Provisional Talks
Shipping your product with Puppet code - Julien Pivotto
This talk will give you advices on how to successfully ship your products together with the puppet code to deploy them. It will also show you the advantages of that method and give some general advices. This talk will target products that are shipped outside of your company, in an environment you do not manage entirely, so it is not another "Puppet 101" talk.
Intrusion Detection using the Linux Audit System - Stephen Quinney
Anyone who has battled with SELinux will be aware of the existence of the Linux Audit system but few people look further to discover the other useful features. The Linux Audit system provides the means to monitor all system activity at a low level with great detail. For example, it can be used to monitor any file access or the usage of any syscall. This means that it can be used to detect any attempts to compromise a system. This talk will demonstrate these useful features using various practical examples of how the system can be configured.
State of PostgreSQL Database 2015 - Dr Gianni Ciolli
Learn about latest news from the PostgreSQL database project, including an overview of features in most recent production release (9.4) and development releases (9.5). The presentation will include news from major development projects such as Bi-Direction Replication and AXLE for business intelligence. We’ll cover who's using Postgres, how they're using it, where they're using it and what they say.
CANCELED - Virtual Machine Lifecycle Management with Ansible – Toshaan Bharvani
This presentation is about a deployment of large number of physical and virtual machine. The setup uses KVM as a hypervisor for the virtual machines with libvirt as virtualization management and lower hardware level backend connections to interact with the physical machines. Machines are defined for specific functions and use templates to allow easy creation and setup. Web servers run a combination of Apache and nginx. Database machines run both MySQL and PostgreSQL databases for the specific applications. Bind is used to name machines and address them correctly. Samba and NFSv4 is used for global file serving with distributed frontends. For single user authentication OpenLDAP is used as for security and protection usage of SELinux and IPTables keep machines more secure. The whole setup, based mainly a combination of ansible, scripts and git.
Kerberos - Protocol and Practice – Kenneth MacDonald
Wikipedia tells us "Kerberos /ˈkɛərbərəs/ is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner."
You may be using Kerberos authentication every day without realising it as many major identity services implement it: RedHat's Free IPA, Apple's OS X to Microsoft's Active Directory. This session will help you build a deeper understanding of Kerberos.
An entertaining walk through the protocol will help to clear the fog of jargon surrounding the topic: keys, principals, realms, tickets, keytabs, credential caches, etc.
I will also describe an enhancement to the MIT Kerberos KDC which allows the University of Edinburgh to devolve some principal management across the organisation.
Open Source Monitoring with Icinga – Bernd Erk
Most sys admins have a love-hate relationship with Icinga/Nagios based monitoring solutions. Utilitarian and backed by a sizable community, users have learned to live with shortcomings in scaling, configuration and integration with tools common to modern architecture.
After tiring of fiddly hacks and convoluted configs, the Icinga team decided to build a new, accessible and flexible core. Icinga 2 was born – infinitely and easily scalable, even as a cluster-ready solution, with load balancing, automated replication and business process monitoring out of the box.
The talk will introduce Icinga 2’s innovative multi-threaded architecture and explain how it allows countless clusters of monitoring instances to run at speeds as yet unseen, all while minimizing maintenance. It will demonstrate how popular tools such as Graphite, Logstash and Puppet integrate better and easier than ever before. In addition to that the talk will introduce the new Icinga Web 2 interface and give a brief introduction into the technical architecture. A live demo will follow and well as a look into development plans to come.
Federated Access Management - Mark Cairney
Federated Access Management (FAM) systems have been in use in the Library and Educational IT communities for a number of years and have came about from a need to have common standards to allow external users access to services.
This is a high-level discussion with a brief history of FAM, how it ties in with an organisation's existing Single-Sign-On (SSO) infrastructure, the role that the Federation has in maintaining the trust relationships between organisation's Identity Providers (IdPs) and Service Providers (SPs) and now between federations and how it's being used by the wider (non-academic) community.
Beyond Blue-Green: Migrating a legacy application to CI and the Cloud – Stu Teasdale
This talk outlines how a small business took an existing application with months long release cycles, introduced Continuous Inegration, regular releaes, then migrated it to AWS from physical hardware.
Creating Tribblix – Peter Tribble
When the OpenSolaris project was closed, development continued under the illumos banner, and there is now a complete family of distributions based on illumos. The author will survey the illumos landscape,highlight recent developments, and describe the whys and wherefores, the trials and tribble-ations, of creating an eponymous distribution in his spare time.
An introduction to Btrfs – Richard Melville
With the availability of relatively cheap, large capacity hard disks, the likelihood of running out of disk space is relatively low. However, we may be in the process of re-organising our data storage by increasing the number, or capacity, of our disk array. Or, we may wish to substitute SSDs for our conventional HDDs.
Anybody who has run out of disk capacity will know just how frustrating it is. Equally, the re-organisation of our data is also time consuming and can be fraught with difficulty. If we have a RAID we can, of course, remove and replace drives on the fly as they become full, or even fail. With LVM we can extend, or shrink, file systems on the fly by changing the capacity of the data pool.
Wouldn't it be great, though, if we could combine all these functions, and more besides, into one set of tools? Furthermore, what if we could have these tools working at the file system level, rather than on a virtual layer above the file system?
Well, Sun Microsystems thought so too and developed the ZFS file system for use in its Solaris OS. Sun is now owned by Oracle but ZFS is still very much alive. Unfortunately, for GNU/Linux users, the CDDL licence that came with ZFS was not compatible with the GPL, so inclusion in the Linux kernel was just not possible. ZFS can be built as a module, but this is not very convenient for a file system, hence, the birth of Btrfs.
Btrfs could be seen as a ZFS for GNU/Linux. It is younger, and therefore not as complete as ZFS, but it is getting there. Linus Torvalds claims that it will be the default GNU/Linux file system when it is ready for production use, so it is worth becoming familiar with it now. The Btrfs file system is built into recent kernels, and additional userland tools, btrfs-progs, are provided for manipulating the file system.
This talk will be a basic introduction for those not yet familiar with the Btrfs file system.
Linux centralized identity and authentication interoperability with AD – Pieter Baele
Most authentication implementations either use 'plain old' LDAP, sometimes in combination with Kerberos and/or Samba. Lately there is also an interest in FreeIPA, especially on RHEL based platforms.
We created a setup using the LDAP server OpenDJ, AD Kerberos, the SSSD client system daemon and additional tools & scripts. This setup has been in use for about 2 years.
This talk will cover: - our requirements - design choices - an overview of the architecture, server and client-side - automation - administration and organization of entries - monitoring, using separate methods united in Zabbix. - problems we encountered
CANCELED - Intrusion detection through backups (and other security tricks) – Wim Godden
With more and more systems falling victim to hacking and data theft, you've probably read the list of things (not) to do to secure your system. But there are some special techniques most system engineers hardly know. In this talk we'll go through some of these special techniques that will help you to detect hacks AND recover from them quickly.
Puppet as a Legacy System – Nick Moriarty
This talk will discuss the advantages and issues around being an early adopter of new technology, using Puppet as an example to draw on our own experiences. Having used Puppet for over 5 years now, we've seen the language and capabilities evolve greatly. Coupled with the increasing size and diversity of our systems, this has led to a number of challenges surrounding upgrades and maintainability. We're currently in the midst of a major upgrade, which has provided us with an opportunity to step back and look at current methodologies is use elsewhere, to determine how we transform our existing code and infrastructure to take advantage of newer features - all without breaking the legacy infrastructure and keeping sysadmins happy.
Enhancing ssh for Security & Utility - David Proffitt
A stock installation of the secure shell server and client may not be as flexible or secure as you would like but there are many options that you may not be aware of, including:
Aliases Forwarding Conditional Matches Rate Limiting Access Control Disabling features you don't need Dealing with weak passwords Limiting users to specific tasks Interaction with PAM
Build management with a dash of prolog - Matt S. Trout
A finely honed hatred of every systems tool I have to work with led me to experiment with alternative ideas for build, configuration and deployment management.
Last year, I presented DX, a hybrid logic programming / planning language concept largely inspired by prolog, with a little help from haskell and lisp.
This year, it's time to show you something that actually runs.
Since it seems to me that any deployment tool should be capable of deploying itself, my first target has been perl dependency management and deployment.
Today I'd like you to meet cdx, a DX-based deployment tool. Built from the ground up to deal with full dependency graph resolution, conflict handling, it produces re-usable build artifacts so final deployment is pure file copying.
In the process I'll be covering the underlying conceptual model of the DX engine, and how it maps onto the goals of a build system - and showing how you can then glue it directly to indepedent code that does the heavy lifting and can be tested separately.
Trust me, it'll be fun. I'll bring tissues in case anybody's head explodes.