This weekend I am attending XML London at University College London, a 2 day conference on XML, Open Data, Digital Publishing, and Data Management. I am presenting a paper on XSpec. The paper is available here and the slides of my presentation are available here.
Serverless is gaining attention as the next big thing in the DevOps space after containers. Developers are excited because they don’t have to worry about servers any more; Ops may be sceptical and slightly worried to hear about a world without servers (and sys admin maintaining them). Can these two worlds co-exist? Can serverless just be another tool in the DevOps toolkit?
I recently implemented a real use case at work where we took advantage of an event-driven workflow to trigger Jenkins jobs originally created to be executed manually or on a schedule. The workflow is as follows:
1. New data is uploaded to an S3 bucket
2. The S3 event calls a lambda function that triggers a Jenkins job via the Jenkins API
3. The Jenkins job validates the data according to various criteria
4. If the job passes, the data is upload on an S3 bucket and a successful message is sent to a Slack channel
5. If the job fails, a message with a link to the failed job is sent to a Slack channel
Let’s start by creating a new user with the correct permissions in Jenkins. This allows to restrict what the lambda function can do in Jenkins.
In Manage Jenkins -> Manage Users -> Create User I create a user called lambda:
In Manage Jenkins -> Configure Global Security -> Authorization -> Matrix-based Security add the user lambda to User/group to add and set the permissions as in the matrix below:
This is a minimum set up and allows the lambda user to build jobs. According to your security policies, you may want to further restrict the permissions of the lambda user in order to run only some specific jobs (you may need role based authentication for setting this up).
Now let’s move to AWS and set up a IAM Role for the lambda function. Head to IAM -> Roles and create a new roles with the following policies (my role name is digiteum-file-transfer , sensitive information is obfuscated for security reasons):
This role allows to execute lambda functions, access S3 buckets as well as the Virtual Private Cloud (VPC).
I create an empty S3 bucket using the wizard configuration in S3 and name it gadictionaries-leap-dev-digiteum. This is the bucket that is going to trigger the lambda function.
Finally, let’s write the lambda function. Go to Lambda -> Functions -> Create a Lambda Function. Select Python 2.7 (read Limitations to see why I’m not using Python 3) as runtime environment and select a blank function.
In Configure Trigger, set up the trigger from S3 to Lambda, select the S3 bucket you created above (my S3 bucket is named gadictionaries-leap-dev-digiteum ), select the event type to occur in S3 (my trigger is set to respond to any new file drop in the bucket) and optionally select prefixes or suffixes for directories and file names (I only want the trigger to occur on XML files). Here is my trigger configuration:
In Configure Function, choose a name for your function (mine is
file_transfer ) and check out the following Python code before uploading it:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
from __future__ import print_function import json import urllib import boto3 import jenkins import os print('Loading lambda function') s3 = boto3.client('s3') # TODO: private IP of the EC2 instance where Jenkins is deployed, public IP won't work jenkins_url = 'http://123.45.56.78:8080/' # TODO: these environment variables should be encrypted in Lambda username = os.environ['username'] password = os.environ['password'] def lambda_handler(event, context): # Get the S3 object and its filename from the S3 event bucket = event['Records'][0]['s3']['bucket']['name'] filename = urllib.unquote_plus(event['Records'][0]['s3']['object']['key'].encode('utf8')) try: # Connect to Jenkins and build a job server = jenkins.Jenkins(jenkins_url, username=username, password=password) server.build_job('Pipeline/Digiteum_File_Transfer', {'filename': filename}) return 'Job Digiteum File Transfer started on Jenkins' except Exception as e: print(e) print('Cannot connect to Jenkins server or run build job') raise e |
Note the following:
As an example, here is the zip file to upload in Configure Function. It contains the lambda function and all the Python modules needed, including the python-jenkins module. Make sure you edit the private IP address of your Jenkins instance in line 12. If you need to install additional Python modules, you can follow these instructions.
Here is how my Configure Function looks like:
Note the name (it should read
file_transfer instead of
file_transfe ), the handler (as in the Python code above), and the role (as created in IAM). Note also that the username and the password of the Jenkins user lambda are provided as environment variables (ideally, you should encrypt these values by using the option Enable encryption helpers).
Once you’ve done the basic configuration, click on Advanced Settings. In here you need to select the VPC, subnet, and security group of the EC2 instance where Jenkins is running (all these details about the instance are in EC2 -> Instances). In fact, the lambda function needs to run in the same VPC as Jenkins otherwise it cannot connect to Jenkins. For example, here is how my advanced settings look like (sensitive information is obfuscated):
Finally, review your settings and click on Create Function.
Once you created a lambda function, configure a test event to make sure the lambda function behaves as intended. Go to Actions -> Configure test event and select S3 Put to simulate a data upload in the S3 bucket. You need to replace the bucket name (in this example gadictionaries-leap-dev-digiteum) and the name of an object in that bucket (in this example I uploaded a file in the bucket and called it test.xml). Here is a test example to adapt:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
{ "Records": [ { "eventVersion": "2.0", "eventTime": "1970-01-01T00:00:00.000Z", "requestParameters": { "sourceIPAddress": "127.0.0.1" }, "s3": { "configurationId": "testConfigRule", "object": { "eTag": "0123456789abcdef0123456789abcdef", "sequencer": "0A1B2C3D4E5F678901", "key": "test.xml", "size": 1024 }, "bucket": { "arn": "arn:aws:s3:::gadictionaries-leap-dev-digiteum", "name": "gadictionaries-leap-dev-digiteum", "ownerIdentity": { "principalId": "EXAMPLE" } }, "s3SchemaVersion": "1.0" }, "responseElements": { "x-amz-id-2": "EXAMPLE123/5678abcdefghijklambdaisawesome/mnopqrstuvwxyzABCDEFGH", "x-amz-request-id": "EXAMPLE123456789" }, "awsRegion": "us-east-1", "eventName": "ObjectCreated:Put", "userIdentity": { "principalId": "EXAMPLE" }, "eventSource": "aws:s3" } ] } |
Click on Save and Test and you should see the lambda function in action. Go to Jenkins and check that the job has been executed by user lambda . If it doesn’t work, have a look at the logging in AWS Lambda to debug what went wrong.
Finally, I set up a Slack integration in Jenkins so that every time the Jenkins job is executed, a notification is sent to a Slack channel. This also allows several people to get notified about a new data delivery.
First, install and configure the Slack plugin in Jenkins following the instructions on the GitHub page. The main configuration is done in Manage Jenkins -> Configure System -> Global Slack Notifier Settings. For example, this is my configuration:
Note that:
You typically want to add a notification to a specific Slack channel in your Jenkins job as a post-build action in order to notify the result of a job. In Jenkins go to your job’s configuration, add Post-build Actions -> Slack Notifications and use settings similar to these:
This sends a notification to the Slack channel (either the default one set in Global Slack Notifier Settings or a new one set here in Project Channel) every time a job passes or fails. When a notification is sent to Slack, I will look like this:
Now you can keep both technical and non-technical users informed without having to create specific accounts on Jenkins or AWS or spamming users with emails.
I ran into two problems that I was not yet been able to solve due to lack of time. I want to flag them as they can improve the lambda function and make it more maintainable. If anyone want to help me to fix this, please send me your comments.
|
1 |
DECRYPTED = boto3.client('kms').decrypt(CiphertextBlob=b64decode(ENCRYPTED))['Plaintext'] |
Integrating AWS Lambda and Jenkins requires a little bit of configuration but I hope this tutorial may help other people to set it up. If the integration needs to be done the other way round (i.e. trigger a lambda function from a Jenkins job), check out the AWS Lambda Plugin.
I believe integrating AWS Lambda (or any FaaS) with Jenkins (or any CI/CD server) is particularly suited for the following uses cases:
XSpec is an open source unit testing and behaviour driven development framework for XML technologies. I recently wrote an article on XSpec for XML.com that describes what XSpec is and provides a tutorial on how to write XSpec unit tests for XSLT.
XSpec is a unit test and behaviour driven development (BDD) framework for XSLT and XQuery. I picked up this open source project at work for testing our XSLT and I’m now actively contributing to it together with the XSpec community.
XSpec v0.5.0 has just been released and is the new XSpec release after 5 years. It includes new features like XSLT 3 support, JUnit report for integration with Continuous Integration tools, support for Saxon-B, etc. It also fixes long standing regression bugs as well as integration bugs in the code coverage, provides feature parity between the shell and batch scripts, integrates an automated test suite, and updates the documentation in the wiki. More information on the official release notes.
Git encourages branching but sometimes you need to do a clean up and delete merged or orphaned branches from your local and remote repositories. Here is the procedure from the command line.
To delete a branch locally:
|
1 |
git branch -d branchname |
You may get an error like this one if the branch has not been merged yet:
|
1 2 |
error: The branch 'branchname' is not fully merged. If you are sure you want to delete it, run 'git branch -D branchname' |
This is a good reminder in case you are deleting something you should not be deleting.
To delete a branch remotely (e.g. on a GitHub repository):
|
1 |
git push origin --delete branchname |
I recently added an SSL certificate to this website. I used Let’s Encrypt which is an awesome initiative to increase the use of HTTPS in websites by making SSL certificates free and easy to install.
My web hosting provider offers Let’s Encrypt certificates via cPanel so installing one for my website was as easy as clicking few buttons. If you are not that lucky, Let’s Encrypt provides instructions to install certificates via the shell as well as a list of hosting providers supporting Let’s Encrypt.
Once you have your SSL certificate installed on your server, you may want to force HTTPS so that any request for HTTP pages will automatically be redirected to HTTPS.
The Apache web server provides the .htaccess file to store Apache configuration on a per-directory basis. For example, if your website is stored under /var/www/html/mysite and you’re using Apache, you can create the following .htaccess file in that directory:
|
1 2 3 |
RewriteEngine On RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://sandrocirulli.net/$1 [R,L] |
The third line is the rewrite rule that forces HTTPS for any request made to the web server. Note that you need to have the mod_rewrite module installed on Apache to add rewrite rules for URL redirection.
Make sure that the URL in the rewrite rule is the one used in the SSL certificate. I initially put www.sandrocirulli.net in the rewrite rule even though I register the SSL certificate for sandrocirulli.net and all its sub-domains (including www.sandrocirulli.net ) and got nasty security warnings displaying on the browser. You can easily check the SSL certificate with any browser by clicking on the green padlock near the URL and select View Certificate or the like:
If the padlock near the URL displays a warning, click on it and see what’s the problem. I initially encountered issues with mixed content. This occurred because I had links to images on the websites with HTTP instead of HTTPS. All the major browsers allow you to see where the error occurs, just click on the warning and then Details or the like. Changing these links to HTTPS solved the issue with mixed content.
This week I’m giving a talk about Continuous Security with Jenkins, Docker Bench, and Amazon Inspector at CD Summit & Jenkins Days in Amsterdam and in Berlin. CD Summit & Jenkins Days are a series of conferences in the US and in Europe focusing on Continuous Integration (CI) and Continuous Delivery (CD).
This is the abstract of my talk:
Security testing is often left out from CI/CD pipelines and perceived as an ad hoc and one-off audit performed by external security experts. However, the integration of security testing into a DevOps workflow (aka DevSecOps) allows to achieve security by design and to continuously assess software vulnerabilities within a CI/CD pipeline. But how does security fit in the world of cloud and microservices?
In this talk I show how to leverage tools like Jenkins, Docker Bench , and Amazon Inspector to perform security testing at the operating system and container levels in a cloud environment and how to integrate them into a typical CI/CD workflow. I discuss how these tools can help assessing the risk of security vulnerabilities during development, improving security and compliance, and lower support costs in the long term.
I also present two demos showing how to integrate Docker Bench with Jenkins and how to run Amazon Inspector from Jenkins.
The slides of my talk are available here.
Amazon Inspector is an automated security assessment service on Amazon Web Services (AWS). It allows to identify security vulnerabilities at operating system and network levels by scanning the host against a knowledge base of security best practices and rules.
I recently integrated Amazon Inspector to run in a Jenkins job so that security testing can be automated and performed prior to deployment to production.
The first thing to do is to set up the assessment target and assessment template in Amazon Inspector. An assessment target allows to select the EC2 instances via their tags in order to include them in the security scan. Here is an example of my assessment target for the EC2 instances tagged as gadictionaries-leap-ogl-stage-v360 :
The assessment template allows to specify the type of scan and its duration and is linked to the assessment target set up above. Here is an example of my assessment template (ARN is masked for security reasons). I selected the Common Vulnerabilities and Exposures (CVE) rule package scanning for 15 minutes (one hour is the recommended duration time to reliable results).
We now move to the Jenkins configuration in order to run the security scan via a Jenkins job instead of using the AWS console.
The first thing to do is to make sure that openssh is installed on the instance where Jenkins is running and on the host you want to check. For example, on Ubuntu you can install openssh with:
|
1 |
sudo apt-get install openssh-server |
Then install the SSH Agent plugin in Jenkins. This will provide Jenkins with SSH credentials to automatically login into a machine on the cloud. Add the credentials in Jenkins -> Credentials -> System -> Global credentials (unrestricted) -> Add credentials -> SSH Username with private key. This is an example of my credentials for user jenkins (private key details are obfuscated):
Then create a Jenkins job and select the SSH agent credentials for user jenkins in Build Environment:
This will allow Jenkins to ssh into the machine with the private key stored securely (make sure you only grant permission to configure Jenkins to administrators otherwise your private keys are not safe).
I like to parameterize my builds so that I can run Amazon Inspector on a specific EC2 instance within a given Elastic Beanstalk stack:
Then we set up build and post-build actions. The build executes a shell script invoke_aws_inspector.sh pulled from the version control system. The post-build action provides the location of the JUnit file.
The shell script invoke_aws_inspector.sh looks like this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
# check parameters expected from Jenkins job if [[ -n "$HOSTNAME" ]] && [[ -n "$STACK" ]]; then # install and start AWS Inspector agent on host ssh -T -o StrictHostKeyChecking=no ec2-user@$HOSTNAME << 'EOF' curl -O https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install sudo bash install sudo /etc/init.d/awsagent start sudo /opt/aws/awsagent/bin/awsagent status exit EOF # run AWS Inspector from localhost export AWS_DEFAULT_REGION=us-east-1 python execute_aws_inspector.py # stop and uninstall AWS Inspector agent on host ssh -T -o StrictHostKeyChecking=no ec2-user@$HOSTNAME << 'EOF' sudo /etc/init.d/awsagent stop && sudo yum remove -y AwsAgent EOF else echo "ERROR! Parameters HOSTNAME and STACK required from Jenkins job security_checks_aws_inspector" exit 1 fi |
The shell script works as follows:
The Python script execute_aws_inspector.py uses the Boto3 library for interacting with AWS services. The script looks like this:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
import boto3 import os, sys import datetime, time import xml.etree.cElementTree as etree # initialize boto library for AWS Inspector client = boto3.client('inspector') # set assessment template for stack stack = os.environ['STACK'] if stack == 'gadictionaries-leap-ogl-stage-v360': assessmentTemplate = 'arn:aws:inspector:us-east-1:XXXXXXXXXXXXX:target/XXXXXXXXXXXXX/template/XXXXXXXXXXXXX' elif stack == 'gadictionaries-leap-odenoad-stage-v350': assessmentTemplate = 'arn:aws:inspector:us-east-1:XXXXXXXXXXXXX:target/XXXXXXXXXXXXX/template/XXXXXXXXXXXXX' else: sys.exit('You must provide a supported stack name (either gadictionaries-leap-ogl-stage-v360 or gadictionaries-leap-odenoad-stage-v350') # start assessment run assessment = client.start_assessment_run( assessmentTemplateArn = assessmentTemplate, assessmentRunName = datetime.datetime.now().isoformat() ) # wait for the assessment to finish time.sleep(1020) # list findings findings = client.list_findings( assessmentRunArns = [ assessment['assessmentRunArn'], ], filter={ 'severities': [ 'High','Medium', ], }, maxResults=100 ) # describe findings and output to JUnit testsuites = etree.Element("testsuites") testsuite = etree.SubElement(testsuites, "testsuite", name="Common Vulnerabilities and Exposures-1.1") for item in findings['findingArns']: description = client.describe_findings( findingArns=[ item, ], locale='EN_US' ) for item in description['findings']: testcase = etree.SubElement(testsuite, "testcase", name=item['severity'] + ' - ' + item['title']) etree.SubElement(testcase, "error", message=item['description']).text = item['recommendation'] tree = etree.ElementTree(testsuites) tree.write("inspector-junit-report.xml") |
The Python script works as follows:
Finally, here is an example of Test Result Trend and JUnit test results showing security vulnerabilities on an EC2 instance running unpatched packages:
Happy security testing with Jenkins and Amazon Inspector!
This week I am attending XVII Euralex International Congress, a lexicographic conference held between 6th and 10th September 2016 in Tbilisi, Georgia. The theme of this edition of Euralex is Lexicography and Linguistic Diversity.
On Wednesday 7th September I am giving a software presentation on API-powered dictionaries covering the work my colleagues and I have recently been doing on the Oxford Global Languages (OGL) initiative and the Oxford Dictionaries API. Here are the slides of my talk and the paper included in the conference proceedings.
Docker Bench is an open source tool for automatically validating the configuration of a host running Docker containers. The tool has been written among others by Diogo Mónica, security lead at Docker, and performs security checks at the container level following Docker’s CIS Benchmark recommendations.
As you would expect, the easiest way to run Docker Bench is via a Docker container. Just make sure you have Docker 1.10 or better, download the Docker image:
|
1 |
docker pull docker/docker-bench-security |
and run the Docker container as follows:
|
1 2 3 4 5 6 |
docker run -it --net host --pid host --cap-add audit_control \ -v /var/lib:/var/lib \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd \ -v /etc:/etc --label docker_bench_security \ docker/docker-bench-security |
This will automatically generate some output as in the animated gif above with an assessment of possible Docker security issues.
I recently combined Docker Bench with Jenkins in order to integrate security testing into a typical DevOps workflow on the cloud – call it DevSecOps if you like buzzwords… This requires a little bit of Jenkins configuration but it’s not too difficult to follow.
The first thing to do is to make sure that openssh is installed on the instance where Jenkins is running and on the host you want to check. For example on Ubuntu you can install openssh with:
|
1 |
sudo apt-get install openssh-server |
Then install the SSH Agent plugin in Jenkins. This will provide Jenkins with SSH credentials to automatically login into a machine on the cloud. Add the credentials in Jenkins -> Credentials -> System -> Global credentials (unrestricted) -> Add credentials -> SSH Username with private key. This is an example of my credentials for user jenkins (private key details are obfuscated):
Then create a Jenkins job and select the SSH agent credentials for user jenkins in Build Environment:
This will allow Jenkins to SSH into the machine with the private key stored securely (make sure you only grant permission to configure Jenkins to administrators otherwise your private keys are not safe).
I like to parameterize my builds so that I can run Docker Bench on any host reachable with the private key:
Finally, select Execute shell in the build and paste this shell script (you may want to put it under version control and retrieve it from there via Jenkins):
|
1 2 3 4 5 6 |
ssh -T -o StrictHostKeyChecking=no ec2-user@$HOSTNAME << 'EOF' sudo docker pull docker/docker-bench-security && \ sudo docker run --net host --pid host --cap-add audit_control -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock -v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker_bench_security docker/docker-bench-security && \ sudo docker rm $(sudo docker ps -aq -f status=exited) && \ sudo docker rmi docker/docker-bench-security EOF |
It works likes this:
The Jenkins console output shows the result of running Docker Bench on a specific host. Now you have to assess the results as you may see several warnings and they may just be false positives. For example, this warning may be acceptable for you:
|
1 2 |
[1;31m[WARN][0m 1.5 - Keep Docker up to date [1;31m[WARN][0m * Using 1.11.1, when 1.12.0 is current as of 2016-07-28 |
This means you are not running the latest version of Docker. This may not be an issue (unless Docker released a security release) especially if your Linux distribution hasn’t got the latest version of Docker available in its repositories.
In my case this warning was a false positive:
|
1 |
[1;31m[WARN][0m 2.1 - Restrict network traffic between containers |
In fact, I need several containers to communicate between them so that restriction does not apply to my use case.
This warning should be taken much more seriously:
|
1 2 |
[1;31m[WARN][0m 4.1 - Create a user for the container [1;31m[WARN][0m * Running as root: container-name-bbf386c0b301 |
This means you are running a container as root. This is unsecure as if a nasty intruder manages to get inside the containers s/he can run any command in it. Basically, it’s like running a Linux system as root which is a bad security practice.
Once you have assessed your warnings, you may want to filter out the false positives. For example, you can use the Post build task plugin to make the build fail if the build log output contains a warning that you assessed as a security risk. You can use a regular expression to match the pattern identified above.
It would be good to get the Docker Bench output in JUnit format so that Jenkins can understand it natively but this option is currently not implemented in Docker Bench.
Happy security testing with Jenkins and Docker Bench!