Avoid Shellshock and the Bash Plague with ManageIQ

Unless you've been under a rock the last few days, you've no doubt heard of the Shellshock vulnerability (CVE-2014-6271 and its follow-ups) affecting a large number of *nix machines with the Bash shell installed. Note that Bash doesn't even need to be the default shell: Debian and Ubuntu systems whose /bin/sh is Dash are still affected if Bash is installed, because scripts and services invoke Bash directly. Luckily, there's a way to get ahead of this mess: the policy engine in ManageIQ, combined with VM fleecing (SmartState Analysis, which reads a VM's installed packages from its disk even when the VM is powered off), lets you find the vulnerable VMs and turn them off. This video gives you the goods:

That video comes courtesy of John Hardy, all-around good guy (mostly) and CloudForms man about town. He wrote up an accompanying blog post that includes the bits needed for implementation:

Fancy finding out really quickly if your [Linux boxes] are patched correctly? Even if they are turned off right now? Wow, that is clever; not even the virtual infrastructure players can do that… I know… it's cool. Here it is:

Using CloudForms (or ManageIQ, for free!), download this policy and import it into Control. Then assign the policy to your targets. The policy will only check Linux systems, though it could do with a makeover to check only RHEL 6.5 systems too.

Download and import this policy profile (GitHub.com)
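The heart of any such policy is comparing the bash package that fleecing found on disk against the first fixed build, and that comparison must use RPM version ordering rather than string ordering. The following is an added example (not the policy linked above, and not ManageIQ project code) that shows the check over a constructed package inventory; the threshold versions, the inventory, and the service-model attribute names in the trailing comment are assumptions to be confirmed against your vendor advisory and your appliance:

```ruby
# Added example, not the policy from John Hardy's post: the core of a
# Shellshock check over a fleeced package inventory. SmartState Analysis
# ("fleecing") records each VM's installed packages from its disk, so the
# check works on powered-off VMs. The comparison must use RPM version
# ordering: as strings, "15.el6_5.10" sorts before "15.el6_5.2", which
# would mark a patched box as vulnerable.

# Illustrative thresholds only (assumption): set these from your vendor's
# advisory for CVE-2014-6271 / CVE-2014-7169, naming the release that carries
# the complete fix for your distribution.
FIXED_BASH = {
  "el6" => { epoch: 0, version: "4.1.2",  release: "15.el6_5.2" },
  "el7" => { epoch: 0, version: "4.2.45", release: "5.el7_0.4" },
}

# RPM's segment-wise version comparison (tilde/caret handling omitted).
# Returns -1, 0 or 1. Digit runs compare numerically, letter runs as strings,
# a numeric segment is newer than an alphabetic one, and when one side runs
# out of segments the longer one is newer.
def rpmvercmp(a, b)
  return 0 if a == b
  sa = a.scan(/\d+|[A-Za-z]+/)
  sb = b.scan(/\d+|[A-Za-z]+/)
  sa.zip(sb).each do |x, y|
    return 1 if y.nil?
    c = if x =~ /\A\d/ && y =~ /\A\d/
          x.to_i <=> y.to_i
        elsif x =~ /\A\d/
          1
        elsif y =~ /\A\d/
          -1
        else
          x <=> y
        end
    return c unless c.zero?
  end
  sb.length > sa.length ? -1 : 0
end

# Compare epoch, then version, then release, as rpm does.
def rpm_evr_cmp(installed, fixed)
  [:epoch, :version, :release].each do |f|
    c = rpmvercmp((installed[f] || 0).to_s, (fixed[f] || 0).to_s)
    return c unless c.zero?
  end
  0
end

# Classify one VM's package list. Packages are hashes with :name, :version,
# :release (and optionally :epoch), the fields a fleeced package row carries.
def bash_status(packages)
  bash = packages.find { |p| p[:name] == "bash" }
  return :no_bash if bash.nil?
  fixed = FIXED_BASH[bash[:release].to_s[/el\d+/]]
  return :unknown_distro if fixed.nil? # no threshold configured: do not guess
  rpm_evr_cmp(bash, fixed) < 0 ? :vulnerable : :patched
end

# Names of the VMs that a "power off" action should target.
def vulnerable_vms(inventory)
  inventory.select { |_, pkgs| bash_status(pkgs) == :vulnerable }.keys
end

# Constructed inventories standing in for what fleecing would report.
SAMPLE_VMS = {
  "web01"   => [{ name: "bash", version: "4.1.2", release: "15.el6_5.1" },
                { name: "httpd", version: "2.2.15", release: "31.el6" }],
  "web02"   => [{ name: "bash", version: "4.1.2", release: "15.el6_5.2" }],
  "db01"    => [{ name: "bash", version: "4.1.2", release: "15.el6_4" }],
  "app01"   => [{ name: "bash", version: "4.2.45", release: "5.el7_0.2" }],
  "build01" => [{ name: "bash", version: "4.2.47", release: "3.fc20" }],
  "win01"   => [{ name: "Notepad++", version: "6.6.9", release: "" }],
}

# Inside a ManageIQ Automate method the inventory would come from the VM
# service model and the outcome would drive the power action, roughly
# (attribute and method names assumed, not verified against the appliance):
#   vm   = $evm.root['vm']
#   pkgs = vm.guest_applications.map { |g| { name: g.name, version: g.version, release: g.release } }
#   vm.stop if bash_status(pkgs) == :vulnerable
if __FILE__ == $PROGRAM_NAME
  SAMPLE_VMS.each_key { |n| puts "#{n}: #{bash_status(SAMPLE_VMS[n])}" }
  puts "power off: #{vulnerable_vms(SAMPLE_VMS).join(', ')}"
end
```

Two details matter for a real policy: a VM whose distro has no configured threshold is reported as unknown rather than silently passed, and the epoch is compared first, so a vendor rebuild that bumps the epoch still orders correctly.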

Protect yourselves out there!

Sprint 12 Demo Results and Video

We just finished up the Sprint 12 demo; the sprint ended September 8.

If you want to read the highlights of the sprint demo, notes are posted below:

Sprint 12 Demo Highlights

  • Overview
  • Sprint Statistics
  • User Interface
  • Automate
  • Appliance
  • REST API
  • Fleecing

Sprints

  • 3 weeks long each ending on a Monday
  • GitHub Milestone per Sprint
  • GitHub Milestone called Roadmap

Sprint 12 Ended Sept 8

  • links to sprint issues
  • Over 90 Pull Requests Merged!
  • 63 issues labeled as "bug"
  • 15 issues labeled as "appliance"
  • 22 issues labeled as "enhancement"

User Interface

  • Form Buttons (css based)
  • Patternfly modified Bootstrap

Automate

  • EMS Refresh (Amazon virtualization type)
  • Exposed cloud relationship in service models
  • Persistent state data through retries
  • Automate Model changes
  • High level rubyrep changes

Amazon Virtualization Type

Service Models: Cloud Relationship

class Flavor
    expose :ext_management_system
    expose :vms
end

class FloatingIp
    expose :ext_management_system
    expose :vm
    expose :cloud_tenant
end

class SecurityGroup
    expose :ext_management_system
    expose :cloud_network
    expose :cloud_tenant
    expose :firewall_rules
    expose :vms
end

class AvailabilityZone
    expose :ext_management_system
    expose :vms
    expose :vms_and_templates
    expose :cloud_subnets
end

class CloudNetwork
    expose :ext_management_system
    expose :cloud_tenant
    expose :cloud_subnets
    expose :security_groups
    expose :vms
end

class CloudSubnet
    expose :cloud_network
    expose :availability_zone
    expose :vms
end

class EmsCloud
    expose :availability_zones
    expose :cloud_networks
    expose :cloud_tenants
    expose :flavors
    expose :floating_ips
    expose :key_pairs
    expose :security_groups
end

Persistent state data through retries

  • New automate methods for state machine methods:
    • state_var_exist?(var_name)
    • set_state_var(var_name, value)
    • get_state_var(var_name)

Example:

if $evm.state_var_exist?("test_data")
    test_data = $evm.get_state_var("test_data")
    # TODO: Something interesting
else
    # First time through, initialize data
    $evm.set_state_var("test_data", 1)
end
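What these methods buy you is a bounded retry loop: a state-machine step that polls for some external condition can ask the engine to re-run it, and the attempt counter survives each re-run because it lives in a state var rather than a local variable. The following is an added example, not code from the sprint notes or from the ManageIQ project; the FakeEvm stand-in for $evm, the power-state sequence and the 15-second interval are assumptions so that it runs outside an appliance:

```ruby
# Added example, not from the sprint notes: the retry pattern state vars make
# possible. A step that waits for an external condition (here, a VM reaching
# power state "on") asks the engine to re-run it by setting
# $evm.root['ae_result'] = 'retry'. Local variables do not survive a retry,
# so the attempt counter is kept in a state var and the step gives up after
# MAX_ATTEMPTS instead of retrying forever.

MAX_ATTEMPTS = 3

# Stand-in for $evm so the method runs outside an appliance (assumption: it
# mimics only the calls used here, with the signatures from the sprint notes).
class FakeEvm
  attr_reader :root
  def initialize(root)
    @root  = root
    @state = {}
  end
  def state_var_exist?(name); @state.key?(name); end
  def get_state_var(name);    @state[name];      end
  def set_state_var(name, v); @state[name] = v;  end
end

# The state-machine method. Returns the ae_result it set: 'ok', 'retry' or 'error'.
def wait_for_power_on(evm)
  vm = evm.root['vm']
  attempt = evm.state_var_exist?('power_on_attempts') ? evm.get_state_var('power_on_attempts') : 0
  attempt += 1
  evm.set_state_var('power_on_attempts', attempt)

  if vm[:power_state] == 'on'
    evm.root['ae_result'] = 'ok'
  elsif attempt >= MAX_ATTEMPTS
    # Bounded: without the persisted counter this branch could never be reached.
    evm.root['ae_result'] = 'error'
    evm.root['ae_reason'] = "VM #{vm[:name]} not powered on after #{attempt} checks"
  else
    evm.root['ae_result'] = 'retry'
    evm.root['ae_retry_interval'] = '15.seconds'
  end
  evm.root['ae_result']
end

# Simulates the engine re-invoking the step on every 'retry'. The constructed
# power-state sequence is what the provider would report on successive checks.
def simulate(power_states, vm_name = 'vm01')
  vm  = { name: vm_name, power_state: nil }
  evm = FakeEvm.new('vm' => vm)
  results = []
  power_states.each do |ps|
    vm[:power_state] = ps
    results << wait_for_power_on(evm)
    break unless results.last == 'retry'
  end
  results
end

if __FILE__ == $PROGRAM_NAME
  p simulate(%w[off off on])      # ["retry", "retry", "ok"]
  p simulate(%w[off off off off]) # ["retry", "retry", "error"]
end
```

On a real appliance the method body is the same with `$evm` in place of the `evm` argument; the engine honours `ae_result`, `ae_retry_interval` and `ae_reason` from `$evm.root`.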

Automate Model changes

  • Auto-placement run from a state machine step for Cloud and Infrastructure provisioning
  • Added common "Finished" step to all Automate state machine classes

Added eligible* and set* methods for cloud resources to provision task service model

  • eligible_availability_zones
  • eligible_cloud_networks
  • eligible_cloud_subnets
  • eligible_cloud_tenants
  • eligible_floating_ip_addresses
  • eligible_guest_access_key_pairs
  • eligible_instance_types
  • eligible_security_groups

Automate changes

Console

  • Config temp disk for OpenStack Fleecing
  • Key generation

Security

  • CertMonger Integration
  • IPA Research for Single Sign-On

Appliance

  • Ruby 2.0 changes (compatible with 1.9.3)
  • Logrotate now rotates our logs!
  • Gem upgrades for bugs/enhancements
  • haml
  • net-ldap
  • net-ping
  • Added/labelled issues for ruby2.x/rails4.x

REST API

  • Update for authentication
    • With external authentication (httpd) enabled against an IPA server
    • Fixed a bug so that the REST API and the Appliance Console honor the external credentials, as the Web UI already does, when targeting the /api entry point

VM Fleecing

XFS Filesystem Support

Moving on From Gluster

All good things must come to an end. I can say with no equivocation that the last three years have been the most rewarding from a work perspective than any other job I’ve ever had. When I accepted this challenge in May, 2011, I had no idea that the project and community would blossom as […]