One year of Deploying Applications for Docker, CoreOS, Kubernetes and Co.

Similar documents
One year of Deploying Applications for Docker, CoreOS, Kubernetes and Co

More Containers, More Problems

CONTAINERS AND MICROSERVICES WITH CONTRAIL

TEN LAYERS OF CONTAINER SECURITY

Microservices. Chaos Kontrolle mit Kubernetes. Robert Kubis - Developer Advocate,

Containers, Serverless and Functions in a nutshell. Eugene Fedorenko

Accelerate at DevOps Speed With Openshift v3. Alessandro Vozza & Samuel Terburg Red Hat

[Docker] Containerization

Think Small to Scale Big

A Greybeard's Worst Nightmare

Docker and Oracle Everything You Wanted To Know

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

Introduction to Kubernetes

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

YOUR APPLICATION S JOURNEY TO THE CLOUD. What s the best way to get cloud native capabilities for your existing applications?

OpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

What s New in Red Hat OpenShift Container Platform 3.4. Torben Jäger Red Hat Solution Architect

Kubernetes 101. Doug Davis, STSM September, 2017

利用 Mesos 打造高延展性 Container 環境. Frank, Microsoft MTC

Logging, Monitoring, and Alerting

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

Technical Brief Distributed Trusted Computing

Container-Native Storage

An Introduction to Kubernetes

AGILE RELIABILITY WITH RED HAT IN THE CLOUDS YOUR SOFTWARE LIFECYCLE SPEEDUP RECIPE. Lutz Lange - Senior Solution Architect Red Hat

VMWARE PIVOTAL CONTAINER SERVICE

Oracle Container Natve Applicaton Development Platorm. Edgars Ruņģis Cloud Soluton Architect

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

Two years of on Kubernetes

Table of Contents 1.1. Overview. Containers, Docker, Registries vsphere Integrated Containers Engine

CoreOS and Red Hat. Reza Shafii Joe Fernandes Brandon Philips Clayton Coleman May 2018

Kuber-what?! Learn about Kubernetes

ACCELERATE APPLICATION DELIVERY WITH OPENSHIFT. Siamak Sadeghianfar Sr Technical Marketing Manager, April 2016

How to Put Your AF Server into a Container

Container in Production : Openshift 구축사례로 이해하는 PaaS. Jongjin Lim Specialist Solution Architect, AppDev

UP! TO DOCKER PAAS. Ming

SBB. Java User Group 27.9 & Tobias Denzler, Philipp Oser

Implementing the Twelve-Factor App Methodology for Developing Cloud- Native Applications

TECHNICAL BRIEF. Scheduling and Orchestration of Heterogeneous Docker-Based IT Landscapes. January 2017 Version 2.0 For Public Use

Kubernetes Integration Guide

Container Deployment and Security Best Practices

EASILY DEPLOY AND SCALE KUBERNETES WITH RANCHER

Contrail Networking: Evolve your cloud with Containers

The 12-Factor app and IBM Bluemix IBM Corporation

Welcome to Docker Birthday # Docker Birthday events (list available at Docker.Party) RSVPs 600 mentors Big thanks to our global partners:

@joerg_schad Nightmares of a Container Orchestration System

Important DevOps Technologies (3+2+3days) for Deployment

Taming your heterogeneous cloud with Red Hat OpenShift Container Platform.

OpenShift on Public & Private Clouds: AWS, Azure, Google, OpenStack

São Paulo. August,

Introduction to virtualisation, hardware, cloud, containers, unikernels, microkernels. and everything else

Container Orchestration on Amazon Web Services. Arun

Cloud Native Java with Kubernetes

Overview of Container Management

Murray Goldschmidt. Chief Operating Officer Sense of Security Pty Ltd. Micro Services, Containers and Serverless PaaS Web Apps? How safe are you?

Continuous delivery while migrating to Kubernetes

RECap: RunEscape Capsule for On-demand Managed Service Delivery in the Cloud

Kuberiter White Paper. Kubernetes. Cloud Provider Comparison Chart. Lawrence Manickam Kuberiter Inc

Go Faster: Containers, Platforms and the Path to Better Software Development (Including Live Demo)

Azure DevOps. Randy Pagels Intelligent Cloud Technical Specialist Great Lakes Region

Red Hat Roadmap for Containers and DevOps

Security oriented OpenShift within regulated environments

TEN LAYERS OF CONTAINER SECURITY

Running MarkLogic in Containers (Both Docker and Kubernetes)

KUBERNETES IN A GROWN ENVIRONMENT AND INTEGRATION INTO CONTINUOUS DELIVERY

The four forces of Cloud Native

Basic Concepts of the Energy Lab 2.0 Co-Simulation Platform

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

Building Kubernetes cloud: real world deployment examples, challenges and approaches. Alena Prokharchyk, Rancher Labs

Containers & Microservices For Realists. Karthik

Code: Slides:

Using DC/OS for Continuous Delivery

Knative: Building serverless platforms on top of Kubernetes

Continuous Integration and Deployment (CI/CD)

Multi-Arch Layered Image Build System

ovirt and Docker Integration

Kubernetes: Integration vs Native Solution

Securing Microservices Containerized Security in AWS

LINUX CONTAINERS. Where Enterprise Meets Embedded Operating Environments WHEN IT MATTERS, IT RUNS ON WIND RIVER

Docker 101 Workshop. Eric Smalling - Solution Architect, Docker

Development and Operations: Continuous Delivery in Practice

Deploying Applications on DC/OS

API, DEVOPS & MICROSERVICES

Building a Data-Friendly Platform for a Data- Driven Future

Sunil Shah SECURE, FLEXIBLE CONTINUOUS DELIVERY PIPELINES WITH GITLAB AND DC/OS Mesosphere, Inc. All Rights Reserved.

How Container Runtimes matter in Kubernetes?

/ Cloud Computing. Recitation 5 February 14th, 2017

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Continuous Integration and Delivery with Spinnaker

Kubernetes The Path to Cloud Native

Microservice Deployment. Software Engineering II Sharif University of Technology MohammadAmin Fazli

InterSystems Cloud Manager & Containers for InterSystems Technologies. Luca Ravazzolo Product Manager

Merging Enterprise Applications with Docker* Container Technology

Hacking and Hardening Kubernetes

Kontejneri u Azureu uz pomoć Kubernetesa što i kako? Tomislav Tipurić Partner Technology Strategist Microsoft

Package your Java Application using Docker and Kubernetes. Arun

Building A Better Test Platform:

Flip the Switch to Container-based Clouds

S Implementing DevOps and Hybrid Cloud

Transcription:

One year of Deploying Applications for Docker, CoreOS, Kubernetes and Co thomas@endocode.com

HI! Thomas Fricke thomas@endocode.com CTO Endocode System Automation DevOps Cloud, Database and Software Architect

ENDOCODE highquality software solutions best software engineering practices: test driven well known open source projects: https://github.com/endocode diverse range of technologies decades of experience software development, team management 100000s of server years in public and private clouds Be it web, mobile, server or desktop we use: open source meet any challenge

F.E. A FEW DAYS AGO: FIXING A BUG Bug hunt in fleet Found the bug in a Go library: https://golang.org/pkg/crypto/ Fixed!!! https://goreview.googlesource.com/#/c/20687/

MORE BUGFIX EXAMPLES Application breaks systemd problem NO! journald problem analysis: application writes a log line longer than the kernel buffer used by journald FIX: enlarge the kernel buffer Push fix to the upstream kernel

AGENDA Containers or Virtualization Kubernetes CoreOS Starting point Migration Case Study: immmr Success, challenges, what is missing

CONTAINER OR VIRTUALIZATION Topic Container Virtualisation Isolation OS Level, OS namespaces CPU Level: Ring 0/Ring 3 foreign CPU no yes, with emulation foreign kernels, OS no yes kernel is common emulated devices no yes security host devices direct virtio driver security CPU performance 100% 95% IO performance 100% <<100% root isolation yes yes USER directive CPU cache attacks easy possible PoC?

Kubernetes Greek for Helmsman ; also the root of the words governor and cybernetic Runs and manages containers Inspired and informed by Google s experiences and internal systems Supports multiple cloud and baremetal environments Supports multiple container runtimes 100% Open source, written in Go Manage applications, not machines

The 10000 foot view kubelet API CLI apiserver etcd kubelet scheduler UI controllers users kubelet master nodes Google Cloud Platform

All you really care about Container Cluster API UI Google Cloud Platform

CoreOS

CoreOS trusted computing Cluster access Kubernetes Container Integrity rkt OS Integrity CoreOS Linux Hardware Firmware TPM TPM

ECOSYSTEM Torus

STARTING POINT ARCHITECTURE

WE NEVER START FROM SCRATCH Almost no project starts from a green field Technical debt environments not made for microservices

strict layered architecture separation of stateless and persistent data inside the pods developers are free to use what they want contract is binding to the outside

EXISTING HETEROGENEOUS ENVIRONMENT Programming languages and their runtimes Various databases from various generations SQL NoSQL Local and sessions storage Message queueing

SEMIAUTOMATED DEPLOYMENT Deployment chain automation Knowledge about staging and release processes typically implicit and critical

VM CLUSTER BASED ARCHITECTURES Assumes complete OS Package management Configuration management (at runtime)

MIGRATION

FROM VMs TO PODS OS instances microservices in Pods pods are containers sharing the same fate created together running on same node terminationg together one network address shared volumes

FROM VMs TO PODS VM cluster Pods running on Kubernetes cattle: stateless containers pets: databases configuration management and run time separation of build time

STEP 1: STATELESS AND STATEFUL SERVICES where to keep state? A tradeoff provider lockin selfmanaged overhead cattle, no pets mindset: ephemeral deployment units

STEP 2: FRONT END AND BUSINESS LOGIC Migrate frontend to a stateless, loadbalanced Kubernetes service Make everything explicit Firewall and loadbalancer frontends web mobile native embedded IoT TV caching cusiness logic persistence

STEP 3: STANDARDISED DEPLOYMENT PIPELINE dev/test/prod, more stages possible (QA, ) parametrization etcd environment variables secrets in kubernetes logging (rsyslog, ELK, splunk) Services, labels not every utility needs to be container specific measurements f.e. prometheus metrics (easy to integrate in apps and services)

STEP 3: FRONT END AND BUSINESS LOGIC Avoid privileged special applications application server LAMP stack separating concerns web Interface application service scalable through parallelism

ARCHITECTURE WRAP UP Desired Architecture Cleanups Ready to Rock

CASE STUDY

immmr one number for every need immmr combines the best of Internet base communication with the advantages of mobile communication immmr makes it possible to use a single mobile number from any device

immmr one number for every need Coming later in 2016: Launch as an independent, open communications service for voice, messaging and video telephony in the second half of 2016. The service developed by immmr GmbH, a subsidiary of Deutsche Telekom in Berlin, is currently being tested in selected European countries. http://www.immmr.com/

FROM THE TRENCHES Easy: Java with SpringBoot Python Hard: Ruby Gems Separation build deployment no compiler in production change to a static Ruby binary traveling ruby adapt to database supported by your cloud provider ruby hersion hell: rvh^hm

FROM THE TRENCHES Lessons learned preparing for a security audit: this needed to be done anyway separation of stateless and persistent services is a good idea anyway and with containers really important Dockerfiles need careful design to be fast private registry for images recommended (same region) quay.io container life cycle monitoring CVE database

RESULTS AND EXPERIENCES Scalable, kubified application Reduced technical debt and implicit knowledge Standardised processes and APIs for services management Pods are containers sharint the same fate Service as loadbalanced entry point Previously, practises varied between projects Pod as deployment unit, single process per container Service architecture as it always should have been :) external service no LB cluster hassle smaller deployments

BUSINESS VALUE faster deployments: faster time to market more and faster testing more teams possible faster deployment better quality less maintenance in operations less load simpler deployments

RESULTS AND EXPERIENCES Separation of buildtime and runtime PODs should require only minimal parametrization for being deployed Secrets Environment variables Ongoing debate on role of configuration management, our assumption: Configuration management is a buildtime issue It should not be deployed with the container

SUCCESS, CHALLENGES, WHAT IS MISSING

CONTAINER LIFECYCLE MANAGEMENT Part 1: Buildtime related Audits, scanning of container content in the registry Management of ephemeral configuration (as in regular scheduled updates of keys, ) Stopgap: rebuild container often, deploy new versions Leaner containers immutable containers on immutable CoreOS incredibly shrinking deployments

CONTAINER LIFECYCLE MANAGEMENT Part 2: Runtime related Monitoring of pods, containers and apps/processes Lifecycle management Cleanup of nodes (minions) after POD endoflive Issue with multitenant readiness Cleanup, issue of isolation beyond individual process (in container)

BEST PRACTISES & SIDE EFFECTS Best practice for deployment pipelines/continuous delivery The last thing that is still mostly handmade for each project Often violates infrastructure is code paradigm Side effects of rolling updates Database migrations Difficult to roll back, structural changes stay behind or require global lock Solutions are being developed (e.g. crate.io)

CONTAINERIZING APPLICATIONS Baggage: runtimes of existing program environments (Java, Rails, ) package management: gems, eggs, npm, external jars this is not specific to containers Tradeoff between maintenance and migrating to containerfocused languages like Go

DOES IT SCALE IN REAL LIFE?

YES scaling by country or singletenant and multitenant use cases surprisingly, quite often VMs provide underlying isolation

YOUR PRIVATE KUBERNETES DATACENTER You need providers for: Storage Network Firewalls https://endocode.com/blog/ 2016/01/29/endocodecfgmgmtcamp/

MORE FROM ENDOCODE https://endocode.com https://endocode.com/blog/ https://endocode.com/trainingsoverview/ Visit us on GitHub https://github.com/endocode

Dive into Kubernetes! Watch our Webinar Dive into Kubernetes on our YouTube Channel https://youtu.be/8694ggjlpz8 Register for a free Google Cloud Platform Trial with $300 Google Cloud Platform Credits https://goo.gl/duzdwi Use another $200 partner credits https://goo.gl/eyldnt

QUESTIONS?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback