Securing and Extending Puppet for World Domination

Configuration management tools like Puppet and Chef are becoming essential to online business. They bring order and precision where there was once ~/bin/doit5. Surge's attendees may not have given their allegiance to a particular tool but I'm sure they're on-board with the idea of configuration management. In this session I'll share my experience integrating Puppet into the DevStructure service as part of our user-facing infrastructure. DevStructure offers development environments as a service and uses Puppet as the bridge between our web application and each of our users' servers.

Most DevStructure traffic can't be behind a firewall so security can't be subpar. I'll present the security concerns endemic to configuration management and operating over the Internet in general. I'll then walk through our solutions. Some use common tools like iptables and stunnel; some come from Puppet; some are the result of architectural decisions.

We need our system configurations to react not only to code changes but data changes. I'll walk through Puppet's plugin API and some of its internals. We'll build an example plugin that alters the configuration as directed by a web service. Regardless of your choice of configuration management tool, reacting to data changes is a powerful way to scale your infrastructure.