Docker/ Openshift introduction
Openshift Cluster in practice
Agenda
● Infrastructure
● Storage
● Monitoring
● Metrics
● Logs
● Backup
● Security
Infrastructure
Global infrastructure (architecture diagram slide)
Infrastructure
Masters, etcd cluster and nodes are VMware ESX virtual machines.
3x Masters + etcd:
• 4 (v)CPUs
• 16 GB RAM
• 100 GB HDD
etcd performance issues since 3.4!
• Separated from the masters
• Red Hat recommends SSD drives
• Upgrade blocked ...
Nodes: 2 to n per zone:
• 16 (v)CPUs
• 32 GB RAM
• 600 GB HDD
Infra nodes: 2 to n:
• 4 (v)CPUs
• 16 GB RAM
• 340 GB HDD
Logs:
• High memory, CPU and disk consumption!!!
• Move to physical servers (40 threads, 30 TB HDD)
Global capacity must allow a rolling upgrade and reboot: nodes are drained one at a time, so the pods of the drained node must fit on the remaining nodes.
Infrastructure: capacity planning
oc describe node node001
Name:               node001
Role:
Labels:             kubernetes.io/hostname=node001, ….
Taints:             <none>
CreationTimestamp:  Tue, 24 May 2016 16:58:10 +0200
Phase:
Conditions:
  Type            Status  ...  Reason                      Message
  ----            ------  ...  ------                      -------
  Ready           True    ...  KubeletReady                kubelet is posting ready status
  OutOfDisk       False   ...  KubeletHasSufficientDisk    kubelet has sufficient disk space available
  MemoryPressure  False   ...  KubeletHasSufficientMemory  kubelet has sufficient memory available
  Namespace  Name              CPU Requests  CPU Limits  Memory Requests  Memory Limits
  ---------  ----              ------------  ----------  ---------------  -------------
  xxxxxxx    zzzz-www-9-123ee  500m (3%)     1 (6%)      256Mi (0%)       1Gi (3%)
  xxxxxxx    zzzz-wcw-9-123ee  500m (3%)     1 (6%)      1024Mi (0%)      2Gi (3%)
  xxxxxxx    zzzz-waw-7-123ee  500m (3%)     1 (6%)      512Mi (0%)       1Gi (3%)
  xxxxxxx    zzzz-wsw-5-123ee  500m (3%)     1 (6%)      256Mi (0%)       4Gi (3%)
  xxxxxxx    zzzz-qww-4-123ee  500m (3%)     1 (6%)      256Mi (0%)       1Gi (3%)
Allocated resources:
  (Total limits may be over 100 percent, i.e., overcommitted.)
  CPU Requests  CPU Limits  Memory Requests  Memory Limits
  ------------  ----------  ---------------  -------------
  2500m (15%)   5 (31%)     2048Mi (6%)      9Gi (44%)
Capacity:
  alpha.kubernetes.io/nvidia-gpu:  0
  cpu:                             16
  memory:                          32780448Ki
  pods:                            110
Allocatable:
  alpha.kubernetes.io/nvidia-gpu:  0
  cpu:                             14
  memory:                          30731670Ki
  pods:                            110
System Info:
  ...
Remember to reserve resources for the node itself: Allocatable (14 CPUs, 30731670Ki) is what remains of Capacity (16 CPUs, 32780448Ki) once the node's own reservation is taken out, and it is the figure to plan against.
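The two slides above reduce to one arithmetic question: after the node's own reservation is taken out, does the allocatable room left on the other nodes of a zone absorb the requests of any one node that gets drained for a rolling upgrade? The following Python script is an added example, not the presentation's or Red Hat's code. It models nodes with the allocatable values and per-pod requests that `oc describe node` prints, then runs a first-fit check per node. node001 reuses the slide's figures; node002 to node004 and the zone names are constructed.

```python
"""Rolling-upgrade capacity check: can every node be drained with its pods
rescheduled onto the remaining nodes of the same zone?

Added example (not the presentation's code). Node figures are constructed in
the units `oc describe node` shows: CPU in millicores, memory in KiB.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_cpu(value: str) -> int:
    """'500m' -> 500 millicores; '1' or '1.5' -> 1000 / 1500 millicores."""
    return int(value[:-1]) if value.endswith("m") else int(float(value) * 1000)


def parse_mem(value: str) -> int:
    """'256Mi', '1Gi', '30731670Ki' -> KiB (plain numbers are bytes)."""
    for suffix, mult in (("Ki", 1), ("Mi", 1024), ("Gi", 1024 * 1024)):
        if value.endswith(suffix):
            return int(value[: -len(suffix)]) * mult
    return int(value) // 1024


@dataclass
class Node:
    name: str
    zone: str
    alloc_cpu: int  # allocatable millicores (capacity minus the node's own reservation)
    alloc_mem: int  # allocatable KiB
    pods: List[Tuple[int, int]] = field(default_factory=list)  # (cpu request m, mem request KiB)

    def free(self) -> Tuple[int, int]:
        """Room left once every pod request is subtracted from allocatable."""
        return (self.alloc_cpu - sum(c for c, _ in self.pods),
                self.alloc_mem - sum(m for _, m in self.pods))


def can_drain(node: Node, others: List[Node]) -> bool:
    """First-fit, biggest pods first: each pod of `node` must fit on some other node of its zone."""
    room = {o.name: list(o.free()) for o in others if o.zone == node.zone}
    for cpu, mem in sorted(node.pods, reverse=True):
        for r in room.values():
            if r[0] >= cpu and r[1] >= mem:
                r[0] -= cpu
                r[1] -= mem
                break
        else:
            return False  # no node in the zone has room for this pod
    return True


def rolling_upgrade_report(nodes: List[Node]) -> Dict[str, bool]:
    """Map node name -> whether its zone can absorb that node being drained."""
    return {n.name: can_drain(n, [o for o in nodes if o is not n]) for n in nodes}


def pod(cpu: str, mem: str) -> Tuple[int, int]:
    return parse_cpu(cpu), parse_mem(mem)


def sample_nodes() -> List[Node]:
    """Constructed cluster: node001 mirrors the slide's figures, the rest are invented."""
    alloc_cpu, alloc_mem = parse_cpu("14"), parse_mem("30731670Ki")
    return [
        Node("node001", "zone-a", alloc_cpu, alloc_mem,
             [pod("500m", "256Mi"), pod("500m", "1024Mi"), pod("500m", "512Mi"),
              pod("500m", "256Mi"), pod("500m", "256Mi")]),
        Node("node002", "zone-a", alloc_cpu, alloc_mem, [pod("1", "1Gi")] * 10),
        # zone-b is only ~57% used, yet neither node can take the other's 8-core pod
        Node("node003", "zone-b", alloc_cpu, alloc_mem, [pod("8", "8Gi")]),
        Node("node004", "zone-b", alloc_cpu, alloc_mem, [pod("8", "8Gi")]),
    ]


if __name__ == "__main__":
    for name, ok in rolling_upgrade_report(sample_nodes()).items():
        print(f"{name}: {'drainable' if ok else 'NOT drainable, add capacity in its zone'}")
```

The zone-b pair shows why average utilisation is the wrong number to watch: both nodes are under 60% busy, but a single large request cannot be rescheduled anywhere, so the zone cannot survive a drain.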
Storage
Persistent storage
Criteria:
• Type: NFS, GlusterFS, EBS, GCE, iSCSI, FC, Azure, …
• Access mode: RWO (for one pod), RWX (shared), ROX (read only)
• Capacity: volume size, IOPS, throughput.
StorageClass:
• Storage definition for dynamically provisioned, on-demand storage
• Can be associated with a specific “storage-admin” role
• Currently only for “cloud” resources
Phase:
• Available / Bound / Released / Failed
Reclaim (recycling) policy:
• Retain / Recycle
Storage
No SAN, no NAS, no cloud. So … what? Build your own storage cluster!
Two big servers, Pacemaker, DRBD and XFS: an NFS HA scalable storage cluster (architecture diagram slide).
Monitoring
Internal monitoring of pods and nodes status
Node liveness is done by Kubernetes.
Two kinds of checks for pod status:
• Liveness probe: if not alive, the pod will be restarted.
• Readiness probe: if not ready, traffic won’t be sent to this pod. When it is back, traffic will be sent to it again.
Also associated with pod limits (see metrics): if a limit is exceeded, the pod is killed (and restarted).
SHAME! Don’t use OpenShift to hide your mistakes and incompetence: OpenShift won’t do functional testing and monitoring for you.
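The distinction between the two probes is easiest to see from the application side. The following Python program is an added example, not the presentation's code: it exposes two endpoints, `/healthz` for the liveness probe (the process is alive) and `/ready` for the readiness probe (the process can serve traffic right now), and flips a simulated dependency to show that a readiness failure only takes the pod out of rotation while liveness keeps answering 200, so the kubelet never restarts it. The endpoint names and the `dependency_ok` flag are assumptions for illustration.

```python
"""Liveness vs readiness from the application's point of view.

Added example, not part of the presentation. /healthz and /ready are assumed
endpoint names; a real pod spec points livenessProbe.httpGet at the first and
readinessProbe.httpGet at the second.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen


class AppState:
    # Simulated dependency (e.g. database reachable). Losing it must make the
    # pod NOT READY, not make it be restarted: restarting would not fix the database.
    dependency_ok = True


class ProbeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/healthz":          # liveness: the process can answer at all
            self._reply(200, b"alive")
        elif self.path == "/ready":          # readiness: the process can do useful work
            if AppState.dependency_ok:
                self._reply(200, b"ready")
            else:
                self._reply(503, b"not ready: dependency down")
        else:
            self._reply(404, b"")

    def _reply(self, code: int, body: bytes) -> None:
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):        # keep the example quiet
        pass


def start_server() -> HTTPServer:
    srv = HTTPServer(("127.0.0.1", 0), ProbeHandler)   # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port: int, path: str) -> int:
    """Status code an httpGet probe would see; anything outside 200-399 is a failure."""
    try:
        with urlopen(f"http://127.0.0.1:{port}{path}", timeout=2) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def simulate() -> tuple:
    """(liveness, readiness) codes before, during and after a dependency outage."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        before = (probe(port, "/healthz"), probe(port, "/ready"))
        AppState.dependency_ok = False
        during = (probe(port, "/healthz"), probe(port, "/ready"))
        AppState.dependency_ok = True
        after = (probe(port, "/healthz"), probe(port, "/ready"))
        return before, during, after
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(simulate())
```

Put the expensive dependency check behind `/ready` only: if it were wired to the liveness probe, an outage of a shared database would make every pod restart in a loop instead of simply waiting out of rotation.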
Monitoring
External monitoring
• Check the whole infrastructure: memory, CPU, load, storage, ...
• But also processes, Docker thin pools, pods, persistent volumes, …
• Centreon + homemade scripts in shell and Python using SNMP and oc
Metrics
Pods and services metrics
• Integrated real-time metrics: Heapster, Hawkular and Cassandra
• By default: memory, CPU (millicores) and network
• View per pod, and aggregated view per service
• Metrics enable one great functionality: horizontal pod autoscaling!
• They can be associated with quotas (resource limits). If limits are exceeded, the pod is killed and restarted.
Cassandra storage growth:
Number of nodes | Number of pods | Cassandra storage growth speed | per day | per week
210             | 10500          | 500 MB per hour                | 15 GB   | 75 GB
990             | 11000          | 1 GB per hour                  | 30 GB   | 210 GB
Logs
Following best practice, pod logs go to the console/stdout.
Logs can be read from the pod:
oc logs mymicser-31-9koc7 -n lovely-project
Don’t forget grep | sort | awk …
Kubetail can be useful (it tails several pods at once).
Sample output (Apache error and access log lines, payload masked):
[Sat Jun 17 22:05:13.613952 2017] [:error] [pid 66452] [client 122.138.20.1:36114] xxxx xx xx xx
[Sat Jun 17 22:05:13.613955 2017] [:error] [pid 66452] [client 122.138.20.1:36114] xxxx xx xx xx
[Sat Jun 17 22:05:13.614566 2017] [:error] [pid 66452] [client 122.138.20.1:36114] xxxx xx xx xx
[Sat Jun 17 22:05:13.614575 2017] [:error] [pid 66452] [client 122.138.20.1:36114] xxxx xx xx xx
122.138.20.1 - - [17/Jun/2017:22:05:13 +0200] "GET / HTTP/1.1" 200 29601 xxxx xx xx xx
[Sat Jun 17 22:05:14.272141 2017] [:error] [pid 66435] [client 122.138.19.1:24097] xxxx xx xx xx
Logs / EFK
Aggregation
Elasticsearch
A highly-available environment requires at least three replicas of Elasticsearch, each on a different host. Elasticsearch replicas require their own storage, but an OpenShift Container Platform deployment configuration shares storage volumes between all its pods. So, when scaled up, the EFK deployer ensures each replica of Elasticsearch has its own deployment configuration.
• Dedicated nodes using a node selector
• Persistent Elasticsearch storage (local storage)
Fluentd
Fluentd is deployed as a DaemonSet that deploys replicas according to a node label selector (which you can specify with the deployer parameter fluentd-nodeselector; the default is logging-infra-fluentd):
$ oc label node/xxx logging-infra-fluentd=true
You can configure Fluentd to send a copy of its logs to an external log aggregator, and not the default Elasticsearch, using the secure-forward plug-in.
Kibana
To access the Kibana console from the OpenShift Container Platform web console
Curator
Curator allows administrators to configure scheduled Elasticsearch maintenance operations to be performed automatically on a per-project basis.
Ops Cluster
If you set enable-ops-cluster to true for the deployer, Fluentd is configured to split logs between the main Elasticsearch cluster and another cluster reserved for operations logs.
Logs / EFK
Sometimes size matters
Assumptions:
1. Which application: Apache
2. Bytes per line: 256
3. Lines per second load on application: 1
4. Raw text data → JSON
Baseline (256 characters per minute → 15KB/min)
Keeping all those logs needs a lot of reflection on:
• What to keep?
• How long?
• How to use them in the long run?
You really need a project-level reflection on the matter, because logs grow fast and can rapidly become unmanageable.
Logging infra                          | Pods          | Storage throughput
3 es, 1 kibana, 1 curator, 1 fluentd   | 6 pods total  | 90000 x 86400 = 7,7 GB/day
3 es, 1 kibana, 1 curator, 11 fluentd  | 16 pods total | 225000 x 86400 = 24,0 GB/day
3 es, 1 kibana, 1 curator, 20 fluentd  | 25 pods total | 225000 x 86400 = 32,4 GB/day
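Assumption 4 (raw text → JSON) is where the sizing usually goes wrong: once Fluentd wraps a line in a JSON document with pod and namespace metadata, the stored bytes are a multiple of the raw bytes. The Python script below is an added example, not the presentation's code, serving both the "Logs" slide (the Apache error and access lines) and this sizing slide: it parses lines of the same shape into JSON records, measures the growth factor, and projects the per-day volume the table computes (bytes per second × 86400). The two sample lines are constructed with addresses from the 192.0.2.0/24 documentation range, and the JSON field names are assumptions, not the real EFK schema.

```python
"""Log sizing: raw Apache lines -> JSON records -> daily Elasticsearch volume.

Added example, not part of the presentation. Sample lines are constructed;
field names (log_type, kubernetes.pod_name, ...) are assumed, not the EFK schema.
"""
import json
import re

# Constructed samples in the shape shown on the "Logs" slide.
SAMPLE_LINES = [
    "[Sat Jun 17 22:05:13.613952 2017] [:error] [pid 66452] "
    "[client 192.0.2.10:36114] PHP Notice: undefined index",
    '192.0.2.10 - - [17/Jun/2017:22:05:13 +0200] "GET / HTTP/1.1" 200 29601',
]

ERROR_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<level>[^\]]*)\] \[pid (?P<pid>\d+)\] "
    r"\[client (?P<client>[^\]]+)\] (?P<message>.*)$")
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r"(?P<status>\d{3}) (?P<bytes>\d+|-)")


def parse_line(line: str) -> dict:
    """Split an Apache error or access line into fields; unknown lines are kept whole."""
    m = ERROR_RE.match(line)
    if m:
        return {"log_type": "error", **m.groupdict()}
    m = ACCESS_RE.match(line)
    if m:
        return {"log_type": "access", **m.groupdict()}
    return {"log_type": "unparsed", "message": line}


def to_record(line: str, pod: str, namespace: str) -> str:
    """JSON document as an aggregator would index it (metadata names assumed)."""
    doc = parse_line(line)
    doc["kubernetes"] = {"pod_name": pod, "namespace_name": namespace}
    return json.dumps(doc, separators=(",", ":"))


def json_overhead(lines, pod="app-1-abcde", namespace="lovely-project") -> float:
    """Stored bytes divided by raw bytes: the factor assumption 4 adds to the estimate."""
    raw = sum(len(line.encode()) for line in lines)
    stored = sum(len(to_record(line, pod, namespace).encode()) for line in lines)
    return stored / raw


def baseline_kb_per_minute(bytes_per_line: int = 256, lines_per_second: float = 1) -> float:
    """The slide's baseline: 256 bytes per line at 1 line per second -> 15 KB/min."""
    return bytes_per_line * lines_per_second * 60 / 1024


def daily_volume_gb(bytes_per_second: float, overhead: float = 1.0, replicas: int = 1) -> float:
    """Daily ingest in decimal GB, the slide's 'bytes x 86400' computation with JSON overhead."""
    return bytes_per_second * overhead * replicas * 86400 / 1e9


if __name__ == "__main__":
    factor = json_overhead(SAMPLE_LINES)
    print(f"JSON overhead factor: {factor:.2f}")
    print(f"baseline: {baseline_kb_per_minute():.1f} KB/min")
    print(f"90000 B/s raw: {daily_volume_gb(90000):.2f} GB/day, "
          f"as JSON: {daily_volume_gb(90000, factor):.2f} GB/day")
```

Multiply the raw figure by the measured overhead factor and by the Elasticsearch replica count before sizing disks; the slide's 7,7 GB/day is the raw number only.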
Backup
3 layers of back-up
• Master / nodes backup
  → Git / Ansible
  → etcd backup
• PV backup
  → Bacula, rsync ...
• Project backup
  → Images: Docker.io, Artifactory, …
  → Objects: oc export …, at project level: https://github.com/vbehar/openshift-git
  → PVC: https://github.com/getupcloud/backup
Security
Dr. Egon Spengler: Don’t use root in your image.
Dr. Peter Venkman: Why?
In OpenShift, pods are launched with an arbitrary / random user ID, thanks to user namespaces.
Root is prevented by default. You can’t escape :)
Your images must be adapted: most Docker Hub images can’t be reused as such.
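What "adapting the image" means in practice: the restricted SCC starts the container as a random UID from the project's range but always with GID 0 (the root group) as the process group, so every file or directory the application writes to has to be group-owned by GID 0 and group-writable, which is why adapted Dockerfiles carry `chgrp -R 0 DIR && chmod -R g=u DIR`. The Python script below is an added example, not the presentation's code: it walks an application directory and lists the paths a random UID could not use, then applies the same fix. The `gid` parameter is there so the check runs on a scratch directory without privileges (the demo uses the current group); in an image build it would be 0.

```python
"""Check and fix a directory tree for OpenShift's arbitrary-UID model.

Added example, not from the presentation. `gid` defaults to 0 (root group);
demo() uses the caller's own group so it runs unprivileged.
"""
import os
import stat
import tempfile
from typing import List


def offending_paths(root: str, gid: int = 0) -> List[str]:
    """Paths under root that a random UID in group `gid` could not read/write (dirs: traverse)."""
    bad = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            need = stat.S_IRGRP | stat.S_IWGRP
            if stat.S_ISDIR(st.st_mode):
                need |= stat.S_IXGRP
            if st.st_gid != gid or (st.st_mode & need) != need:
                bad.append(path)
    return sorted(bad)


def make_group_writable(root: str, gid: int = 0) -> None:
    """Equivalent of `chgrp -R GID root && chmod -R g=u root`."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            os.chown(path, -1, gid)                      # chgrp, keep owner
            perm = stat.S_IMODE(st.st_mode)
            owner_bits = (perm & stat.S_IRWXU) >> 3      # copy u bits onto g (g=u)
            os.chmod(path, (perm & ~stat.S_IRWXG) | owner_bits)


def demo() -> tuple:
    """Build a scratch 'app dir' the way many Docker Hub images ship it, check, fix, re-check."""
    gid = os.getgid()
    root = tempfile.mkdtemp(prefix="arbuid-")          # created 0700: group has nothing
    os.makedirs(os.path.join(root, "data"))
    os.chmod(os.path.join(root, "data"), 0o755)        # group cannot write
    cfg = os.path.join(root, "app.conf")
    with open(cfg, "w") as fh:
        fh.write("constructed sample config\n")
    os.chmod(cfg, 0o600)                               # owner-only: unreadable under a random UID
    before = offending_paths(root, gid)
    make_group_writable(root, gid)
    after = offending_paths(root, gid)
    return len(before), len(after)


if __name__ == "__main__":
    print("offending paths before/after fix:", demo())
```

Run `offending_paths` against the image's writable locations (data directories, log directories, the working directory) during the build; anything it lists is a future "Permission denied" once the restricted SCC assigns a UID.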
Security
Project side: thanks to cgroups and limits. Remember Petazzoni’s slides:
• cgroups: limit how much you can use (and gauge it)
• namespaces: limit what you can see (and therefore use)
• Security context constraints: allow administrators to control permissions for pods.
• Segregation by namespaces: projects are isolated from each other.
• Policies and roles at each level (cluster, project, resources, …).
• Images: image vulnerability scanning (Xray / Black Duck), base images.
• Network: segregation between projects by default (Open vSwitch, tags): if you need to communicate, use services and routes, EVEN in the same project.
• Secrets: because you don’t want to spread hidden things (credentials, keys, …) in your templates or configuration files, OpenShift handles them for you.
• SELinux: RHEL and Docker.
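Security context constraints are only as good as the audit that checks nothing was admitted outside the restricted one. The Python script below is an added example, not the presentation's code: it reads a pod list in the shape `oc get pods --all-namespaces -o json` returns and reports pods whose `openshift.io/scc` annotation is not `restricted`, privileged containers, containers requesting UID 0, hostPath volumes and host networking, all of which the restricted SCC would have refused. The pod list is constructed and the pod, project and registry names are invented.

```python
"""Audit a pod list for deviations from the restricted SCC.

Added example, not part of the presentation. SAMPLE_POD_LIST is constructed
in the shape of `oc get pods --all-namespaces -o json`; names are invented.
"""
import json
from typing import Dict, List

SAMPLE_POD_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "web-3-abcde", "namespace": "lovely-project",
                      "annotations": {"openshift.io/scc": "restricted"}},
         "spec": {"containers": [{"name": "web", "image": "registry.example/web:1.2"}]}},
        {"metadata": {"name": "agent-1-fghij", "namespace": "ops-tools",
                      "annotations": {"openshift.io/scc": "privileged"}},
         "spec": {"hostNetwork": True,
                  "containers": [{"name": "agent", "image": "registry.example/agent:0.9",
                                  "securityContext": {"privileged": True, "runAsUser": 0}}],
                  "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}]}},
    ],
})


def audit_pod(pod: dict) -> List[str]:
    """Findings for one pod; an empty list means it stayed inside the restricted SCC."""
    findings = []
    meta, spec = pod["metadata"], pod["spec"]
    scc = meta.get("annotations", {}).get("openshift.io/scc")
    if scc != "restricted":
        findings.append(f"admitted by SCC {scc!r}, not restricted")
    if spec.get("hostNetwork"):
        findings.append("hostNetwork enabled")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"hostPath volume {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {c['name']} is privileged")
        if sc.get("runAsUser") == 0:
            findings.append(f"container {c['name']} requests UID 0")
    return findings


def audit(pod_list_json: str) -> Dict[str, List[str]]:
    """Map 'namespace/pod' -> findings, for pods that have any."""
    report = {}
    for pod in json.loads(pod_list_json)["items"]:
        findings = audit_pod(pod)
        if findings:
            report[f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit(SAMPLE_POD_LIST).items():
        print(key)
        for f in findings:
            print("  -", f)
```

Feed it the real output of `oc get pods --all-namespaces -o json` from a cron job and alert on any new key; a pod legitimately needing the privileged SCC (the Fluentd DaemonSet on the logging slide is a typical one) belongs on an explicit allow-list, not in a silent exception.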
Tips
Copy an object from project-1 to project-2:
oc export xx -n project-1 | oc create -n project-2 -f -
List the mysql 5.6 pods of every project labelled type=lamp (the label selector must not contain spaces, and the loop variable is the project to query):
for proj in $(oc get projects -l type=lamp -o jsonpath='{.items[*].metadata.name}'); do
  oc get po -n "$proj" -l app=mysql,version=5.6
done
Check container environment variables (first oc get dc to find the deployment config name):
oc get dc "$DCTOINSPEC" -n "$DEV_PROJECT_NAME" -o json | jq '.spec.template.spec.containers[]?.env'
Check user access within projects:
for PROJECTID in $PROJECTIDS; do
  echo "$PROJECTID" &&
  oc describe policyBindings :default -n "$PROJECTID" | grep -C 1 "$USERNAME_TO_ADD"
done
Check which image SHA is tagged "ok" (most recent item of the tag; the jq filter goes in single quotes so its inner double quotes survive the shell):
for PROJECTID in $PROJECTIDS; do
  echo "$PROJECTID" &&
  oc get is "$PROJECTID" -n "$PROJECTID" -o json |
    jq -r '.status.tags[] | select(.tag == "ok") | .items | max_by(.created) | .dockerImageReference'
done
Always this scripting …
Questions ?
Annexes

Ippevent : openshift Introduction
