A DEVOPS STATE OF MIND WITH DOCKER AND …res.cdn.sys-con.com/session/3394/Chris_Van_Tuin.pdfA...
Transcript of A DEVOPS STATE OF MIND WITH DOCKER AND …res.cdn.sys-con.com/session/3394/Chris_Van_Tuin.pdfA...
A DEVOPS STATE OF MIND WITH DOCKER AND KUBERNETES
Chris Van Tuin Chief Technologist, West [email protected]
“In short, software is eating the world.” - Marc Andreessen, Wall Street Journal, August 2011
Open SourceV
5
DEV QA OPS
Walled off people, walled off processes, walled off technologies
“THROW IT OVER THE WALL”
WHAT CAN I.T. DO? I.T. CAN TURN OPS AND DEV INTO DEVOPS
“DevOps is a software development method that stresses communication, collaboration and integration between software developers and information technology (IT) professionals.”[1]
Applying many of the principles of Agile software development to the full application lifecycle and incorporating automation and monitoring with just a touch of Lean Manufacturing theory.
PEOPLE
PROCESS TECHNOLOGY
DEVOPS
8
DEV QA OPS
Cross-organization teams, walled off processes, walled off technologies
BREAK DOWN THE WALLS
“Configuration in code” • Standardized environments • Linux containers • Automated provisioning
WHAT ENABLES DEVOPS?
KEY CONCEPT: FAIL FAST AND RECOVER VS. NEVER FAIL
CI/CD: Automated testing and deployment • Continuous integration • Continuous delivery
WHAT ENABLES DEVOPS?
KEY CONCEPT: SMALL CHANGES = LESS RISK
Continuous innovation • Developer self-service • Rapid prototyping
WHAT ENABLES DEVOPS?
KEY CONCEPT: CULTURE CHANGE = ACCEPTANCE OF FAILURE
ORGANIZATIONS IMPLEMENTING DEVOPS
Source: 2014 State of DevOps Report Puppet Labs, IT Revolution Press, ThoughtWorks
DEVOPS VALUE IN ACTION: VELOCITY AT AMAZON AWS
SOFTWARE DEPLOYMENTS CAUSING AN OUTAGE
MEAN TIME BETWEEN DEPLOYMENTS
(SECONDS)
10,000
.001%11.6
MAX DEPLOYMENTS/ HOURBetter deployment quality 63%
Faster release frequency 63%
Improved process visibility 61%
FINANCIAL SERVICES COMPANY
Growth Competition
“It took 2 years after a competitive start-up launch to get a competing
product to market.”
FINANCIAL SERVICES COMPANY
“It could take 6 weeks to get a single word changed on
the web site.”
Agility PredictabilityGrowth Competition
“It took 2 years after a competitive start-up launch to get a competing
product to market.”
FINANCIAL SERVICES COMPANY
“It could take 6 weeks to get a single word changed on
the web site.”
“When developers work in Node.js, they can change the
code they’re working on, direct it to run, and see whether it
works-in the blink of an eye.”
Productivity
Agility PredictabilityGrowth Competition
“It took 2 years after a competitive start-up launch to get a competing
product to market.”
FINANCIAL SERVICES COMPANY
“It could take 6 weeks to get a single word changed on
the web site.”
“When developers work in Node.js, they can change the
code they’re working on, direct it to run, and see whether it
works-in the blink of an eye.”
“The environment, while stable, didn’t use the sexiest
technologies, which made recruiting difficult.”
RecruitingProductivity
Agility PredictabilityGrowth Competition
“It took 2 years after a competitive start-up launch to get a competing
product to market.”
THE NEW OPERATING SYSTEM
Orchestrator: Model the app across multiple hosts/containers
Scheduler: Provide service and APIs for placing the app onto resources
APP
SERVICE 1 SERVICE 2
SERVICE 3 SERVICE 4
SCHEDULER
RED HAT ENTERPRISE
LINUX
RED HAT ENTERPRISE
LINUX
RED HAT ENTERPRISE
LINUXContainer pool : Provide resources to run app
24
WHAT ARE LINUX CONTAINERS?
• Used to create containers for software applications / microservices
• Package Once Deploy Anywhere
• Containers provide lightweight isolation of process, network, filesystem spaces
• Docker builds on Linux containers, adds an API, image format, runtime, and a delivery and sharing model
HOST OS
SERVER
CONTAINER
LIBS
APP
CONTAINER USE CASES
DevOpsApp
Modernization Microservices
Availability Real-time Scale Diet VM
Infrastructure Optimization Big Data
100%
CI/CD Hardware Modernization
27
docker.io RegistryPrivate
RegistryRed Hat Certified
FROM fedora:latest CMD echo “Hello”
Dockerfile
Physical, Virtual, Cloud
“docker build or commit”
Image Container
“docker push or pull <IMAGE_ID>”
“docker run <IMAGE_ID>”
Build RunShip
BUILD, SHIP, RUN
public class HelloWorld {
public static void main(String[] args) { System.out.println ("Hello, World"); }}
#include<stdio.h>
main(){ printf("Hello World");}
var http = require('http');var server = http.createServer( function (request, response) { response.writeHead(200, {"Content-Type": "text/plain"}); response.end("Hello World\n");});server.listen(8000);
$_ = "hello world";$_ =~ s/^(\b\w)(\B\w+)\s(\D)(\D+)$/ \U$1\E$2 \U$3\E$4\!\n/;print $_;
PHYSICAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD
<?php Print "Hello, World!"; ?>
Docker provides a language agnostic packaging format and runtime API
CONSISTENT PACKAGING FORMAT
public class HelloWorld {
public static void main(String[] args) { System.out.println ("Hello, World"); }}
#include<stdio.h>
main(){ printf("Hello World");}
var http = require('http');var server = http.createServer( function (request, response) { response.writeHead(200, {"Content-Type": "text/plain"}); response.end("Hello World\n");});server.listen(8000);
$_ = "hello world";$_ =~ s/^(\b\w)(\B\w+)\s(\D)(\D+)$/ \U$1\E$2 \U$3\E$4\!\n/;print $_;
PHYSICAL VIRTUAL PRIVATE CLOUD PUBLIC CLOUD
<?php Print "Hello, World!"; ?>
bash glibc
...
bash glibc
jre
libssl libv8
...
bash glibc
nodejs perl php
...
bash glibc
Package dependencies ensure consistency and portability*
PACKAGED DEPENDENCIES
34
docker.io RegistryPrivate
RegistryRed Hat Certified
FROM fedora:latest CMD echo “Hello”
Dockerfile
“docker build or commit”
Image
“docker push or pull <IMAGE_ID>”
Build Ship
BUILD, SHIP, RUN
64% of official images in Docker Hub contain high priority security vulnerabilities
examples: ShellShock (bash)
Heartbleed (OpenSSL) Poodle (OpenSSL)
Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf)
WHAT’S INSIDE THE CONTAINER MATTERS
OpenSCAP
ReportsScan
SCAP Security Guide
for RHEL
CCE-27002-5 Set Password Minimum Length
Content
Scan physical servers, virtual machines, docker images and containersfor Compliance (CCEs) and known Vulnerabilities (CVEs)
38
WHAT ARE MY OPTIONS?
Security-by-Luck • Unsupported distro • Public registry • End-of-lifed
Security-by-Firewall • No patch management • Untrusted containers • selinux disabled
Trusted Platform • Supported distro • Patch management • Trusted containers & host • Private registry • Container scanning • selinux enforcing
39
docker.io RegistryPrivate
RegistryRed Hat Certified
FROM fedora:latest CMD echo “Hello”
Dockerfile
Physical, Virtual, Cloud
“docker build or commit”
Image Container
“docker push or pull <IMAGE_ID>”
“docker run <IMAGE_ID>”
Build RunShip
BUILD, SHIP, RUN
ContainersTraditional OS
HARDWARE
HOST OS
HARDWARE
HOST OS
CONTAINER
LIBS
APP A
LIBS A LIBS B LIBS LIBS
APP A APP B
CONTAINER
LIBS
APP B
TRADITIONAL OS VS CONTAINERS
ADD NAME (View > Master > Slide master)
More serious workloads require orchestration like Kubernetes to offload management overhead
ADD NAME (View > Master > Slide master)
Once created, Kubernetes will keep the environment online as described in the json file
JSON Kubernetes
ADD NAME (View > Master > Slide master)
Once created, Kubernetes will keep the environment online as described in the json file
JSON Kubernetes
ADD NAME (View > Master > Slide master)
Once created, Kubernetes will keep the environment online as described in the json file
JSON Kubernetes
ADD NAME (View > Master > Slide master)
Once created, Kubernetes will keep the environment online as described in the json file
JSON Kubernetes
ADD NAME (View > Master > Slide master)
Admins won’t get stuck in middle of a deployment
Version 1 Version 1.2
ADD NAME (View > Master > Slide master)
Tests and certification can be done before customers access it
Version 1 Version 1.2 Tests / CI
ADD NAME (View > Master > Slide master)
Once ready, the new version is used and the old version can be removed
Version 1 Version 1.2
ADD NAME (View > Master > Slide master)
Rollbacks can be done using the same method if desired
Version 1.2
Any App • Any Docker Image
• Any Source 2 Image
• Big Data
• Web, App, DB
• Batch
• Legacy, Persistent
• .NET
Anywhere • Dev, Test, Prod
• Private Cloud
• Public Cloud
• Physical
• Virtual
• Laptop
• Mac,Win,Lin CDK
Any Scale • Cloud burst
• Multi-DC
• Scale Up/Down
• Web Scale
• 1k hosts
• 30k pods
Any Time • Self-Service
• DevOps
• CI/CD
• Auto Build
• Auto Deploy
• Security Scan
• Health Check
OPENSHIFT: The Docker and Kubernetes Container Platform
DEVOPS ROI
Improve business agility
Improve business predictability
Improve developer productivity
Improve operational efficiency and costs
Deployment Frequency
Change Volume
Lead Time
DeploymentFailure Rate
Mean Time to Recover
99.999
Service Availability
DEVOPS METRICS