SysAdm: Simplifying FreeBSD Administration
Ken Moore
October 8th, 2016
Ohio Linux Fest
Introduction
● New tool created by the TrueOS developers for administering FreeBSD systems.
● Comes in three parts:
  ● SysAdm Server (FreeBSD only)
  ● SysAdm Client (cross-platform)
  ● SysAdm Bridge (still in development)
SysAdm Server
● The server is the brains of the project, and is the “middleware” component used to facilitate the interactions between the user and the system.
● The binary can be run in two modes: a tcp/REST server, or a websocket/JSON server. Both modes can run at the same time on different sockets for multiple access methods.
● The server has no internal database. All information the server reports about the system is read directly from the system, and all changes are applied directly to the system itself. This allows it to complement traditional SSH access/management of the system rather than work against it.
SysAdm Server
[Architecture diagram, stages as listed on the slide: Auth/Blacklist; Internal systems (SSL Keys, Proc Dispatcher); External Systems (modular design: easy to add or update); Send out replies]
Some current “classes”:
● User Manager (pw)
● Service Manager (service)
● Firewall Manager (ipfw)
● IOCage Jails (iocage)
● IOHyve VM's (iohyve)
● Data Backup (lpreserver)
● Update Manager (pc-updatemanager)
● Package Manager (pkg)
Full list available at: http://api.sysadm.us
SysAdm Server: Security
● Latest TLS transport encryption (https or wss)
● Authentication via username/password OR external SSL public/private key pair
● Strict connection timeouts and blacklisting
● Privilege separation between full/limited access to subsystems (wheel/operator groups)
● Ability to disable the user/pass auth system and allow pre-shared SSL key access only.
SysAdm Server: Websocket vs REST
WebSocket
● Long-lived connection
● Pure JSON input/output
● Auth once, with timeout or disconnection from inactivity.
● Spontaneous “events” can be obtained from the system for notifications or status updates
REST
● Single-request connection
● Mixture of REST w/ JSON
● Auth with user/pass only, on every request
SysAdm Server: Websocket vs REST
Websocket
● API example call:
  {
    "namespace" : "rpc",
    "name" : "query",
    "id" : "UniqueID",
    "args" : {}
  }
REST
● API example call:
  GET rpc/query <version>
  Authorization:<base64>
  {<JSON args>}
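The two request shapes above, worked through as an added example (not SysAdm project code): the websocket side tags each request with a unique "id" so replies on the long-lived connection can be matched back to the request that caused them, and any message with no pending id is filed as one of the spontaneous events the previous slide mentions; the REST side re-sends credentials on every call. The "user:password" layout inside the base64 Authorization value is an assumption (HTTP Basic convention); the slide only shows <base64>.

```python
import base64
import json
import uuid


def ws_request(namespace, name, args=None, req_id=None):
    """Build one websocket/JSON request in the slide's message layout."""
    return {
        "namespace": namespace,
        "name": name,
        "id": req_id or uuid.uuid4().hex,  # unique per request
        "args": args if args is not None else {},
    }


class WsSession:
    """Outstanding requests on one long-lived websocket connection."""

    def __init__(self):
        self.pending = {}  # request id -> request dict
        self.events = []   # server-initiated messages (no pending id)

    def send(self, request):
        """Record the request id, return the JSON text to put on the wire."""
        self.pending[request["id"]] = request
        return json.dumps(request)

    def receive(self, raw):
        """Match an incoming message to its request by id.

        Returns (request, reply) for a matched reply, or None when the
        message carried no pending id and was filed as a spontaneous event.
        """
        msg = json.loads(raw)
        req = self.pending.pop(msg.get("id"), None)
        if req is None:
            self.events.append(msg)
            return None
        return req, msg


def rest_request(version, user, password, args=None):
    """Render the single-request REST form; credentials go on every call.

    The "user:password" layout inside the base64 value is an assumption.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "\n".join([
        f"GET rpc/query {version}",
        f"Authorization:{token}",
        json.dumps(args if args is not None else {}),
    ])
```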
SysAdm Client
● Graphical client written purely in Qt5
● Fully cross-platform (FreeBSD, Windows, and OSX builds are automated right now)
● Multi-system management:
  ● Set up connections to multiple SysAdm servers/systems
  ● Keep informed with regular system health checks
  ● Arrange logical “groups” of systems for ease of use in large deployments (group management operations coming soon!)
● Localhost connections do not require internet access (TrueOS)
SysAdm Client: Security
● Generate a unique SSL public/private key pair for the client.
● Uses secure websockets to talk to the servers (user/password required for the first-time connection; SSL certs automatically registered and used after that).
● All client SSL certificates and keys are locked on the client system within an encrypted file. A user-defined password is required to unlock that file and initiate server connections.
● Export/import your client settings across various clients and operating systems while still fully encrypted.
SysAdm Client: Examples
● Connection Manager
  ● Used to create client SSL keys and set up connections to servers.
● Tray Interface
  ● See messages and system information at a glance.
SysAdm Client: Examples
● Control Panel (main page)
  ● This lists all the subsystems that the user has access to on the connected system.
  ● Many options (especially in the “utilities” category) will not appear unless the relevant utility is installed on the server.
SysAdm Client: Examples
● Package Manager (AppCafe)
  ● This is an interface to the pkg utility and database on the server.
  ● It allows the user to browse and search for packages, perform updates, [un]install packages, and check for security issues with the installed packages.
SysAdm Client: Examples
● Task Manager
  ● Basically a visual version of top on FreeBSD (without running top)
  ● View CPU usage and temperature per core, overall memory usage, and individual process statistics (with the ability to kill processes as needed)
SysAdm Client: Examples
● Update Manager (pc-updatemanager)
  ● Check, view, and manage updates on a TrueOS system.
  ● Uses ZFS w/ boot environments for safely performing changes without touching the live system.
SysAdm Bridge (experimental)
● What about servers with dynamic addressing?
● What about servers behind a corporate firewall?
● The SysAdm bridge is an additional type of server designed to be run on a small, statically-assigned, publicly available system (such as a small VM in the cloud). Both servers and clients may be configured to “announce” themselves on a bridge, and make connections from there.
SysAdm Bridge: Security
● The bridge is designed as a completely untrusted relay. Servers and clients use a completely separate SSL certificate when talking to a bridge, to ensure the “real” one is never used for connecting to an unknown system.
● After connecting to a bridge, the server/client submits the MD5 of its real SSL certificate, and the bridge responds with the ID and location of the systems that listed that MD5 within their compatible certificate list.
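The bridge-side matching step this slide describes, as an added example (not SysAdm project code): each party announces with the MD5 fingerprint of its real certificate plus the list of fingerprints it will accept, and the bridge, holding only fingerprints and locations and never a key or the real certificate, answers with the ID and location of every system whose list contains the asking party's fingerprint. The Bridge class, the demo() walk-through, the system IDs, the address and the certificate byte strings are constructed placeholders.

```python
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """MD5 digest of the certificate bytes, the identifier the slide describes."""
    return hashlib.md5(cert_der).hexdigest()


class Bridge:
    """Untrusted relay: stores only fingerprints and locations, never keys."""

    def __init__(self):
        # system id -> (location, own fingerprint, fingerprints it accepts)
        self.registry = {}

    def announce(self, system_id, location, own_fp, allowed_fps):
        """A server or client registers itself and its compatible cert list."""
        self.registry[system_id] = (location, own_fp, set(allowed_fps))

    def lookup(self, own_fp):
        """Answer an announcement: every (id, location) that listed own_fp."""
        return [(sid, loc) for sid, (loc, _fp, allowed)
                in self.registry.items() if own_fp in allowed]


def demo():
    """Constructed walk-through: one server, one allowed client, one stranger."""
    server_cert = b"-- constructed placeholder: server real certificate --"
    client_cert = b"-- constructed placeholder: client real certificate --"
    stranger_cert = b"-- constructed placeholder: unknown certificate --"
    bridge = Bridge()
    # The server lists the one client fingerprint it is willing to be reached by.
    # Only the digest travels to the bridge; the real certificate stays home.
    bridge.announce("server-1", "203.0.113.10", fingerprint(server_cert),
                    [fingerprint(client_cert)])
    return {
        # the listed client learns where server-1 is
        "client": bridge.lookup(fingerprint(client_cert)),
        # an unlisted fingerprint learns nothing
        "stranger": bridge.lookup(fingerprint(stranger_cert)),
    }
```

The direct connection that follows still has to validate the peer's real certificate itself; the bridge answer only says where to look.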
Conclusions
● SysAdm is a new framework designed to assist in the administration of any number of FreeBSD/TrueOS systems.
● It does not replace years of “muscle memory” from system administrators who use SSH/terminal access for everything. Rather, it is designed to come alongside and provide an alternate/easier way to perform many of those routine tasks.
● SysAdm is already used for all TrueOS systems (desktops and servers), and is constantly being improved with new API classes and corresponding client pages.
Questions?
● Links for additional information:
  https://api.sysadm.us (SysAdm API Reference)
  https://www.trueos.org (TrueOS Website)
