Real World Experiences: Cloud Foundry on Windows
Introductions
- Steven Benario, Strategic Product Owner, Pivotal (@sbenario)
- Matthew Horan, Manager, Software Engineering, Pivotal (mhoran)
.NET Development State of the World
Typical ASP.NET Deployment
- Provision some servers
- Install the necessary MSIs
- Configure and maintain IIS App Pools, Machine.config, GAC (Global Assembly Cache)
- Servers are long-lived snowflakes
- Do you know the names of any of your IIS servers? Do any of them have quirks?
- "Oh yeah, well the Tabasco server has a slow disk, so it'll take a little longer to reboot"
- Snowflakes everywhere!
- Do you know how to re-build all the servers in an emergency?
- No ability for 3 R's Security (Rotate, Repair, Repave)
Cloud Foundry to the rescue
- But wait, that's only for Linux!
Building Cloud Foundry for Windows
- Garden Windows
- BOSH Windows
Why BOSH?
- BOSH is the way to deploy Cloud Foundry
- BOSH enforces immutable infrastructure: servers are no longer long-lived pets. They can be rebuilt. Easily and definitively.
- Rotate, Repair, Repave
- Cohesive deployment process across all of CF
- No more special steps!
State of .NET on Cloud Foundry
- Windows support became GA in October, 2015
- Different deployment than Diego Linux
- BOSH Windows (in Beta now)
- Generator, MSI, cell creation
- Super easy!
- .NET Core (Windows AND Linux)
- Steeltoe Project
- and there's a book!
Building for Cloud Foundry (generally)
- 12-factor applications https://12factor.net/
  - Use declarative formats for setup automation, to minimize time and cost for new developers joining the project;
  - Have a clean contract with the underlying operating system, offering maximum portability between execution environments;
  - Are suitable for deployment on modern cloud platforms, obviating the need for servers and systems administration;
  - Minimize divergence between development and production, enabling continuous deployment for maximum agility;
  - And can scale up without significant changes to tooling, architecture, or development practices.
- Microservice all the things!
- Continuous delivery
So what have we learned?
Problem: Database Creation and Authentication
- How are databases created in your organization? DBA? IT?
- In one example, we moved a legacy app over to PCF in 4 weeks, but took 2 months to get the Database created!
- Any machine on the network can just talk to database? Wait, that's just crazy. You really do that?
- Windows Domain Authentication is often built in and free, so it becomes the de-facto standard in Windows development shops
Solution: Cloud Foundry Service Brokers!
- Service brokers manage creation of databases and credentials.
- Credentials are provided to applications when needed, and can be revoked independent of the database.
Problem: Implicit Application Authentication
- It's easy to use Windows authentication to protect Web applications.
- Using Windows auth with DC/LDAP integration and centralized user database is easy for developers
- But doesn't work outside of Domain-joined Windows Servers
Solution: Use UAA for app authentication
- Refactoring to utilize OAuth enables cross-platform, standardized support.
- Allows for building mobile apps, cross-platform desktop apps, as well as Web.
- UAA supports LDAP backend, which can integrate with Windows domain controllers.
Problem: Unknown app dependencies
- Security module somehow present on the host system, present in Web.config but nobody knows where it came from, injected by another team
- Not using NuGet or other dep management system for library deps, means random DLLs installed on the system somehow
- E.g. DB2 drivers
- We spent a week tracking down where this random dependency in our machine.config came from, and eventually found out that a security team was injecting it via group policy!
Solution: Use a dependency mgmt system
- NuGet is great
- Bin-deploy everything
- Some deps don't support this (e.g. DB2). Work with your vendors or migrate off.
- Keep source code in version control.
Problem: Session store
- State may be stored locally on the server, which requires sticky sessions
- While CF does support sticky sessions (via jsessionid), this is an anti-pattern
Solution: Use a DB for session storage!
- Should be easily configurable for MySQL, Redis, etc. (Both available for Pivotal Cloud Foundry)
Problem: Logging
- Historically, developers often use the Windows Event Log
- Anyone search through 2GB of XML lately?
- You don't know where the app is running in a distributed system
Solution: Use a configurable logging framework, e.g. log4net
- log4net ConsoleAppender writes to the expected location for loggregator aggregation.
- Simply change the logging mechanism and retrieve app logs by `cf logs`.
- Cloud Foundry utilizes loggregator to aggregate application logs and present them to the developer and operator via `cf logs`
Problem: Custom ISAPI handlers
- ISAPI handlers have a strong legacy because they gave developers so much power.
- With great power comes great responsibility
- e.g. PDF generation.
- Using shared memory for some sort of storage.
Solution: Don't do that.
Problem: Configuration sprawl
- Often, application configuration is a snowflake on the server
- Configs applied to the disk, multiple files, Web.config, Machine.config
- Can you replicate a web server today?
Solution: Store config in the environment
- Use environment variables or custom user provided services for environment config (12 factors)
- Don't snowflake
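The service-broker and config-in-the-environment slides meet in the `VCAP_SERVICES` environment variable, where Cloud Foundry hands a bound service's credentials to the app. The following is an added example, not code from the original slides: it assumes .NET Core 3.0+ (System.Text.Json), a hypothetical instance name `orders-db`, and constructed credential values; credential key names vary by broker.

```csharp
using System;
using System.Text.Json;

public static class BoundServices
{
    // Constructed sample of a VCAP_SERVICES document; the label, instance
    // name and every credential value below are made up for illustration.
    const string SampleVcap = @"{
      ""p-mysql"": [{
        ""name"": ""orders-db"", ""label"": ""p-mysql"",
        ""credentials"": {
          ""hostname"": ""10.0.0.20"", ""port"": 3306, ""name"": ""cf_orders"",
          ""username"": ""u_example"", ""password"": ""example-only""
        }
      }]
    }";

    // Looks up a bound service instance by name and builds a connection string
    // from the broker-issued credentials. Throws rather than guessing defaults.
    public static string MySqlConnectionString(string instanceName)
    {
        // Outside Cloud Foundry the variable is unset; use the sample so this runs offline.
        string vcap = Environment.GetEnvironmentVariable("VCAP_SERVICES") ?? SampleVcap;
        using (JsonDocument doc = JsonDocument.Parse(vcap))
        {
            foreach (JsonProperty offering in doc.RootElement.EnumerateObject())
            foreach (JsonElement instance in offering.Value.EnumerateArray())
            {
                if (instance.GetProperty("name").GetString() != instanceName) continue;
                JsonElement c = instance.GetProperty("credentials");
                return $"Server={c.GetProperty("hostname").GetString()};" +
                       $"Port={c.GetProperty("port").GetInt32()};" +
                       $"Database={c.GetProperty("name").GetString()};" +
                       $"Uid={c.GetProperty("username").GetString()};" +
                       $"Pwd={c.GetProperty("password").GetString()};";
            }
        }
        throw new InvalidOperationException(
            $"No bound service named '{instanceName}' in VCAP_SERVICES.");
    }

    public static void Main()
    {
        // Log only non-secret facts; the connection string itself stays out of the log stream.
        string cs = MySqlConnectionString("orders-db");
        Console.WriteLine($"orders-db resolved ({cs.Split(';').Length - 1} fields)");
    }
}
```

Because nothing is written to Web.config or Machine.config, rebinding the service and restaging the app is enough to pick up rotated credentials.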
Other Gotchas
- Cross-cell encryption
  - Encrypted cookies across multiple instances of an app?
  - Utilizes MachineKey from Web.config (actually, Machine.config)
  - Instead, override MachineKey in Web.config
- Global Assembly Cache (GAC)
  - Don't use it
- No network shares or local persistent disk.
  - Cells are ephemeral, app may move around on cells. Anything written to disk will be lost. Also, it won't be shared.
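The MachineKey override mentioned above, as an added configuration example that is not from the original slides; both key values are placeholders.

```xml
<configuration>
  <system.web>
    <!-- Inherited default from Machine.config: keys are auto-generated on each
         machine, so a cookie protected on one cell fails validation on another.
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
    -->

    <!-- Override in the application's own Web.config: every instance of the
         app validates and decrypts with the same explicit keys. -->
    <machineKey validation="HMACSHA256"
                decryption="AES"
                validationKey="PLACEHOLDER_HEX_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_HEX_DECRYPTION_KEY" />
  </system.web>
</configuration>
```

These keys protect forms-authentication tickets and view state, so treat them as secrets: generate them randomly per application and rotate them like any other credential.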
What would be better? The future!
Steeltoe
- Spring Cloud clients for ASP.NET and ASP.NET Core
- Spring Cloud Config Server
- Service Discovery with Eureka
- Spring Cloud Connectors
- Works with OSS or Spring Cloud Services
- Open Source!
Spring Cloud Connectors
- SQL Server + EF6 (Windows / Greenhouse)
- MySQL
- Redis
- RabbitMQ
- PostgreSQL
- Steeltoe RC1 available 7-October!
The Future! Of garden-windows and Greenhouse
- Windows 2016 is supported today. https://github.com/cloudfoundry/garden-windows
- Improved container isolation and network virtualization to come in Server 2016
- BOSH Windows GA
.NET as a First Class Citizen in CF
- Today, we talked about lessons learned from the field
- BOSH Windows simplifies the operator experience
- And is cohesive with the rest of CF
- .NET Core is fully supported
- Imagine
  - Strangling the monolith
  - New development with .NET 4.6 + .NET Core
  - Using Steeltoe to build great Cloud Native Applications
  - Include legacy dependencies as needed
  - Transition on your own timeframe to .NET Core on Linux
Thanks to our OSS contributors!
Current team of OSS contributors:
- Ben Moss (Pivotal)
- David Morhovich (Pivotal)
- Amin Jamai (Pivotal)
- Charlie Vieth (Pivotal)
- Sunjay Bhatia (Pivotal)
Previous contributions from:
- CenturyLink
- HP
We're hiring!