Halifax DevOps - Meet-up - July.19 2017
1 like408 views
The document discusses the integration of Linux container platforms such as Kubernetes and OpenShift on Azure, focusing on pipeline automation using tools like Ansible for continuous integration and deployment. It outlines key benefits, features, and operational requirements of using these technologies, emphasizing improved security, time-to-market, and operational efficiencies. Additionally, the document features links to useful resources and highlights Arctiq's expertise and hiring opportunities.
Halifax DevOps - Meet-up - July.19 2017
- 1. Linux Container Platform on Azure (Kubernetes, OpenShift, Ansible Automation) Pipeline Automation (From Code to Containers, Automated CI / CD on Azure //Halifax DevOps Meetup Kyle Bassett - July 19, 2017 //thanks to
- 2. //today’s expedition //Introductions Who is Arctiq? Docker to Docker Inc to OCI to Kubernetes to OpenShift Ansible / Ansible Tower - What is it? What can it do? Why Azure, What services are we using?, Why? //Demo’s Azure Infrastructure Automation via Ansible Tower OpenShift Container Platform Build via Ansible A quick look into OpenShift Compute Platform Continuous Delivery and CI/CD Pipeline Automation //Social Stuff Open Discussion Beer !!!
- 5. //arctiq’s focus - mvp and business value Trending, Visibility, and Feedback Loops Security Hardening and Access Management Automation and Orchestration Standardization, Hardened Imaging, Centralized Management, and Audit Reporting DEVELOPERS Self-Service Managed Container Platform Fail-Fast + Fix-Fast Mindset Freedom to Focus on Development THE BUSINESS Time-to-Market Advantages Operational Efficiencies Quality Software Speed and Agility IT OPERATIONS Standardized Frameworks Automated Repeatable Tasks Simplified Infrastructure Improved Security
- 6. //docker 101 ● Docker is a software technology providing containers ● Promoted by the company Docker Inc. ● Docker provides an additional layer of abstraction and automation of operating-system-level virtualization on Linux and Windows. ● Docker uses the resource isolation features of the Linux kernel such as cgroups and kernel namespaces, and a union-capable file system such as OverlayFS and others ● This allows independent "containers" to run within a single Linux instance, avoiding the overhead of starting and maintaining virtual machines.
- 8. //docker vs docker inc ● Docker is an open source software platform to create, deploy and manage virtualized application containers on a common operating system (OS), with an ecosystem of allied tools. ● https://mobyproject.org/ ● Docker Inc. - the company that originally developed Docker, supports a commercial edition and is the principal sponsor of the open source tool.
- 9. //docker vs open container initiative Mission Statement ● The mission of the Open Container Initiative (OCI) is to promote a set of common, minimal, open standards and specifications around container technology Governing principles of the OCI? ● Technology leadership ● Influence through contribution ● Limited scope, limited politics ● Minimalist structure ● Representative leadership ● Adherence to anti-trust regulations Why? ● Not bound to higher level constructs such as a particular client or orchestration stack, ● Not tightly associated with any particular commercial vendor or project, and ● Portable across a wide variety of operating systems, hardware, CPU architectures, public clouds, etc.
- 10. //we need more Scheduling Decide where to deploy containers WE NEED MORE THAN JUST CONTAINERS Lifecycle and health Keep containers running despite failures Discovery Find other containers on the network Monitoring Visibility into running containers Security Control who can do what Scaling Scale containers up and down Persistence Survive data beyond container lifecycle Aggregation Compose apps from multiple containers
- 12. //kuberneres 101 WHAT DO I GET WITH KUBERNETES? Kubernetes satisfies a number of common needs of applications, such as: ● co-locating helper processes, facilitating composite applications and preserving the one-application-per-container model ● mounting storage systems ● distributing secrets ● application health checking ● replicating application instances ● horizontal auto-scaling ● naming and discovery ● load balancing ● rolling updates ● resource monitoring ● log access and ingestion ● support for introspection and debugging ● identity and authorization
- 13. //The Illustrated Children’s Guide to Kubernetes https://youtu.be/4ht22ReBjno
- 14. //ok so what’s it do?
- 15. //environment(s)
- 16. //container(s)
- 17. //kubernetes
- 18. //labels(s)
- 19. //pod(s)
- 21. //service(s)
- 22. //volumes(s)
- 23. //namespace(s)
- 24. //but operations needs tools OPERATIONAL & PLATFORM REQUIREMENTS NETWORKING IMAGE REGISTRY ENTERPRISE SUPPORT & INSURANCE APPLICATION SERVICES METRICS & LOGGING LIFE CYCLE MANAGEMENT SELF SERVICE & API’S
- 25. //and then there’s more and more... OK - WHAT ELSE? Routing & Load Balancing Multi-tenancy CI/CD Pipelines Role-based Authorization Capacity Management Chargeback Vulnerability Scanning Container Isolation Image Build Automation Quota Management Teams and Collaboration Infrastructure Visibility Training & Education
- 26. //openshift 101 SELF-SERVICE APP SERVICES APP LIFECYCLE MGMT METRICS AND LOGGING NETWORK Bring your own PaaS physical virtual private cloud any public cloud > = IDE Integration Enterprise Support
- 27. //High Availability - Scale-Out Architecture
- 28. //Namespaces Explained Namespaces - Project Isolation ● Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces. ● Namespaces are intended for use in environments with many users spread across multiple teams, or projects. For clusters with a few to tens of users, you should not need to create or think about namespaces at all. Start using namespaces when you need the features they provide. ● Namespaces provide a scope for names. Names of resources need to be unique within a namespace, but not across namespaces. ● Namespaces are a way to divide cluster resources between multiple uses (via resource quota).
- 29. //Eco-system of tooling example PHYSICAL SERVERS VIRTUAL SERVERS PRIVATE CLOUD PUBLIC CLOUD MANAGED SERVICE IDM Security Tools Developer ToolsInfrastructure Automation Bring your own PaaS Infrastructure Identity Ops Tooling
- 30. //ansible automation MODERNIZE DEVOPS MIGRATE Automate existing processes Manage legacy like DevOps Model everything Deploy continuously Define applications once Re-deploy anywhere
- 31. //ansible for everyone SIMPLE POWERFUL AGENTLESS App deployment Configuration management Workflow orchestration Orchestrate the app lifecycle Human readable automation No special coding skills needed Tasks executed in order Get productive quickly Agentless architecture Uses OpenSSH & WinRM No agents to exploit or update More efficient & more secure
- 32. //how ansible works ANSIBLE’S AUTOMATION ENGINE ANSIBLE PLAYBOOK PUBLIC / PRIVATE CLOUD CMDB USERS INVENTORY HOSTS NETWORKING PLUGINS API MODULES
- 33. //how ansible works ANSIBLE’S AUTOMATION ENGINE ANSIBLE PLAYBOOK PUBLIC / PRIVATE CLOUD USERS INVENTORY HOSTS NETWORKING PLUGINS API MODULES CMDB CLOUD: OpenStack, VMware, EC2, Rackspace, GCE, Azure, Spacewalk, Hanlon, Cobbler CUSTOM CMDB
- 34. //azure + ansible Requirements Authentication Variables ● Active Directory Username/Password ● Service Principal Credentials Using the Azure Resource Manager modules requires having Azure Python SDK installed on the host running Ansible. $ pip install "azure==2.0.0rc5" Specify in $HOME/.azure/credentials ● AZURE_CLIENT_ID ● AZURE_SECRET ● AZURE_SUBSCRIPTION_ID ● AZURE_TENANT
- 35. //azure modules ● azure - create or terminate vm in azure ● azure_rm_deployment - create or destroy ARM template deployments ● azure_rm_publicipaddress - Manage Azure Public IP Addresses ● azure_rm_publicipaddress_facts - Get public IP facts ● azure_rm_resourcegroup - Manage Azure resource groups ● azure_rm_storageaccount - Manage Azure storage accounts
- 36. //playbook example --- - name: azure automation hosts: all vars: http_port: 80 max_clients: 200 remote_user: root tasks: - name: Create storage account azure_rm_storageaccount: resource_group: testing name: testaccount001 Account_type: Standard_LRS
- 37. //ansible tower CONTROL SIMPLE POWERFUL AGENTLESS KNOWLEDGE DELEGATION TOWER EXPANDS AUTOMATION TO YOUR ENTERPRISE. AT ANSIBLE’S CORE IS AN OPEN-SOURCE AUTOMATION ENGINE. Scheduled and centralized jobs Visibility and compliance Role-based access and self-service Everyone speaks the same language Designed for Multi-tier deployments Predictable, reliable, and secure
- 38. //what is ansible tower? Ansible tower is an enterprise framework for controlling, securing and managing your Ansible automation – with a UI and RESTful API. • Role-based access control keeps environments secure, and teams efficient. • Non-privileged users can safely deploy entire applications with push-button deployment access. • All Ansible automations are centrally logged, ensuring complete auditability and compliance.
- 39. //automate everything USE CASES USERS ANSIBLE PYTHON CODEBASE OPEN SOURCE MODULE LIBRARY PLUGINS CLOUD AWS, GOOGLE CLOUD, AZURE … INFRASTRUCTURE LINUX, WINDOWS, UNIX … NETWORKS ARISTA, CISCO, JUNIPER … CONTAINERS DOCKER, LXC … SERVICES DATABASES, LOGGING, SOURCE CONTROL MANAGEMENT TRANSPORT SSH, WINRM, ETC. AUTOMATE YOUR ENTERPRISE ADMINS ANSIBLE CLI & CI SYSTEMS ANSIBLE PLAYBOOKS …. ANSIBLE TOWER SIMPLE USER INTERFACE TOWER API ROLE-BASED ACCESS CONTROL KNOWLEDGE & VISIBILITY SCHEDULED & CENTRALIZED JOBS CONFIGURATION MANAGEMENT APP DEPLOYMENT CONTINUOUS DELIVERY SECURITY & COMPLIANCE ORCHESTRATIONPROVISIONING
- 41. //so what are we building - architecture 101
- 42. //CI //CD (Continuous Integration, Continuous Deployment, Continuous Delivery) //Pipeline Delivery Automation
- 43. //why ? - simple goals - process automation
- 44. //the road to continuous delivery
- 45. //the need for an automation engine
- 47. //local machine development using CDK
- 48. //Registry Strategies - Environment Promotion Another Option
- 49. oc new-project dev --display-name="Tasks - Dev" oc new-project stage --display-name="Tasks - Stage" oc new-project cicd --display-name="CI/CD" oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n dev oc policy add-role-to-user edit system:serviceaccount:cicd:jenkins -n stage oc process -f cicd-template.yaml | oc create -f - Example - https://github.com/daniyalj/openshift-cd-demo/blob/ocp-3.4/cicd-template.yaml
- 52. //continuous deployment workflow ● Each commit drives a build & deployment create a “baked” application container in the registry in the development project / environment (S2i example) ● Upon success the application container is pulled from the development project and deployed into the Testing / QA project / environment ● Think how we handle war’s and jar’s today, we manage the compiled artifact. The container image is the new artifact and we utilize the same governance processes that exist today. ● This workflow can extend to production by introduction of the required enterprise controls. ● The only way to get code into production is to start in Dev > QA > ...
- 55. //Join Arctiq’s Expedition We’re Hiring!!! http://www.arctiq.ca/careers