
Design Summit - Advanced policy state management - John Hardy

Date post: 30-Jun-2015
Upload: manageiq
Description:
Using ManageIQ as an advanced policy engine for cloud and virtualization. Control all of the things! For more on ManageIQ, see http://manageiq.org/
Transcript
Page 1: Design Summit - Advanced policy state management - John Hardy

Advanced Policy State Management

Brad Ascar

Red Hat Field Product Manager - CloudForms

Page 2

Agenda

•  What is policy
•  Use Case Overview
•  Use Case Detailed
•  How it Works
•  Take Away
•  Compliance Policy
•  Questions

Page 3

Laying the groundwork

People have different views of what policy management is. ManageIQ policy can be categorized into three buckets, and you can adopt them at your own pace and within your own scope:

•  Alerts – passive: let someone or something know when something is not right, through things like email or SNMP traps.
•  Compliance – regulatory types of things: pass/fail, reporting.
•  Policy enforcement – actually remediating conditions in your environment. For example, if someone or something tries to clone a workload that isn’t allowed, ManageIQ steps in and stops the action.

Page 4

Laying the groundwork 2

Another key piece of policy is that you decide the scope in which it applies. You choose the portions of the infrastructure or cloud that the policy applies to, and then use tagging as part of the conditions. Example: you enable a policy profile on the production cluster, but then apply it only to workloads tagged Gold or Platinum.

Page 5

Use Case Overview

Protect the environment from an incorrect baseline of applications.

Page 6

Solution Overview

This is a key feature of ManageIQ, better known in the product as Control; the feature provides state management of the enterprise. We will use policy simply to stop a virtual machine from starting if it breaks policy. The policy will key on the version of an application in the sample workloads. We will close the loop on the automation by notifying the help desk, sending an email about the incident and placing the event on the timeline.

Page 7

Use Case Detail - How it works - 1

We are going to show how we can create policies that match the business or IT process rules in the customer's organization and provide cradle-to-grave automation. The big thing with this use case is that it is all about the use cases. Problem: if you stare at the product feature you will see only a number of options; if you stand back and read the business or IT processes you will have a far better understanding of how ManageIQ will be able to provide a solution.

Page 8

Use Case Detail - How it works - 2

So the best way to look at Control is through use cases. Here are some to get you thinking.

Process – Security does not allow more than one NIC on DMZ-based workloads, for fear of bridging networks.

ManageIQ Solution – Create a policy that checks for hardware changes on virtual machines; if the virtual machine has more than one NIC, then notify the helpdesk.

Here is another use case…

Page 9

Use Case Detail - How it works - 3

Process – Windows Domain Controllers are not allowed to be cloned.

ManageIQ Solution – Create a policy that is executed when a clone job is launched; check whether the workload being cloned is a domain controller and cancel the task if it is.

Page 10

Use Case Detail - How it works - 4

With the two use cases you may have noticed a sequence. This is known as ECA.

E – Event
C – Condition
A – Action

Policies always have an Event and an Action. Optionally, a Condition decides whether the Action is processed. Let's review one of the previous use cases with respect to this rule.

Page 11

Use Case Detail - How it works - 5

Process – Security does not allow more than one NIC on DMZ-based workloads, for fear of bridging networks.

ManageIQ Solution:
Event – Launch the policy on the event “reconfigure hardware”.
Condition – Is this VM in a DMZ? And is the NIC count > 1?
Action – If both conditions are true, execute an action to email the security team. Better yet, cancel the offending event and email the security team.

Page 12

Use Case Detail - How it works - 6

The number of Events is finite, in that they are listed by the provider, though there are some that are built in to ManageIQ too. Here is a sample extract of the list.

Page 13

Use Case Detail - How it works - 7

The number of Actions is infinite: ManageIQ ships with a good list of out-of-the-box actions, but they can be extended to run anything you can dream of.

Page 14

Use Case Detail - How it works - 8

An action can be an Automate workflow, which could call a script to perform any task.

Page 15

Use Case Detail - How it works - 9

Conditions can be anything you want them to be; here are some examples.

Page 16

Use Case Detail - How it works - 10

The use case that the lab will go through is stopping the start-up of virtual machines that match an application baseline; in this case it is SQL Server v10 (2008). Here are the ECA elements that make up the policy: Events, Conditions, Actions.

Page 17

Use Case Detail - How it works - 11

Event

The event being caught by the policy is VM Power On. This means that whenever a VM is powered on, the management system (vSphere) will broadcast the event to the message bus, which ManageIQ will capture, and raise the policy.

Condition

Because the policy is fired on every power-on event, a couple of things should be done. This policy does not set a scope, but that is an option: you could set the scope of the policy to any query you wish, and a good example may be “Windows Machines”. If your filter condition is going to look in a registry for a value, then why would you do this for Linux machines? Therefore setting the scope is a good best practice. The policy we are reviewing has a condition that filters on whether the application SQL 2008 is version 10. Here is the actual condition:

Return TRUE = If Guest Application found SQL and version is 10

Page 18

Use Case Detail - How it works - 12

Action

We have three actions on this policy; these will happen if the condition returns true.

•  Stop the Virtual Machine – Simply send a stop request to the management system to stop the virtual machine.
•  Send Email to Help Desk – Send an email to the helpdesk stating that this policy has hit a true condition for SQL 10 being found.
•  Log to TimeLine – ManageIQ will record this event on the timeline. Here is an example.
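The ECA sequence from pages 10 through 12 (an optional scope, then the condition, then the actions, on the VM Power On and reconfigure-hardware events), as an added example written in Ruby for this transcript; it is not ManageIQ's own code. The VM record, the event names (vm_power_on, vm_reconfigure), the action names and the tag network/dmz are assumptions made for the example, and the actions only record what they would do instead of calling a management system or mail server.

```ruby
# Added example (not ManageIQ code): a toy Event-Condition-Action evaluator
# modelled on the Control policies described in the deck. The VM shape, the
# event names and the action names are assumptions made for this example.

Policy = Struct.new(:name, :event, :scope, :condition, :actions, keyword_init: true)

# Scope, per the deck's advice: only evaluate the registry/application check on
# Windows machines, so the condition never runs against Linux workloads.
WINDOWS_ONLY = ->(vm) { vm[:os].to_s.match?(/windows/i) }

# Condition from the lab use case: TRUE if a guest application named SQL is
# found and its major version is 10 (SQL Server 2008).
SQL_SERVER_V10 = lambda do |vm|
  vm[:guest_applications].any? do |app|
    app[:name].match?(/SQL/i) && app[:version].split(".").first == "10"
  end
end

# Condition from the DMZ use case: workload tagged DMZ with more than one NIC.
DMZ_MULTI_NIC = ->(vm) { vm[:tags].include?("network/dmz") && vm[:nic_count] > 1 }

# Actions only record what they would do (and update the in-memory VM), so the
# example runs offline instead of calling a management system or mail server.
ACTIONS = {
  "vm_stop"        => ->(vm, audit) { vm[:power_state] = "off"; audit << "stop #{vm[:name]}" },
  "email_helpdesk" => ->(vm, audit) { audit << "email helpdesk about #{vm[:name]}" },
  "email_security" => ->(vm, audit) { audit << "email security about #{vm[:name]}" },
  "cancel_event"   => ->(vm, audit) { audit << "cancel event on #{vm[:name]}" },
  "timeline_log"   => ->(vm, audit) { vm[:timeline] << "policy hit"; audit << "timeline #{vm[:name]}" },
}.freeze

POLICIES = [
  Policy.new(name: "Stop SQL Server v10 on power on", event: "vm_power_on",
             scope: WINDOWS_ONLY, condition: SQL_SERVER_V10,
             actions: %w[vm_stop email_helpdesk timeline_log]),
  Policy.new(name: "No more than one NIC in the DMZ", event: "vm_reconfigure",
             scope: nil, condition: DMZ_MULTI_NIC,
             actions: %w[cancel_event email_security]),
].freeze

# Dispatch one event. Every policy bound to the event is checked: the optional
# scope first, then the condition; the actions run only when both hold.
# Returns the audit trail of actions taken.
def raise_event(event, vm, policies = POLICIES)
  audit = []
  policies.select { |p| p.event == event }.each do |p|
    next if p.scope && !p.scope.call(vm)
    next unless p.condition.call(vm)
    p.actions.each { |name| ACTIONS.fetch(name).call(vm, audit) }
  end
  audit
end

# A constructed VM record; guest_applications stands in for SmartState inventory.
def sample_vm(overrides = {})
  base = { name: "db01", os: "Windows Server 2008", power_state: "on", nic_count: 1,
           tags: [], timeline: [],
           guest_applications: [{ name: "Microsoft SQL Server", version: "10.0.1600" }] }
  base.merge(overrides)
end

if __FILE__ == $PROGRAM_NAME
  vm = sample_vm
  p raise_event("vm_power_on", vm)                       # stop, email helpdesk, timeline
  p vm[:power_state]                                     # "off"
  p raise_event("vm_power_on", sample_vm(os: "RHEL 7"))  # [] - out of scope, condition never evaluated
end
```

The scope check short-circuits before the condition is evaluated, which is the point the deck makes about not running a Windows registry lookup against Linux machines; a VM running SQL Server version 11 is in scope but fails the condition, so no action fires.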

Page 19

Use Case Detail – Who?

Interestingly, the application of Policy State Management can span a number of consumers.

IT Dept – Will want to automate processes to ensure that workloads, Hosts and Storage are implemented and configured correctly for operational management.

Performance – The Capacity and Performance team may want to use policies to ensure that the environment is configured optimally according to their guidelines.

Security – The Security department will most definitely want to utilize policies to enforce their protocols on the environment.

Whilst currently the IT Department may be responsible for implementing all processes in the environment, it is advantageous for them to adopt policy state management. If implemented correctly, this will allow the IT department to meet the requirements of other departments through automation, without error, giving them more time to expend on other projects.

Page 20

Use Case Detail – Take Away

Key facts

The data being used in the policy can be SmartState or Container data. This means thousands of attributes can be evaluated and values processed with simple conditional processing, or even with complex Ruby and regular expression support.

With ManageIQ attached to the management system and performing State Management, e.g. Control Policies, you can use ANY way to start a VM; ManageIQ will stop it if it matches the policy. When ManageIQ is there it controls the environment: ManageIQ sits on top of the management system.

Page 21

Touching on SmartState

If you heard Jason Frey on the podcast, or you have been using ManageIQ for a bit, you may know about SmartState. For those that don’t know about SmartState, or “fleecing” as we like to call it around here, we will do a brief overview of the functionality and why it matters.

Page 22

Tags and chaining

Tagging is a very powerful thing in ManageIQ. In addition to its power for categorizing data comes the way it can be used for control. One way that can be done is by using tags to signify changes. Some of the events that can be used for policy are tagging events. You could construct an entire chain of events simply using tagging to show the start, middle and stop of a process.

Page 23

Compliance

Compliance policies are specifically designed to secure your environment by checking conditions that you create. These conditions can include the same conditions that you would use in a control policy, and most of the procedures are the same. However, a compliance policy automatically assigns the Mark as Compliant action when the virtual machine or host passes all of the conditions. If any of the conditions are not met, then the virtual machine or host is marked as noncompliant.

Page 24

Compliance – Real life examples

Anyone hear about HeartBleed? How about ShellShock? Did you see on the ManageIQ.org website how quickly there was an example of how to detect these situations? So if you implemented those, you can then do things like tagging the workload, and they then get automatically marked as non-compliant. What can you do next? Some of the events that can be picked up are compliance related:

Page 25

Compliance – Real life examples continued

So if it is found to be non-compliant, and you use something like a tag to indicate which compliance issue you have found, you could then send a message not only to security, but also to a configuration management system like Red Hat Satellite, Chef or Puppet to go and fix the workload. What if you found the situation on non-started workloads? What about systems that at the current time don’t have a NIC assigned, so they cannot get on the network? Maybe you tag them as quarantine and then use a control policy to not allow any workload tagged as quarantine to start.
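The compliance-to-control chain from pages 23 through 25, as an added Ruby example written for this transcript and not ManageIQ's own code: checks run over collected inventory (so they also work for powered-off workloads and for VMs without a NIC), a failed check marks the VM noncompliant and tags it with the failed check plus a quarantine tag, a hand-off message is built for a configuration management system, and a control check on power-on refuses quarantined workloads. The package names, the minimum versions, the tag names and the message format are constructed for the example.

```ruby
# Added example (not ManageIQ code): a compliance evaluation chained to a
# control decision through tags, as the deck describes. Package names, minimum
# versions, tag names and the hand-off message are assumptions for the example.
require "rubygems" # Gem::Version gives a sane version comparison

# Minimum package versions are constructed placeholders, not recommendations.
MIN_VERSIONS = { "openssl" => "1.0.2", "bash" => "4.3" }.freeze

def package_at_least?(vm, pkg)
  have = vm[:packages][pkg]
  !have.nil? && Gem::Version.new(have) >= Gem::Version.new(MIN_VERSIONS.fetch(pkg))
end

# Each compliance check is a name and a predicate over the VM's collected
# inventory. Because they read inventory rather than touching the guest over
# the network, they work for powered-off VMs and VMs with no NIC.
COMPLIANCE_CHECKS = {
  "openssl_patched" => ->(vm) { package_at_least?(vm, "openssl") },
  "bash_patched"    => ->(vm) { package_at_least?(vm, "bash") },
}.freeze

# Evaluate every check. Passing all of them gets the compliant mark; any failure
# marks the VM noncompliant and tags it with the failed check and a quarantine
# tag, which is the chaining step later policies key on. Returns failed checks.
def check_compliance(vm, checks = COMPLIANCE_CHECKS)
  failed = checks.reject { |_, predicate| predicate.call(vm) }.keys
  # Clear tags written by an earlier run so a re-check reflects the current state.
  vm[:tags].delete_if { |t| t.start_with?("compliance/") || t == "lifecycle/quarantine" }
  if failed.empty?
    vm[:compliance] = "compliant"
  else
    vm[:compliance] = "noncompliant"
    failed.each { |name| vm[:tags] << "compliance/#{name}" }
    vm[:tags] << "lifecycle/quarantine"
  end
  failed
end

# Hand-off for a configuration management system (constructed message shape):
# which workload, and which checks it failed, read back from the tags.
def remediation_request(vm)
  return nil if vm[:compliance] == "compliant"
  { target: vm[:name],
    failed_checks: vm[:tags].grep(/\Acompliance\//).map { |t| t.sub("compliance/", "") } }
end

# Control policy on VM Power On: a quarantined workload is not allowed to start.
def allow_power_on?(vm)
  !vm[:tags].include?("lifecycle/quarantine")
end

# A constructed inventory record for a powered-off VM with no NIC attached.
def inventory_vm(overrides = {})
  base = { name: "app01", power_state: "off", nic_count: 0, tags: [],
           packages: { "openssl" => "1.0.2", "bash" => "4.3" } }
  base.merge(overrides)
end

if __FILE__ == $PROGRAM_NAME
  vm = inventory_vm(name: "legacy01", packages: { "openssl" => "1.0.1", "bash" => "4.3" })
  p check_compliance(vm)     # ["openssl_patched"]
  p remediation_request(vm)  # {:target=>"legacy01", :failed_checks=>["openssl_patched"]}
  p allow_power_on?(vm)      # false
  vm[:packages]["openssl"] = "1.0.2" # the configuration management system fixed it
  check_compliance(vm)
  p allow_power_on?(vm)      # true
end
```

The quarantine tag is the only thing the power-on control check looks at, so the compliance policy and the control policy stay small and independent pieces that chain through the tag, and re-running the compliance check after remediation lifts the quarantine without any other coordination.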

Page 26

Real world

As we have shown, you can use some very small pieces of both Policy and Compliance to enhance your operations. This is some of the power of the ManageIQ system: you can create some very small discrete pieces of logic that chain together to give you a solution greater than the sum of the parts. Each in its own right is easy to create, but all together they can really help you enhance your operation.

Page 27

Wrapping it up

Q&A

Page 28

Contact info

Brad Ascar
Red Hat, Inc.
Field Product Manager, Cloud Management Products BU
[email protected]

