Deployment

Basics

Foundation platforms

OSGi - Eclipse is based on the OSGi specification, implemented as Equinox, which is the foundation for Eclipse
Apache Felix - OSGi open source implementation

Application protection

NGNIX - API gateway

NGINX- Open Source

Content server, reverse proxy

NGINX+- commerical version

Ngnix Plus - software load balancer, web server, and content cache built on top of open source NGINX

Comes with NGNIX API, which allows to talk to a running NGNIX server and set-up a monitoring dashboard etc

Ngnix Controller - control-plane solution that manages the NGINX data plane
Ngnix Unit - dynamic application server, supports a RESTful JSON API and Go, Node.js, Java, Perl, PHP, Python, and Ruby, foundation for a service mesh
Ngnix WAF - protects layer 7 attacks, based on ModSecurity open source software
Ngnix Amplify - SaaS-based monitoring tool for the open source NGINX software and NGINX Plus

ModSecurity

ModSecurity - WAF, rooted in Apache
modsecurity - documentation and wiki

provides 'SecRules' for real-time monitoring, logging, and filtering of HTTP
base rules can be derived e.g. from the OWASP ModSec Core Rule Set project

OWASP ModSec CRS project - OWAPS web site
OWASP ModSec CRS - project dedicated website
ModSec tutorial including CRS

Other

Zuul - Netflix API gateway

Zuul is an L7 application gateway that provides capabilities for dynamic routing, monitoring, resiliency, security, and more. Wiki: https://github.com/Netflix/zuul/wiki

Web and Application Servers - from C to Jave to Jave EE

Popular servers

Apache, the HTTP server written in C
Shiro - Java Authentication, Authorisation and Cryptography
Apache Tomcat - HTTP server in Java, servlet+JSP engine

Tomcat provides a 'pure Java' HTTP server, started as Java servlet reference implementation
Contains: Catalina (servlet container), Jasper (JSP engine) and Coyote (http connector)
Can be extended with OpenEJB to become an EE server (as WebLogic)

Glassfish - the Sun J2EE reference implementation
JBoss - the JBoss Application Server (J2EE) bundled with Tomcat as web server, Hibernate for persistence
Drooles - rules engine, constraint expressions (apparently used by Agfa-H)

Struts framework for Java EE (presentation, application, db framework)

DevOps

Jenkins

A CD/CI solution. In Continuous Integration, the system completes a build, test, deploy, and integration in response to every single commit.

Jenkins

self-contained, open source automation server which can be used to automate all sorts of tasks related to building, testing, and delivering or deploying software
Jenkins Security - the Jenkins project is a CVE Numbers Authority (CNA) for Jenkins and Jenkins plugins
Jenkins Security admin

Puppet

Puppet basics

Puppet is a software configuration management tool which includes its own declarative language to describe system configuration. The Puppet platform consists of

Puppet Server (Master)
Puppet Agent (Client)
Hiera - a built-in key-value configuration data lookup system, used for separating data from Puppet code
Facter - discovers and reports per-node facts, which are available in Puppet manifests as variables
PuppetDB - stores all Puppet data such as facts, catalogs, reports

Puppet information

Puppet - configuration management and continuous deployment
Puppet overview
Puppet built-in PKI

Puppet - Wikipedia

To-be

The user describes the desired to-be state in modules, using Puppet's declarative language or a Ruby DSL.
Modules manage a specific technology and serve as the basic building blocks of Puppet desired state management.
Modules have a specific directory structure (/data, /manifests, /lib, /template, ...) to contain Puppet classes, defined types, tasks, task plans, functions, resource types and providers, ...
Classes are named chunks of Puppet code and are the primary means by which Puppet configures nodes.
Manifests contain the init.pp configuration file
Puppet discovers the system information via Facter, and compiles the manifests into a system-specific catalog containing resources and resource dependency, which are applied against the target systems.
Facter is Puppet’s profiling library, discovering per-node facts, which are available in manifests as variables.

A normal Puppet run has the following stages:

An agent sends facts from Facter to the master.
Puppet builds a graph of the list of resources and their interdependencies, representing the order in which they need to be configured, for every client.
The master sends the appropriate catalog to each agent node.
The as-is of the system is then configured according to the to-be described in manifest file.
If the system is already in the desired state, Puppet will not make any changes, making transactions idempotent.
Finally, the agent sends a report to the master, detailing what changes were made and any errors that occurred.

Puppet secret protection with Hashicorp

Vault by Hashicorp
Vault documentation

Vault stores static secrets and can generate dynamic ones such as for cloud access
Vault is usable via CLI and HTTP API, one authenticates against Vault using a token
And there is a Vault UI

Hiera - a hierarchical database

Hiera basics

Hiera- a built-in key-value configuration data lookup system, used for separating data from Puppet code

Puppet uses Hiera to do two things:
- Store the configuration data in key-value pairs
- Look up what data a particular module needs for a given node during catalog compilation
- This is done via:
- Hiera’s hierarchical lookups follow a 'defaults, with overrides' pattern, meaning you specify common data one time, and override it in situations where the default won’t work.
- Hierarchies are configured in a hiera.yaml configuration file

Hiera-eyaml for yaml file encryption

Hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files to be used by Puppet. The command 'eyaml createkeys’ creates a keypair in the default location (/etc/puppet/keys/private_key.pkcs7.pem and /etc/puppet/keys/public_key.pkcs7.pem).

If using Hiera with Puppet, the puppetmaster needs to access these keys to perform decryption when the puppet agent runs on a remote node. So for this reason, a suggested location might be to store them in /etc/puppetlabs/puppet/eyaml or /var/lib/puppet/keys depending on your setup.

eyaml - encrypting sensitive puppet data
eyaml github - set-up and usage
eyaml - usage

YAML

YAML (a recursive acronym for "YAML Ain't Markup Language") is a human-readable data-serialization language. It is commonly used for configuration files and in applications where data is being stored or transmitted. YAML targets many of the same communications applications as XML but has a minimal syntax. It uses both Python-style indentation to indicate nesting, and a more compact format that uses [...] for lists and {...} for maps[1] making YAML 1.2 a superset of JSON.

Unlike JSON, which can only represent data in a hierarchical model with each child node having a single parent, YAML also offers a simple relational scheme that allows repeats of identical data to be referenced from two or more points in the tree rather than entered redundantly at those points.

YAML is purely a data-representation language and thus has no executable commands

YAML - YAML Ain't Markup Language
YAML - Wikipedia
YAML example

Choria

An orchestration and backplane system

Choria - cmd: 'mco'
Choria demo set-up

Foreman

Lifecycle management tool for physical and virtual servers

The Foreman

Hybrid cloud
Works with Puppet, Salt and Chef

Atlassian

Bitbucket a Git-based source code repository hosting service owned by Atlassian
Bamboo a continuous integration and deployment tool

Selected vendors

Also refer to general IT Vendors for AppServers, e.g. Oracle's Application Server, IBM's WebSphere, SAP's NetWeaver, etc