dustin
/
dustin.web
1
0
Fork 0
Code Pull Requests Releases Activity
dustin.web/content/cv/firemon.md

5.3 KiB
Raw Blame History

+++ title = 'FireMon' date = 2013-12-01 [extra] years = '2013Present' +++

FireMon is a software development company based in Overland Park, KS. As the System Architect, I focus on building a scalable platform for delivering FireMon software to customers that is easy to use. FMOS, the FireMon Operating System, is a mechanism for delivering the FireMon SIP to customers and a collection of tools for deploying and managing the software in a wide array of environments, ranging from a single server to massive multi-node ecosystems.

FMOS: FireMon Operating System

Ansible Configuration Policy

  • Configuration policy for deployment of all FireMon software and third-party dependencies
  • Support for single-server and distributed deployments
  • Automatically compute JVM heap sizes for each process based on available resources
  • Configures Elasticsearch in single-node or clustered mode
  • Configures PostgreSQL with optional replication to standby servers
  • Configures Kernel NFS server and client to share filesystem data between machines
  • Configures FireMon application server processes, including connection and authentication information for PostgreSQL, Elasticsearch
  • Configures strongSwan IPsec/IKEv2 key management daemon for opportunistic encryption of Elasticsearch communication
  • Configures operating system login, password policy, including support for external authentication providers such as LDAP or Kerberos
  • Sets up collectd and Carbon (Graphite data storage engine) to track system performance metrics, optionally replicating metrics data to a FireMon-managed central storage for real-time review
  • Optionally configures rsyslog to send log messages to remote destinations over UDP, TCP, or TCP+TLS
  • Configures tmux to automatically launch at user login

Deployment and Maintenance Tools

  • Python software for configuring and managing machines running FireMon software (fmos command)
  • Critical functionality for application maintenance:
    • Updating OS and software
    • Backing up and restoring data
    • Capturing diagnostic information for technical support
    • Modifying configuration settings
    • Managing server certificates and private keys
  • D-Bus daemon to handle privileged operations
  • Unprivileged command-line interface
  • HTTP API developed with FastAPI

Generation II Platform

  • Based on CentOS 7
  • Full-disk encryption using LUKS
  • Anaconda installer with custom addon for generating machine-specific LUKS master key passphrase
  • Kickstart script for fully-automated installation
  • Used Koji to build RPM packages for first- and third-party software
  • Distribution included Ansible for configuration management
  • systemd units for controlling FireMon application services

Generation III Platform

  • Based on CentOS 7, later CentOS 8 (Stream)
  • Immutable SquashFS root filesystem image
  • Full-disk encryption using LUKS
  • Custom Dracut modules to verify image OpenPGP signature, mount as rootfs, initialize LUKS-encrypted persistent data volume with LVM
  • Custom SELinux policy to confine FireMon software

DevOps Team Lead

  • Deployed and maintained hundreds of internal and cloud systems
    • HashiCorp Vault
    • Elasticsearch
    • Atlassian Bitbucket
    • Jenkins
  • Used PXE for provisioning on-premises virtual machines
  • Ansible configuration management

Internal Tools

FMOS Web Tools

  • Internal application used by software developers and support agents
  • Multi-tiered architecture with multiple nodes at each tier to avoid any single point of failure
    • Application Server Tier: Python 3.6/FastAPI
    • Storage Tier: GlusterFS
    • Index Tier: Elasticsearch
    • Cache Tier: Redis
    • Message Tier: RabbitMQ
    • Worker Tier: Python 3.6/Celery
    • Ingress: HAProxy
    • User Interface: Typescript/Vue+Vuetify

PR Bot

  • Implements a web hook for Atlassian Bitbucket (stash)
  • Reacts to new and updated Pull Requests
  • Automatically checks Git commits and changed code to enforce style guide and other project-specific requirements
  • Adds comments to Pull Requests indicating check results, marks PR as approved or needs work
  • Written in Python, no external dependencies

QEMU VM Log Socket Proxy

  • Component of FMOS End-to-End tests running on-premises using QEMU/libvirt
  • Uses kernel inotify(7) events to detect virtual machine log channel socket files appearing on the VM host
  • Automatically connects to sockets as they appear
  • Receives all data from channel sockets and writes them to a file in the libvirt storage pool
  • Written in Rust

FMOS ISO Writer

  • Internal application used by development and QA teams to write FMOS installer images to USB disks attached to remote physical appliances
  • Accessible via purpose-built, ultra-minimal Linux distribution (Kernel and Busybox only) delivered by network boot/PXE
  • Written in Rust

FireMon-as-a-Service

  • Cloud-hosted FireMon software deployment
  • Deployed backend infrastructure for federated authentication using OpenLDAP, MIT kerberos
  • Followed Infrastructure-as-Code principles using Ansible
  • Developed custom integrated authentication solution for FireMon Security Manager software to provide full-featured account and credential management using Kerberos protocol (Authgate)
  • Python bindings for mit-kerberos using Cython