス
S13 Oracle Database を Microsoft Azure 上で運用する為に~基本事項とベストプラクティスS13 Oracle Database を Microsoft Azure 上で運用する為に~基本事項とベストプラクティス
S13 Oracle Database を Microsoft Azure 上で運用する為に~基本事項とベストプラクティスMicrosoft Azure Japan
 
CPUから見たG1GC
CPUから見たG1GCCPUから見たG1GC
CPUから見たG1GCKenji Kazumura
 
Db2 & Db2 Warehouse v11.5.4 最新情報アップデート2020年8月25日
Db2 & Db2 Warehouse v11.5.4 最新情報アップデート2020年8月25日Db2 & Db2 Warehouse v11.5.4 最新情報アップデート2020年8月25日
Db2 & Db2 Warehouse v11.5.4 最新情報アップデート2020年8月25日IBM Analytics Japan
 
Jdbc complete
Jdbc completeJdbc complete
Jdbc completeSandeep Rawat
 
Introducing Amazon EKS Anywhere On Apache CloudStack
Introducing Amazon EKS Anywhere On Apache CloudStackIntroducing Amazon EKS Anywhere On Apache CloudStack
Introducing Amazon EKS Anywhere On Apache CloudStackShapeBlue
 
IBM DB2 LUW UDB DBA Online Training by Etraining.guru
IBM DB2 LUW UDB DBA Online Training by Etraining.guruIBM DB2 LUW UDB DBA Online Training by Etraining.guru
IBM DB2 LUW UDB DBA Online Training by Etraining.guruRavikumar Nandigam
 
SRV403_Serverless Authentication and Authorization
SRV403_Serverless Authentication and AuthorizationSRV403_Serverless Authentication and Authorization
SRV403_Serverless Authentication and AuthorizationAmazon Web Services
 
Efficient Monitoring & Tuning of Dynamic SQL in DB2 for z/OS by Namik Hrle ...
Efficient Monitoring & Tuning of Dynamic SQL in DB2 for z/OS by Namik Hrle ...Efficient Monitoring & Tuning of Dynamic SQL in DB2 for z/OS by Namik Hrle ...
Efficient Monitoring & Tuning of Dynamic SQL in DB2 for z/OS by Namik Hrle ...Surekha Parekh
 
Amandaで始めるかんたんバックアップ
Amandaで始めるかんたんバックアップAmandaで始めるかんたんバックアップ
Amandaで始めるかんたんバックアップVirtualTech Japan Inc.
 
Replacing Oracle CDC with Oracle GoldenGate
Replacing Oracle CDC with Oracle GoldenGateReplacing Oracle CDC with Oracle GoldenGate
Replacing Oracle CDC with Oracle GoldenGateStewart Bryson
 
Presentation v mware virtual san 6.0
Presentation v mware virtual san 6.0Presentation v mware virtual san 6.0
Presentation v mware virtual san 6.0solarisyougood
 
Tomcat and apache httpd training
Tomcat and apache httpd trainingTomcat and apache httpd training
Tomcat and apache httpd trainingFranck SIMON
 
ORM, JPA, & Hibernate Overview
ORM, JPA, & Hibernate OverviewORM, JPA, & Hibernate Overview
ORM, JPA, & Hibernate OverviewBrett Meyer
 
Oracle Data Guard basics and how to create manually 18c plus
Oracle Data Guard basics and how to create manually 18c plusOracle Data Guard basics and how to create manually 18c plus
Oracle Data Guard basics and how to create manually 18c plusAkira Kusakabe
 
C11,12 SQL Server 2012 Performance Tuning by Yukio Kumazawa
C11,12 SQL Server 2012 Performance Tuning by Yukio KumazawaC11,12 SQL Server 2012 Performance Tuning by Yukio Kumazawa
C11,12 SQL Server 2012 Performance Tuning by Yukio KumazawaInsight Technology, Inc.
 
Veeam ONE v11a入門編の紹介
Veeam ONE v11a入門編の紹介Veeam ONE v11a入門編の紹介
Veeam ONE v11a入門編の紹介株式会社クライム
 
How and why to upgrade to java 16 or 17
How and why to upgrade to java 16 or 17How and why to upgrade to java 16 or 17
How and why to upgrade to java 16 or 17Johan Janssen
 
AWS Black Belt Techシリーズ AWS CloudTrail & CloudWatch Logs
AWS Black Belt Techシリーズ AWS CloudTrail & CloudWatch LogsAWS Black Belt Techシリーズ AWS CloudTrail & CloudWatch Logs
AWS Black Belt Techシリーズ AWS CloudTrail & CloudWatch LogsAmazon Web Services Japan
 
Java presentation
Java presentation Java presentation
Java presentation Programming Talents
 
【旧版】Oracle Exadata Cloud Service:サービス概要のご紹介 [2021年7月版]
【旧版】Oracle Exadata Cloud Service:サービス概要のご紹介 [2021年7月版]【旧版】Oracle Exadata Cloud Service:サービス概要のご紹介 [2021年7月版]
【旧版】Oracle Exadata Cloud Service:サービス概要のご紹介 [2021年7月版]オラクルエンジニア通信
 
DB Monitoring 개념 및 활용 (박명규)
DB Monitoring 개념 및 활용 (박명규)DB Monitoring 개념 및 활용 (박명규)
DB Monitoring 개념 및 활용 (박명규)WhaTap Labs
 
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISP
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISPOptimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISP
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISPSecure-24
 
Under the Hood of Amazon Route 53 (ARC408-R1) - AWS re:Invent 2018
Under the Hood of Amazon Route 53 (ARC408-R1) - AWS re:Invent 2018Under the Hood of Amazon Route 53 (ARC408-R1) - AWS re:Invent 2018
Under the Hood of Amazon Route 53 (ARC408-R1) - AWS re:Invent 2018Amazon Web Services
 
Puppet at Opera Sofware - PuppetCamp Oslo 2013
Puppet at Opera Sofware - PuppetCamp Oslo 2013Puppet at Opera Sofware - PuppetCamp Oslo 2013
Puppet at Opera Sofware - PuppetCamp Oslo 2013Cosimo Streppone
 
Amazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionAmazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionPaolo latella
 

Contenu connexe

Tendances

Introducing Amazon EKS Anywhere On Apache CloudStack
Introducing Amazon EKS Anywhere On Apache CloudStackIntroducing Amazon EKS Anywhere On Apache CloudStack
Introducing Amazon EKS Anywhere On Apache CloudStackShapeBlue
 
IBM DB2 LUW UDB DBA Online Training by Etraining.guru
IBM DB2 LUW UDB DBA Online Training by Etraining.guruIBM DB2 LUW UDB DBA Online Training by Etraining.guru
IBM DB2 LUW UDB DBA Online Training by Etraining.guruRavikumar Nandigam
 
SRV403_Serverless Authentication and Authorization
SRV403_Serverless Authentication and AuthorizationSRV403_Serverless Authentication and Authorization
SRV403_Serverless Authentication and AuthorizationAmazon Web Services
 
Efficient Monitoring & Tuning of Dynamic SQL in DB2 for z/OS by Namik Hrle ...
Efficient Monitoring & Tuning of Dynamic SQL in DB2 for z/OS by Namik Hrle ...Efficient Monitoring & Tuning of Dynamic SQL in DB2 for z/OS by Namik Hrle ...
Efficient Monitoring & Tuning of Dynamic SQL in DB2 for z/OS by Namik Hrle ...Surekha Parekh
 
Amandaで始めるかんたんバックアップ
Amandaで始めるかんたんバックアップAmandaで始めるかんたんバックアップ
Amandaで始めるかんたんバックアップVirtualTech Japan Inc.
 
Replacing Oracle CDC with Oracle GoldenGate
Replacing Oracle CDC with Oracle GoldenGateReplacing Oracle CDC with Oracle GoldenGate
Replacing Oracle CDC with Oracle GoldenGateStewart Bryson
 
Presentation v mware virtual san 6.0
Presentation v mware virtual san 6.0Presentation v mware virtual san 6.0
Presentation v mware virtual san 6.0solarisyougood
 
Tomcat and apache httpd training
Tomcat and apache httpd trainingTomcat and apache httpd training
Tomcat and apache httpd trainingFranck SIMON
 
ORM, JPA, & Hibernate Overview
ORM, JPA, & Hibernate OverviewORM, JPA, & Hibernate Overview
ORM, JPA, & Hibernate OverviewBrett Meyer
 
Oracle Data Guard basics and how to create manually 18c plus
Oracle Data Guard basics and how to create manually 18c plusOracle Data Guard basics and how to create manually 18c plus
Oracle Data Guard basics and how to create manually 18c plusAkira Kusakabe
 
C11,12 SQL Server 2012 Performance Tuning by Yukio Kumazawa
C11,12 SQL Server 2012 Performance Tuning by Yukio KumazawaC11,12 SQL Server 2012 Performance Tuning by Yukio Kumazawa
C11,12 SQL Server 2012 Performance Tuning by Yukio KumazawaInsight Technology, Inc.
 
How and why to upgrade to java 16 or 17
How and why to upgrade to java 16 or 17How and why to upgrade to java 16 or 17
How and why to upgrade to java 16 or 17Johan Janssen
 
AWS Black Belt Techシリーズ AWS CloudTrail & CloudWatch Logs
AWS Black Belt Techシリーズ AWS CloudTrail & CloudWatch LogsAWS Black Belt Techシリーズ AWS CloudTrail & CloudWatch Logs
AWS Black Belt Techシリーズ AWS CloudTrail & CloudWatch LogsAmazon Web Services Japan
 
【旧版】Oracle Exadata Cloud Service:サービス概要のご紹介 [2021年7月版]
【旧版】Oracle Exadata Cloud Service:サービス概要のご紹介 [2021年7月版]【旧版】Oracle Exadata Cloud Service:サービス概要のご紹介 [2021年7月版]
【旧版】Oracle Exadata Cloud Service:サービス概要のご紹介 [2021年7月版]オラクルエンジニア通信
 
DB Monitoring 개념 및 활용 (박명규)
DB Monitoring 개념 및 활용 (박명규)DB Monitoring 개념 및 활용 (박명규)
DB Monitoring 개념 및 활용 (박명규)WhaTap Labs
 
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISP
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISPOptimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISP
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISPSecure-24
 
Under the Hood of Amazon Route 53 (ARC408-R1) - AWS re:Invent 2018
Under the Hood of Amazon Route 53 (ARC408-R1) - AWS re:Invent 2018Under the Hood of Amazon Route 53 (ARC408-R1) - AWS re:Invent 2018
Under the Hood of Amazon Route 53 (ARC408-R1) - AWS re:Invent 2018Amazon Web Services
 

Tendances (20)

Jdbc complete
Jdbc completeJdbc complete
Jdbc complete
 
Introducing Amazon EKS Anywhere On Apache CloudStack
Introducing Amazon EKS Anywhere On Apache CloudStackIntroducing Amazon EKS Anywhere On Apache CloudStack
Introducing Amazon EKS Anywhere On Apache CloudStack
 
IBM DB2 LUW UDB DBA Online Training by Etraining.guru
IBM DB2 LUW UDB DBA Online Training by Etraining.guruIBM DB2 LUW UDB DBA Online Training by Etraining.guru
IBM DB2 LUW UDB DBA Online Training by Etraining.guru
 
SRV403_Serverless Authentication and Authorization
SRV403_Serverless Authentication and AuthorizationSRV403_Serverless Authentication and Authorization
SRV403_Serverless Authentication and Authorization
 
Efficient Monitoring & Tuning of Dynamic SQL in DB2 for z/OS by Namik Hrle ...
Efficient Monitoring & Tuning of Dynamic SQL in DB2 for z/OS by Namik Hrle ...Efficient Monitoring & Tuning of Dynamic SQL in DB2 for z/OS by Namik Hrle ...
Efficient Monitoring & Tuning of Dynamic SQL in DB2 for z/OS by Namik Hrle ...
 
Amandaで始めるかんたんバックアップ
Amandaで始めるかんたんバックアップAmandaで始めるかんたんバックアップ
Amandaで始めるかんたんバックアップ
 
Replacing Oracle CDC with Oracle GoldenGate
Replacing Oracle CDC with Oracle GoldenGateReplacing Oracle CDC with Oracle GoldenGate
Replacing Oracle CDC with Oracle GoldenGate
 
Presentation v mware virtual san 6.0
Presentation v mware virtual san 6.0Presentation v mware virtual san 6.0
Presentation v mware virtual san 6.0
 
Tomcat and apache httpd training
Tomcat and apache httpd trainingTomcat and apache httpd training
Tomcat and apache httpd training
 
ORM, JPA, & Hibernate Overview
ORM, JPA, & Hibernate OverviewORM, JPA, & Hibernate Overview
ORM, JPA, & Hibernate Overview
 
Oracle Data Guard basics and how to create manually 18c plus
Oracle Data Guard basics and how to create manually 18c plusOracle Data Guard basics and how to create manually 18c plus
Oracle Data Guard basics and how to create manually 18c plus
 
C11,12 SQL Server 2012 Performance Tuning by Yukio Kumazawa
C11,12 SQL Server 2012 Performance Tuning by Yukio KumazawaC11,12 SQL Server 2012 Performance Tuning by Yukio Kumazawa
C11,12 SQL Server 2012 Performance Tuning by Yukio Kumazawa
 
Veeam ONE v11a入門編の紹介
Veeam ONE v11a入門編の紹介Veeam ONE v11a入門編の紹介
Veeam ONE v11a入門編の紹介
 
How and why to upgrade to java 16 or 17
How and why to upgrade to java 16 or 17How and why to upgrade to java 16 or 17
How and why to upgrade to java 16 or 17
 
AWS Black Belt Techシリーズ AWS CloudTrail & CloudWatch Logs
AWS Black Belt Techシリーズ AWS CloudTrail & CloudWatch LogsAWS Black Belt Techシリーズ AWS CloudTrail & CloudWatch Logs
AWS Black Belt Techシリーズ AWS CloudTrail & CloudWatch Logs
 
Java presentation
Java presentation Java presentation
Java presentation
 
【旧版】Oracle Exadata Cloud Service:サービス概要のご紹介 [2021年7月版]
【旧版】Oracle Exadata Cloud Service:サービス概要のご紹介 [2021年7月版]【旧版】Oracle Exadata Cloud Service:サービス概要のご紹介 [2021年7月版]
【旧版】Oracle Exadata Cloud Service:サービス概要のご紹介 [2021年7月版]
 
DB Monitoring 개념 및 활용 (박명규)
DB Monitoring 개념 및 활용 (박명규)DB Monitoring 개념 및 활용 (박명규)
DB Monitoring 개념 및 활용 (박명규)
 
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISP
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISPOptimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISP
Optimize and Simplify Oracle 12C RAC using dNFS, ZFS and OISP
 
Under the Hood of Amazon Route 53 (ARC408-R1) - AWS re:Invent 2018
Under the Hood of Amazon Route 53 (ARC408-R1) - AWS re:Invent 2018Under the Hood of Amazon Route 53 (ARC408-R1) - AWS re:Invent 2018
Under the Hood of Amazon Route 53 (ARC408-R1) - AWS re:Invent 2018
 

Similaire à Discovering OpenBSD on AWS

Puppet at Opera Sofware - PuppetCamp Oslo 2013
Puppet at Opera Sofware - PuppetCamp Oslo 2013Puppet at Opera Sofware - PuppetCamp Oslo 2013
Puppet at Opera Sofware - PuppetCamp Oslo 2013Cosimo Streppone
 
Amazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionAmazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionPaolo latella
 
Automating aws infrastructure and code deployments using Ansible @WebEngage
Automating aws infrastructure and code deployments using Ansible @WebEngageAutomating aws infrastructure and code deployments using Ansible @WebEngage
Automating aws infrastructure and code deployments using Ansible @WebEngageVishal Uderani
 
Agile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: IntroductionAgile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: IntroductionAgile Partner S.A.
 
Docker Multi-arch All The Things
Docker Multi-arch All The ThingsDocker Multi-arch All The Things
Docker Multi-arch All The ThingsDocker, Inc.
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725miguel dominguez
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725MortazaJohari
 
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Yevgeniy Brikman
 
OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud
OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloudOpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud
OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloudNetcetera
 
ContainerDayVietnam2016: Docker for JS Developer
ContainerDayVietnam2016: Docker for JS DeveloperContainerDayVietnam2016: Docker for JS Developer
ContainerDayVietnam2016: Docker for JS DeveloperDocker-Hanoi
 
AWS 기반 Docker, Kubernetes
AWS 기반 Docker, KubernetesAWS 기반 Docker, Kubernetes
AWS 기반 Docker, Kubernetes정빈 권
 
CoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdCoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdRichard Lister
 
Shipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerShipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerJérôme Petazzoni
 
How to create your own hack environment
How to create your own hack environmentHow to create your own hack environment
How to create your own hack environmentSumedt Jitpukdebodin
 
Ufo Ship for AWS ECS
Ufo Ship for AWS ECSUfo Ship for AWS ECS
Ufo Ship for AWS ECSTung Nguyen
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefMatt Ray
 
Build Your Own CaaS (Container as a Service)
Build Your Own CaaS (Container as a Service)Build Your Own CaaS (Container as a Service)
Build Your Own CaaS (Container as a Service)HungWei Chiu
 
Scaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container ServiceScaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container ServiceBen Hall
 

Similaire à Discovering OpenBSD on AWS (20)

Puppet at Opera Sofware - PuppetCamp Oslo 2013
Puppet at Opera Sofware - PuppetCamp Oslo 2013Puppet at Opera Sofware - PuppetCamp Oslo 2013
Puppet at Opera Sofware - PuppetCamp Oslo 2013
 
Amazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to productionAmazon Web Services and Docker: from developing to production
Amazon Web Services and Docker: from developing to production
 
Automating aws infrastructure and code deployments using Ansible @WebEngage
Automating aws infrastructure and code deployments using Ansible @WebEngageAutomating aws infrastructure and code deployments using Ansible @WebEngage
Automating aws infrastructure and code deployments using Ansible @WebEngage
 
Agile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: IntroductionAgile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: Introduction
 
Docker Multi-arch All The Things
Docker Multi-arch All The ThingsDocker Multi-arch All The Things
Docker Multi-arch All The Things
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725
 
Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725Infrastructureascode slideshare-160331143725
Infrastructureascode slideshare-160331143725
 
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
 
OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud
OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloudOpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud
OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud
 
Sheep it
Sheep itSheep it
Sheep it
 
ContainerDayVietnam2016: Docker for JS Developer
ContainerDayVietnam2016: Docker for JS DeveloperContainerDayVietnam2016: Docker for JS Developer
ContainerDayVietnam2016: Docker for JS Developer
 
AWS 기반 Docker, Kubernetes
AWS 기반 Docker, KubernetesAWS 기반 Docker, Kubernetes
AWS 기반 Docker, Kubernetes
 
CoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love SystemdCoreOS, or How I Learned to Stop Worrying and Love Systemd
CoreOS, or How I Learned to Stop Worrying and Love Systemd
 
Shipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with DockerShipping Applications to Production in Containers with Docker
Shipping Applications to Production in Containers with Docker
 
How to create your own hack environment
How to create your own hack environmentHow to create your own hack environment
How to create your own hack environment
 
Ufo Ship for AWS ECS
Ufo Ship for AWS ECSUfo Ship for AWS ECS
Ufo Ship for AWS ECS
 
One-Man Ops
One-Man OpsOne-Man Ops
One-Man Ops
 
Bare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and ChefBare Metal to OpenStack with Razor and Chef
Bare Metal to OpenStack with Razor and Chef
 
Build Your Own CaaS (Container as a Service)
Build Your Own CaaS (Container as a Service)Build Your Own CaaS (Container as a Service)
Build Your Own CaaS (Container as a Service)
 
Scaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container ServiceScaling Docker Containers using Kubernetes and Azure Container Service
Scaling Docker Containers using Kubernetes and Azure Container Service
 

Plus de Laurent Bernaille

How the OOM Killer Deleted My Namespace
How the OOM Killer Deleted My NamespaceHow the OOM Killer Deleted My Namespace
How the OOM Killer Deleted My NamespaceLaurent Bernaille
 
Kubernetes DNS Horror Stories
Kubernetes DNS Horror StoriesKubernetes DNS Horror Stories
Kubernetes DNS Horror StoriesLaurent Bernaille
 
Evolution of kube-proxy (Brussels, Fosdem 2020)
Evolution of kube-proxy (Brussels, Fosdem 2020)Evolution of kube-proxy (Brussels, Fosdem 2020)
Evolution of kube-proxy (Brussels, Fosdem 2020)Laurent Bernaille
 
Making the most out of kubernetes audit logs
Making the most out of kubernetes audit logsMaking the most out of kubernetes audit logs
Making the most out of kubernetes audit logsLaurent Bernaille
 
Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Laurent Bernaille
 
Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019Laurent Bernaille
 
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...Laurent Bernaille
 
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!Laurent Bernaille
 
Optimizing kubernetes networking
Optimizing kubernetes networkingOptimizing kubernetes networking
Optimizing kubernetes networkingLaurent Bernaille
 
Kubernetes at Datadog the very hard way
Kubernetes at Datadog the very hard wayKubernetes at Datadog the very hard way
Kubernetes at Datadog the very hard wayLaurent Bernaille
 
Deep Dive in Docker Overlay Networks
Deep Dive in Docker Overlay NetworksDeep Dive in Docker Overlay Networks
Deep Dive in Docker Overlay NetworksLaurent Bernaille
 
Deeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay NetworksDeeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay NetworksLaurent Bernaille
 
Operational challenges behind Serverless architectures
Operational challenges behind Serverless architecturesOperational challenges behind Serverless architectures
Operational challenges behind Serverless architecturesLaurent Bernaille
 
Deep dive in Docker Overlay Networks
Deep dive in Docker Overlay NetworksDeep dive in Docker Overlay Networks
Deep dive in Docker Overlay NetworksLaurent Bernaille
 
Feedback on AWS re:invent 2016
Feedback on AWS re:invent 2016Feedback on AWS re:invent 2016
Feedback on AWS re:invent 2016Laurent Bernaille
 
Early recognition of encryted applications
Early recognition of encryted applicationsEarly recognition of encryted applications
Early recognition of encryted applicationsLaurent Bernaille
 
Early application identification. CONEXT 2006
Early application identification. CONEXT 2006Early application identification. CONEXT 2006
Early application identification. CONEXT 2006Laurent Bernaille
 

Plus de Laurent Bernaille (17)

How the OOM Killer Deleted My Namespace
How the OOM Killer Deleted My NamespaceHow the OOM Killer Deleted My Namespace
How the OOM Killer Deleted My Namespace
 
Kubernetes DNS Horror Stories
Kubernetes DNS Horror StoriesKubernetes DNS Horror Stories
Kubernetes DNS Horror Stories
 
Evolution of kube-proxy (Brussels, Fosdem 2020)
Evolution of kube-proxy (Brussels, Fosdem 2020)Evolution of kube-proxy (Brussels, Fosdem 2020)
Evolution of kube-proxy (Brussels, Fosdem 2020)
 
Making the most out of kubernetes audit logs
Making the most out of kubernetes audit logsMaking the most out of kubernetes audit logs
Making the most out of kubernetes audit logs
 
Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019Kubernetes the Very Hard Way. Velocity Berlin 2019
Kubernetes the Very Hard Way. Velocity Berlin 2019
 
Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019Kubernetes the Very Hard Way. Lisa Portland 2019
Kubernetes the Very Hard Way. Lisa Portland 2019
 
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you! ...
 
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!
10 ways to shoot yourself in the foot with kubernetes, #9 will surprise you!
 
Optimizing kubernetes networking
Optimizing kubernetes networkingOptimizing kubernetes networking
Optimizing kubernetes networking
 
Kubernetes at Datadog the very hard way
Kubernetes at Datadog the very hard wayKubernetes at Datadog the very hard way
Kubernetes at Datadog the very hard way
 
Deep Dive in Docker Overlay Networks
Deep Dive in Docker Overlay NetworksDeep Dive in Docker Overlay Networks
Deep Dive in Docker Overlay Networks
 
Deeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay NetworksDeeper dive in Docker Overlay Networks
Deeper dive in Docker Overlay Networks
 
Operational challenges behind Serverless architectures
Operational challenges behind Serverless architecturesOperational challenges behind Serverless architectures
Operational challenges behind Serverless architectures
 
Deep dive in Docker Overlay Networks
Deep dive in Docker Overlay NetworksDeep dive in Docker Overlay Networks
Deep dive in Docker Overlay Networks
 
Feedback on AWS re:invent 2016
Feedback on AWS re:invent 2016Feedback on AWS re:invent 2016
Feedback on AWS re:invent 2016
 
Early recognition of encryted applications
Early recognition of encryted applicationsEarly recognition of encryted applications
Early recognition of encryted applications
 
Early application identification. CONEXT 2006
Early application identification. CONEXT 2006Early application identification. CONEXT 2006
Early application identification. CONEXT 2006
 

Dernier

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 

Dernier (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

Discovering OpenBSD on AWS

  • 1. OpenBSD and AWS September 23rd 2017EuroBSDcon
  • 2. @eurobsdcon Who am I? 2 Laurent Bernaille @d2si • Linux background, getting to know OpenBSD • Cloud enthusiast • Love discovering, building (and breaking…) new things @lbernail
  • 3. @eurobsdcon What is this presentation/demo about? OpenBSD and AWS • The first OpenBSD image and the ongoing work • The integration in the AWS ecosystem OpenBSD and microservices • How we can leverage OpenBSD for cloud applications • Examples and demo OpenBSD and me • A recent but interesting journey
  • 4. @eurobsdcon OpenBSD on AWS First image by @ajacoutot (December 2015, in 5.9) • Not straightforward due to Xen support (network, disk in particular) • Intro: http://blog.d2-si.fr/2016/02/15/openbsd-on-aws/ • Details: https://github.com/ajacoutot/aws-openbsd • More details: http://www.openbsd.org/papers/bsdcan2016-xen.pdf => The image worked, but without EBS (disk) support at first => Xen support was not perfect An AWS hypervisor update broke the AMI (late 2016) Fixed in 6.1, thanks to Mike Belopuhov and @esdenera Many improvements in 6.2 (performances)
  • 6. @eurobsdcon Where does my public key come from? AWS exposes a metadata web server at http://169.254.169.254
  • 7. @eurobsdcon OK but how did it get into authorized_keys? Linux distributions rely on cloud-init • http://cloudinit.readthedocs.io/ • Origin in ubuntu cloud • Cloud-init does a lot of things and is very Linux specific Enters ec2-init by @ajacoutot • Minimal cloud-init implementation • https://github.com/ajacoutot/aws-openbsd When is it run? • By netstart (very early in the boot process)
  • 8. @eurobsdcon A quick look at ec2-init mock_pf open if [[ $(mock meta-data/instance-id) != $(cat /var/db/ec2-init 2>/dev/null) ]]; then ec2_instanceid ec2_pubkey ec2_hostname ec2_userdata ec2_fingerprints sysclean fi mock_pf close open pf to allow access to metadata server check if already configured write instance id to db file to set instance as "configured" write public key in authorized_keys file set hostname from AWS metadata execute userdata (more on that later) write rc.firsttime script to display ssh fingerprints after boot clean up instance (remove old ssh keys, logs, dhcp data)
  • 9. @eurobsdcon What about this ec2-user? Standard behavior on AWS • No connection as root • ec2-user is used for Amazon Linux, Redhat, Fedora, Centos, FreeBSD • Debian uses "admin" and ubuntu, "ubuntu" ec2-user has unlimited doas with "nopass" $ cat /etc/doas.conf permit nopass ec2-user
  • 10. @eurobsdcon Let's use this instance Install terraform $ pkg_info -Q terraform terraform-0.9.2 $ doas pkg_add terraform Terraform? • Describe infrastructure components and build them • « puppet » for infrastructure • Alternatives: cloudformation / heat OK let's set up something with it $ doas pkg_add git $ git clone git@github.com:lbernail/eurobsdcon2017.git $ terraform init $ terraform plan $ terraform apply
  • 11. @eurobsdcon Under the hood Bastion eu-west-1a Public subnets Private subnets eu-west-1b Public subnets Private subnets resource "aws_vpc" "main" { cidr_block = "10.100.0.0/16" } resource "aws_subnet" "public" { vpc_id = "${aws_vpc.main.id}" cidr_block = "10.100.1.0/24" tags { Name = "Main" } } resource "aws_instance" "bastion" { ami = "${var.bastion_ami}" instance_type = "t2.micro” subnet_id = "${aws_subnet.public.id}" vpc_security_group_ids = [ "${aws_security_group.bastion.id}" ] tags { Name = "bastion" } }
  • 12. @eurobsdcon 12 Bastion Public subnets NAT GW Public subnets Public subnets What did we just build? Private subnets Private subnetsPrivate subnets
  • 13. @eurobsdcon 13 Bastion Public subnets NAT GW Public subnets Public subnets CAg (UI) CS Let’s create a consul cluster 10.0.128.100 consul0 CS 10.0.129.100 consul1 CS 10.0.130.100 consul2 10.0.128.200 consul-agent
  • 14. @eurobsdcon A quick intro to consul From Hashicorp (authors of vagrant, packer, terraform, vault) Used for microservices • Service discovery • Key-value store for configuration Resilient • Distributed system • Built on RAFT
  • 15. @eurobsdcon Let's look at it $ ssh 10.0.128.100 $ consul members
  • 16. @eurobsdcon OK but how did it all get configured? Userdata: script to bootstrap AWS instances (executed by ec2-init) $ ftp -MVo - http://169.254.169.254/latest/user-data #!/bin/sh pkg_add consul cat > /etc/consul.d/config.json <<EOF { "bootstrap_expect": 3, "server": true, "node_name": "consul0", "retry_join_ec2" : { "tag_key": "ConsulCluster", "tag_value": "Consul" } } EOF rcctl enable consul cat >> /etc/rc.firsttime <<EOF rcctl start consul EOF install consul this node is a server called consul0 it will wait for 2 other servers to bootstrap cluster rely on AWS API to discover members - instances have a "tag" - instances have a role granting them access to AWS APIs "enable" writes to /etc/rc.conf.local but rc parses rc.conf.local very early so consul won't start => we use rc.firsttime
  • 17. @eurobsdcon What can we do with this? Dynamic VPN configuration with consul-template • A companion tool to Consul • Watches for key changes in Consul • Generates a file from a template • Optionally executes a command when the file changes Let's build a VPN gateway $ cd ../vpn $ terraform init $ terraform apply
  • 18. @eurobsdcon 18 Bastion Public subnets NAT GW Public subnets Public subnets CAg (UI) CS New architecture 10.0.128.100 consul0 CS 10.0.129.100 consul1 CS 10.0.130.100 consul2 10.0.128.200 consul-agent VPN 10.0.0.10
  • 19. @eurobsdcon What is this VPN server? 1/2 $ ftp -MVo - http://169.254.169.254/latest/user-data #!/bin/sh rcctl enable ipsec rcctl enable isakmpd rcctl set isakmpd flags -K install -m 0600 /dev/null /etc/ipsec.conf pkg_add consul cat > /etc/consul.d/config.json <<EOF { "server": false, "node_name": "vpn", "retry_join_ec2" : { "tag_key": "ConsulCluster", "tag_value": "Consul" } } EOF enable ipsec install consul configure it as a client
  • 20. @eurobsdcon What is this VPN server? 2/2 pkg_add consul-template cat > /etc/consul-template.d/default.conf << EOF consul { address = "127.0.0.1:8500" } template { source = "/etc/consul-template.d/ipsec.ctmpl" destination = "/etc/ipsec.conf" perms = 0600 command = "ipsecctl -f /etc/ipsec.conf || echo Invalid ipsec configuration" } EOF # Template cat > /etc/consul-template.d/ipsec.ctmpl << 'EOF' {{ range tree "vpn" | explode -}} {{ if and .cidrblock .endpoint .psk -}} ike esp from 10.0.0.0/16 to {{ .cidrblock }} peer {{ .endpoint }} srcid 34.252.210.92 psk "{{ .psk }}" {{ end -}} {{ end }} EOF install consul-template use local consul Template configuration - template file - target - command to execute on change template file to generate ipsec.conf
  • 21. @eurobsdcon The template file {{ range tree "vpn" | explode -}} {{ if and .cidrblock .endpoint .psk -}} ike esp from 10.0.0.0/16 to {{ .cidrblock }} peer {{ .endpoint }} psk "{{ .psk }}" srcid 34.252.210.92 {{ end -}} {{ end }} get all keys under "vpn" iterate over them transform items in maps if we have values for all necessary keys generate ipsec configuration configuration keys local public IP (injected by terraform) vpn/ /us/ /cidrblock = 172.30.0.0/16 /endpoint = 32.32.32.32 /psk = demo ike esp from 10.0.0.0/16 to 172.30.0.0/16 peer 32.32.32.32 psk "demo" srcid 34.252.210.92
  • 22. @eurobsdcon Let's look at this $ consul members $ rcctl check consul consul_template $ cat /etc/consul-template.d/ipsec.ctmpl $ doas cat /etc/ipsec.conf $ doas ipsecctl -s all
  • 23. @eurobsdcon Building our VPN Bastion Public subnets NAT GW Public subnets Public subnets CAg (UI) CS 10.0.128.100 consul0 CS 10.0.129.100 consul1 CS 10.0.130.100 consul2 10.0.128.200 consul-agent VPN 10.0.0.10 Ireland, 10.0.0.0/16 Virginia, 172.30.0.0/16 EIP: 34.252.210.92 Demo 172.30.x.y allow ICMP from 10.0.0.0/16
  • 24. @eurobsdcon Conclusion and perspectives What could be improved in this example • Security of consul: SSL / ACL My (limited) usage of OpenBSD on AWS • VPN Gateways • DNS proxies • And now consul • Many potential other use-cases Look at / Fork the code of this demo on github https://github.com/lbernail/eurobsdcon2017 Questions ? @lbernail