Deployment
See also architecture solutions.
Foundation platforms
- OSGi - Eclipse is built on the OSGi specification; its implementation, Equinox, is the foundation of the Eclipse platform
- Apache Felix - OSGi open source implementation
Application protection
ModSecurity
- ModSecurity - WAF, rooted in Apache
  - modsecurity - documentation and wiki
  - provides 'SecRules' for real-time monitoring, logging, and filtering of HTTP traffic
  - base rules can be derived e.g. from the OWASP ModSecurity Core Rule Set project
NGINX - API gateway
- NGINX - Open Source
  - Content server, reverse proxy
- NGINX Plus - commercial version
  - NGINX Plus - software load balancer, web server, and content cache built on top of open source NGINX
  - Comes with the NGINX API, which lets you talk to a running NGINX server, set up a monitoring dashboard, etc.
  - NGINX Controller - control-plane solution that manages the NGINX data plane
  - NGINX Unit - dynamic application server; supports a RESTful JSON API and Go, Node.js, Java, Perl, PHP, Python, and Ruby; foundation for a service mesh
  - NGINX WAF - protects against layer 7 attacks, based on the ModSecurity open source software
  - NGINX Amplify - SaaS-based monitoring tool for the open source NGINX software and NGINX Plus
Other
- Okta - OAuth/NGINX context-based security, RBAC, API ... Apigee, AWS, ...
- Zuul - Netflix API gateway
- Zuul is an L7 application gateway that provides capabilities for dynamic routing, monitoring, resiliency, security, and more. Wiki: https://github.com/Netflix/zuul/wiki
Web and Application Servers - from C to Java to Java EE
Popular servers
- Apache, the HTTP server written in C
- Apache Shiro - Java authentication, authorisation and cryptography
- Apache Tomcat - HTTP server in Java, servlet+JSP engine
  - Tomcat provides a 'pure Java' HTTP server; it started as the Java servlet reference implementation
  - Contains: Catalina (servlet container), Jasper (JSP engine) and Coyote (HTTP connector)
  - Can be extended with OpenEJB to become an EE server (like WebLogic)
- Glassfish - the Sun J2EE reference implementation
- JBoss - the JBoss Application Server (J2EE), bundled with Tomcat as web server and Hibernate for persistence
- Drools - rules engine, constraint expressions (apparently used by Agfa-H)
- Struts - framework for Java EE (presentation, application, db framework)
- IBM WAS (WebSphere Application Server) - also the open source Apache Geronimo
- IBM WebSphere.org
- SAP - NetWeaver AS
- Oracle (ex-BEA) WebLogic
- BEA e-docs
Also refer to general IT Vendors for AppServers, e.g. Oracle's Application Server, IBM's WebSphere, SAP's NetWeaver, etc
DevOps
Jenkins
A CI/CD solution. In Continuous Integration, the system completes a build, test, deploy, and integration
in response to every single commit.
- Jenkins
- self-contained, open source automation server which can be used to automate all sorts of tasks related to building, testing, and delivering or deploying software
- Jenkins Security - the Jenkins project is a CVE Numbering Authority (CNA) for Jenkins and Jenkins plugins
- Jenkins Security admin
Puppet
Puppet basics
Puppet is a software configuration management tool which includes
its own declarative language to describe system configuration.
The Puppet platform consists of
- Puppet Server (Master)
- Puppet Agent (Client)
- Hiera - a built-in key-value configuration data lookup system,
used for separating data from Puppet code
- Facter - discovers and reports per-node facts, which are available in Puppet manifests as variables
- PuppetDB - stores all Puppet data such as facts, catalogs, reports
Puppet information
- Puppet - configuration management and continuous deployment
- Puppet overview
- Puppet built-in PKI
- Puppet - Wikipedia
- To-be
  - The user describes the desired to-be state in modules, using Puppet's declarative language or a Ruby DSL.
  - Modules manage a specific technology and serve as the basic building blocks of Puppet desired state management.
  - Modules have a specific directory structure (/data, /manifests, /lib, /templates, ...) to contain Puppet classes, defined types, tasks, task plans, functions, resource types and providers, ...
  - Classes are named chunks of Puppet code and are the primary means by which Puppet configures nodes.
  - A module's manifests directory contains init.pp, which defines the module's main class
  - Puppet discovers the system information via Facter and compiles the manifests
    into a system-specific catalog containing resources and their dependencies, which is applied to the target systems.
  - Facter is Puppet's profiling library, discovering per-node facts, which are available in manifests as variables.
  - A normal Puppet run has the following stages:
    - An agent sends facts from Facter to the master.
    - Puppet builds a graph of the resources and their interdependencies, representing the order in which they need to be configured, for every client.
    - The master sends the appropriate catalog to each agent node.
    - The as-is state of the system is then configured according to the to-be state described in the manifest files.
    - If the system is already in the desired state, Puppet will not make any changes, making transactions idempotent.
    - Finally, the agent sends a report to the master, detailing what changes were made and any errors that occurred.
- Puppet secret protection with HashiCorp
  - Vault by HashiCorp
  - Vault documentation
  - Vault stores static secrets and can generate dynamic ones, such as for cloud access
  - Vault is usable via CLI and HTTP API; one authenticates against Vault using a token
  - And there is a Vault UI
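The run stages listed above (facts in, catalog compiled in dependency order, idempotent apply, report out) as a toy model in Python. This is an added illustration, not Puppet's own code: the manifest, facts, resource format ('type', 'title', 'ensure', optional 'require') and in-memory node state are all constructed here.

```python
"""Toy model of a Puppet agent run (added illustration, not Puppet's code).

Assumptions (not from the page): resources are dicts with 'type', 'title',
'ensure' and an optional 'require' list of "type[title]" references; the
node's as-is state is an in-memory dict mapping reference -> ensure value.
"""
from collections import defaultdict, deque

# Constructed facts, as Facter would report them from the agent to the master.
FACTS = {"hostname": "web01", "os": {"family": "Debian"}}

# Constructed "manifest": the desired (to-be) state, deliberately listed in
# the wrong order so that dependency ordering has to do real work.
MANIFEST = [
    {"type": "service", "title": "nginx", "ensure": "running",
     "require": ["package[nginx]", "file[/etc/nginx/nginx.conf]"]},
    {"type": "file", "title": "/etc/nginx/nginx.conf", "ensure": "present",
     "require": ["package[nginx]"]},
    {"type": "package", "title": "nginx", "ensure": "installed"},
]


def ref(res):
    """Resource reference in Puppet's Type[title] style."""
    return f"{res['type']}[{res['title']}]"


def compile_catalog(manifest, facts):
    """Master side: build the dependency graph and order resources so that
    every 'require' is applied first (Kahn's topological sort).
    Raises ValueError on a reference to an unknown resource or on a cycle."""
    by_ref = {ref(r): r for r in manifest}
    indegree = {k: 0 for k in by_ref}
    dependents = defaultdict(list)
    for k, r in by_ref.items():
        for dep in r.get("require", []):
            if dep not in by_ref:
                raise ValueError(f"{k} requires unknown resource {dep}")
            indegree[k] += 1
            dependents[dep].append(k)
    queue = deque(sorted(k for k, d in indegree.items() if d == 0))
    ordered = []
    while queue:
        k = queue.popleft()
        ordered.append(by_ref[k])
        for nxt in dependents[k]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                queue.append(nxt)
    if len(ordered) != len(by_ref):
        raise ValueError("dependency cycle in manifest")
    return {"node": facts["hostname"], "resources": ordered}


def apply_catalog(catalog, state):
    """Agent side: converge the as-is `state` to the catalog. Only resources
    whose current value differs are touched, so running the same catalog a
    second time changes nothing (idempotent). Returns the run report."""
    report = {"node": catalog["node"], "changed": [], "unchanged": []}
    for r in catalog["resources"]:
        k = ref(r)
        if state.get(k) == r["ensure"]:
            report["unchanged"].append(k)
        else:
            state[k] = r["ensure"]
            report["changed"].append(k)
    return report


if __name__ == "__main__":
    cat = compile_catalog(MANIFEST, FACTS)
    node_state = {}
    print("run 1:", apply_catalog(cat, node_state))  # everything changes
    print("run 2:", apply_catalog(cat, node_state))  # nothing changes
```

The first run reports all three resources as changed in the order package, file, service; the second run against the same state reports them all as unchanged, which is the idempotency property the list above describes.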
Hiera - a hierarchical database
Hiera basics
- Hiera - a built-in key-value configuration data lookup system,
  used for separating data from Puppet code
- Puppet uses Hiera to do two things:
  - Store the configuration data in key-value pairs
  - Look up what data a particular module needs for a given node during catalog compilation
- This is done via:
  - Automatic Parameter Lookup for classes included in the catalog
  - Explicit lookup calls
- Hiera's hierarchical lookups follow a 'defaults, with overrides' pattern, meaning you specify common data one time,
  and override it in situations where the default won't work.
- Hierarchies are configured in a hiera.yaml configuration file
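The 'defaults, with overrides' lookup described above, as an added Python illustration (not Hiera's or Puppet's code). The hierarchy mimics a hiera.yaml with %{facts...} tokens in its paths; the data that Hiera would read from the per-level YAML files is held inline in DATA, keyed by the interpolated path, and the facts are constructed. It goes slightly beyond the text by showing both a first-found lookup and a hash merge across levels.

```python
"""Toy Hiera-style hierarchical lookup (added illustration, not Puppet's code).

Assumptions (not from the page): the hierarchy levels and data files below
are constructed; data is held in a dict keyed by interpolated path instead
of being read from YAML files on disk.
"""
import re

# Constructed hierarchy, most specific level first (as in hiera.yaml).
HIERARCHY = [
    "nodes/%{facts.hostname}.yaml",
    "os/%{facts.os.family}.yaml",
    "common.yaml",
]

# Constructed contents of the data files, keyed by their path.
DATA = {
    "common.yaml": {
        "ntp::servers": ["0.pool.ntp.org"],
        "ssh::permit_root_login": "no",
        "profile::packages": {"curl": "present"},
    },
    "os/Debian.yaml": {
        "ntp::package": "ntp",
        "profile::packages": {"apt-transport-https": "present"},
    },
    "nodes/web01.yaml": {
        "ntp::servers": ["ntp.internal.example"],
        "profile::packages": {"nginx": "present"},
    },
}

TOKEN = re.compile(r"%\{facts\.([A-Za-z0-9_.]+)\}")


def interpolate(path, facts):
    """Replace each %{facts.a.b} token with the value from the nested facts
    dict. An unknown fact becomes the empty string, so that level's path
    simply matches no data file and the level is skipped."""
    def lookup(match):
        value = facts
        for part in match.group(1).split("."):
            if not isinstance(value, dict) or part not in value:
                return ""
            value = value[part]
        return str(value)
    return TOKEN.sub(lookup, path)


def hiera_lookup(key, facts, merge="first"):
    """Look `key` up through the hierarchy for a node with these facts.
    merge='first': the most specific level that defines the key wins
                   (defaults in common.yaml, overridden further up).
    merge='hash':  dict values from all levels are merged, with the more
                   specific level overriding keys of the less specific one.
    Returns None when no level defines the key."""
    levels = [DATA.get(interpolate(p, facts), {}) for p in HIERARCHY]
    found = [level[key] for level in levels if key in level]
    if not found:
        return None
    if merge == "first":
        return found[0]
    if merge == "hash":
        merged = {}
        for d in reversed(found):  # least specific first, so specific wins
            merged.update(d)
        return merged
    raise ValueError(f"unknown merge strategy: {merge}")


if __name__ == "__main__":
    web = {"hostname": "web01", "os": {"family": "Debian"}}
    print(hiera_lookup("ntp::servers", web))                   # node override
    print(hiera_lookup("ssh::permit_root_login", web))         # common default
    print(hiera_lookup("profile::packages", web, merge="hash"))  # merged
```

For web01 the node-level file overrides ntp::servers, ssh::permit_root_login falls through to common.yaml, and the hash merge of profile::packages collects entries from all three levels. A node with different facts, say a RedHat host with no node-level file, gets the common defaults and None for keys only defined under os/Debian.yaml.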
Hiera-eyaml for YAML file encryption
Hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within YAML files to be used by Puppet.
The command 'eyaml createkeys' creates a keypair in the default location
(/etc/puppet/keys/private_key.pkcs7.pem and /etc/puppet/keys/public_key.pkcs7.pem).
If using Hiera with Puppet, the puppetmaster needs to access these keys to perform decryption when the puppet agent runs on
a remote node. So for this reason, a suggested location might be to store them in /etc/puppetlabs/puppet/eyaml or
/var/lib/puppet/keys depending on your setup.
YAML
YAML (a recursive acronym for "YAML Ain't Markup Language") is a human-readable data-serialization language.
It is commonly used for configuration files and in applications where data is being stored or transmitted.
YAML targets many of the same communications applications as XML but has a minimal syntax.
It uses both Python-style indentation to indicate nesting, and a more compact format
that uses [...] for lists and {...} for maps, making YAML 1.2 a superset of JSON.
Unlike JSON, which can only represent data in a hierarchical model with each child node having a single parent,
YAML also offers a simple relational scheme that allows repeats of identical data to be referenced from two or more points
in the tree rather than entered redundantly at those points.
YAML is purely a data-representation language and thus has no executable commands.
Choria
An orchestration and backplane system
Foreman
Lifecycle management tool for physical and virtual servers
- The Foreman
- Hybrid cloud
- Works with Puppet, Salt and Chef
Atlassian
- Bitbucket - a Git-based source code repository hosting service owned by Atlassian
- Bamboo - a continuous integration and deployment tool