2016-10-29: Desired State and Maneuverability
I want to talk about my recent advances on infrastructure as code below. But first, did you know about the garden of the Ferme de Budé? I was just strolling around Petit-Saconnex and decided that after some years of being around I may actually explore what’s there. Another turn to quickly escape the main roads, at the least. I haven’t been there during market time, but I just might next time.
Ok, now to the main topic: First of all, excuse the militant title; it must have rubbed off from the Lean Enterprise book I’m just reading — it’s strange to think about the work in these terms, as usually the military implies a lot of suffering and terror. But anyway, I’ll suspend my criticism of the form for now, I mostly wanted to get some new ideas.
One of the things I have been focusing on at work is to make all the infrastructure choices for our environments explicit, which meant a lot of PowerShell and, most recently, Chef.
Today’s achievement was to get some recipes to my Mac in the cloud (tried out macincloud).
The steps I followed were: enabling public-key authenticated SSH connections, configuring sudo not to prompt for the password, setting up an SSH tunnel to VNC for verification, bringing up a Chef server, and then bootstrapping my Mac node with something like
knife bootstrap myhost.macincloud.com --ssh-user admin \
  --sudo --identity-file ../ssh_keys/macincloud \
  --node-name node1-macincloud --run-list 'recipe[mac_readme]'
Now the next, harder part, will be to figure out whether the prerequisites to one of our cool products we did at work (sorry, can’t go into more details about what it does) can actually be installed this way. It would be cool because it would mean we can actually scale out and get away from a model that involves one guy knowing all the quirks, walking around with a USB key. We’ll see.
Oh, of course if you have some experience with provisioning macs, do not hesitate to talk to me.
The Windows Servers
Of course on the Microsoft side, there’s a whole toolchain in the works around PowerShell DSC. One thing that bothered me until now was that when writing these resources, I had to execute some of them with domain accounts. There is, as always, a plain-text-password option that’s easy to set up, but that would have been bad for my self-esteem.
So I ventured into securing our MOF files, which got a lot easier once I actually understood the separation of environmental from structural configuration, something I didn’t even think of before (of course parametrizing the calls was obvious, but having an actual second file for it with all the convention support didn’t occur to me).
Now that’s achieved. I have a repeatable way to modify my MOFs, typing the necessary credentials and encrypting them with the correct public keys, which means I can check in what actually matters, the configuration and the environment data, without credentials ending up in source control, and not worry about it anymore.
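To make the separation concrete, here is an added example (not code from the post or from my actual setup) of a structural DSC configuration that takes a credential as a parameter, with the environmental data, including the node’s public certificate used to encrypt that credential, kept in a separate configuration-data hashtable. The node name, certificate path and thumbprint are placeholders.

```powershell
# Environmental data: lives in its own file and can be checked in, since it
# only contains the public certificate and node-specific settings.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName                    = 'node01'                  # placeholder
            PSDscAllowPlainTextPassword = $false                    # refuse plain-text credentials in the MOF
            PSDscAllowDomainUser        = $true                     # the credential is a domain account
            CertificateFile             = 'C:\certs\node01.cer'     # placeholder: node's public key (export without private key)
            Thumbprint                  = 'PLACEHOLDER_THUMBPRINT'  # placeholder: the LCM uses it to locate the private key
        }
    )
}

# Structural configuration: no credentials or environment values hard-coded.
Configuration ServiceAccountDemo {
    param(
        [Parameter(Mandatory)]
        [PSCredential] $DomainCred
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName {
        # $DomainCred is encrypted with the node's public key at compile time,
        # so node01.mof carries only the ciphertext.
        Group Administrators {
            GroupName        = 'Administrators'
            MembersToInclude = 'EXAMPLE\svc-deploy'   # placeholder domain account
            Credential       = $DomainCred
            Ensure           = 'Present'
        }
    }
}

# Meta-configuration: tell the node's LCM which private key decrypts the MOF.
[DSCLocalConfigurationManager()]
Configuration LcmCert {
    Node $AllNodes.NodeName {
        Settings { CertificateID = $Node.Thumbprint }
    }
}

# The credential is typed at compile time and never written to disk in clear.
$cred = Get-Credential -Message 'Domain account used by DSC'
ServiceAccountDemo -ConfigurationData $ConfigData -DomainCred $cred -OutputPath .\out
LcmCert             -ConfigurationData $ConfigData -OutputPath .\out
```

A quick check after compiling is to open .\out\node01.mof and confirm that the Password field is an opaque encrypted blob rather than the value you typed; with PSDscAllowPlainTextPassword left at $false, compilation fails instead of silently emitting clear text.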
This whole experience taught me again that the actual time spent focusing on articles, listening to talks and podcasts is really required to make smart choices here. I would say that talking to my colleagues on the infrastructure side helped as well, but I’m not yet at the stage where this would be natural.
There are many interesting non-tech side projects to which I would like to apply this approach as well, but it’s harder to get motivated (even though the increased options after having learnt about a subject should be an obvious win). Who knows, maybe it’ll work out.