Puppet Camp Charlotte 2015: Managing middleware with Puppet

Post on 07-Jan-2017

MANAGING MIDDLEWARE WITH PUPPET

Nate Loomis

key topics

WHAT IS MIDDLEWARE?

middleware is…

New Node Needed

App Deployed Provisioned

Middleware Installed

The step after the provisioned state where the middleware is installed is the key step in determining a server’s role.

Platform Ready

• Other names for middleware

  • Application Infrastructure

  • Peer-to-Peer Software

  • Application Software

• Types of middleware

  • Web Server software (like Apache HTTPD)

  • Application Server software (like JBoss Application Server or KONY Mobile Application Server)

  • Content Management systems (like Atlassian Confluence)

  • Messaging servers, MOMs, ESBs (like Apache ActiveMQ)

  • Orchestration (like Cisco Process Orchestrator)

  • API Management (like IBM API Management)

  • Tools that support application development and delivery (like Jenkins CI)

Middleware is the software layer that lies between the operating system and the applications on each side of a distributed computer network. Typically, it supports complex, distributed business software applications.

Source: Wikipedia

xkcd.com comic strip

WHY IS ACTIVE STATE MANAGEMENT OF MIDDLEWARE IMPORTANT?

why active management is important

Source: Popper, N (Aug 2, 2012) Knight Capital Says Trading Glitch Cost It $440 Million. The New York Times Company (online)

Source: Securities and Exchange Commission, sec.gov/litigation

• Misconfiguration of middleware can be costly.

• Middleware is also an ideal target.

CNET: DDoS attacks intensified in first half of 2014

The volume and intensity of DDoS attacks in the first half of the year reached new heights…

CNET: Heartbleed bug: What you need to know

The security vulnerability has implications for users across the Web…

CNET: New DoS attack uses Web servers as zombies

Imperva says Web server-based botnet offers more attack power…

Therefore, patching middleware is critical

• Finding the stable version

• Patching rapidly without stepping on the app-specific configuration

Active management is something to consider

Source: Top 50 Vulnerable products, CVEdetails.com – data from MITRE’s CVE website

WHAT ARE SOME SPECIFIC CHALLENGES TO MANAGING MIDDLEWARE?

specific challenges

• More than one software development lifecycle (SDLC)

• Ownership of directories with an automated approach

• Maintaining idempotency

• Managing customizations

• Naming conflicts

• Middleware configuration can be changed in three key events

1. Patching or update to standards

2. Prod fix made directly to server

3. Release of application with specific config needs

more than one software development lifecycle

Patching Support App Release

ownership of directories

• Segmenting ownership

• Backing module code

maintaining idempotency

Idempotence is a property where certain operations can be applied multiple times without changing the result.

• Example of idempotency = absolute value

abs(abs(abs(-1))) = 1
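
The same property in Puppet terms, as an added example that is not from the talk: one resource that changes the node on every run, and two ways of making the same change converge. The class names, file path and `JAVA_OPTS` value are constructed for illustration; `file_line` comes from puppetlabs-stdlib.

```puppet
# Added example. Class names, the file path and the JAVA_OPTS value are
# constructed for illustration.

# Not idempotent: every agent run appends the line again, the file keeps
# growing, and the resource reports a change on every run.
class middleware_demo::append_every_run {
  exec { 'set-heap-size':
    command  => 'echo "JAVA_OPTS=-Xmx1024m" >> /opt/middleware/bin/setenv.conf',
    path     => ['/bin', '/usr/bin'],
    provider => shell,
  }
}

# Idempotent with a guard: the command runs only while the exact line is
# missing, so a second run finds the line and does nothing.
class middleware_demo::guarded_exec {
  exec { 'set-heap-size':
    command  => 'echo "JAVA_OPTS=-Xmx1024m" >> /opt/middleware/bin/setenv.conf',
    unless   => 'grep -qxF "JAVA_OPTS=-Xmx1024m" /opt/middleware/bin/setenv.conf',
    path     => ['/bin', '/usr/bin'],
    provider => shell,
  }
}

# Idempotent by declaring the end state: file_line owns one line and leaves
# the rest of the file, including app-specific settings, untouched. A changed
# value replaces the matching line instead of adding a second one.
class middleware_demo::declared_line {
  file_line { 'middleware-heap-size':
    path  => '/opt/middleware/bin/setenv.conf',
    line  => 'JAVA_OPTS=-Xmx1024m',
    match => '^JAVA_OPTS=',
  }
}
```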

managing customizations

• How do we adopt a strategy that allows us to accommodate specific corporate requirements and still stay close to the community or forge module?

• Examples of typical customizations necessary for middleware:

1. Different package (often products must be hardened according to security baselines)

2. Asset tagging

3. Test automation hooks

4. Addition of the SSL Certificate and related files

5. Addition of plugins (like apache modules)

6. Support for multiple product versions

7. Modified directory permissions

8. Redirection of the logs to $logroot

9. Defaults for specific file resources

10. Custom functions or classes

naming conflicts

• Multiple middleware teams

• Multiple module authors

• Every class or defined type name maps directly to the filepath within Puppet’s modulepath.

• So how do we avoid duplicate resource declarations or path conflicts?

WHAT HAVE WE LEARNED THAT MAY BE USEFUL TO YOU?

lessons learned

1. You must bring the team members supporting the product along with you.

2. Only one system and team should be accountable for the configuration of the product.

3. Spend the time on the module to ensure it is idempotent.

4. Isolate company customizations in a wrapper module.

5. Give the rest back to the community.

isolate customizations in a wrapper

List of typical customizations from before:

1. Different package (often products must be hardened according to security baselines)

2. Asset tagging

3. Test automation hooks

4. Addition of the SSL Certificate and related files

5. Addition of plugins (like apache modules)

6. Support for multiple product versions

7. Modified directory permissions

8. Redirection of the logs to $logroot

9. Defaults for specific file resources

10. Custom functions or classes

Wrapper module approach

• puppet-apache

• puppet-wf_apache
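
The wrapper layout named above, as an added example that is not code from the talk or from the presenter's organization: a `wf_apache` class declares the upstream `apache` class unmodified and carries several of the listed customizations itself. It assumes the upstream module is puppetlabs-apache; the wrapper's parameter names, defaults, paths and package name are hypothetical.

```puppet
# wf_apache/manifests/init.pp (added example; not the presenter's code)
# Assumes the upstream module is puppetlabs-apache. Wrapper parameter names,
# defaults, paths and the package name are hypothetical.
class wf_apache (
  $package_name = 'httpd-hardened',              # 1. different package
  $logroot      = '/var/log/middleware/apache',  # 8. logs under $logroot
  $logroot_mode = '0750',                        # 7. directory permissions
  $servername   = $::fqdn,
  $ssl_cert     = '/etc/pki/tls/certs/wf_apache.crt',
  $ssl_key      = '/etc/pki/tls/private/wf_apache.key',
) {

  # Upstream class is declared unmodified; company values arrive as parameters.
  class { 'apache':
    apache_name      => $package_name,
    logroot          => $logroot,
    logroot_mode     => $logroot_mode,
    default_vhost    => false,
    server_tokens    => 'Prod',
    server_signature => 'Off',
    trace_enable     => 'Off',
  }

  # 5. plugins: load mod_ssl through the upstream module's own class.
  class { 'apache::mod::ssl':
    ssl_protocol => ['all', '-SSLv2', '-SSLv3'],
  }

  # 4. SSL certificate: the public cert ships with the wrapper; the private
  # key is assumed to be placed at $ssl_key by a separate secrets process.
  file { $ssl_cert:
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/wf_apache/wf_apache.crt',
  }

  apache::vhost { "${servername}-ssl":
    servername => $servername,
    port       => '443',
    docroot    => '/var/www/html',
    ssl        => true,
    ssl_cert   => $ssl_cert,
    ssl_key    => $ssl_key,
    require    => File[$ssl_cert],
  }
}
```

Nodes include only `wf_apache`, so an upstream patch is taken by updating the `apache` module while the company-specific values stay in the wrapper.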

give the rest back to the community

• Give back

• Your custom code becomes standard, community-supported code

• Growth opportunity for your team members

Wells Fargo IT and Legal have worked to determine a path for this to happen. Submission with corporate emails is a requirement.

QUESTIONS?