2. @ramnivas
• Spring framework committer
• Cloud Foundry committer
• Main interests
– Cloud computing
– Aspect-oriented programming
– Scala and functional programming
• Author of books and articles
– AspectJ in Action (1st and 2nd edition)
• Speaker at many professional conferences
– JavaOne, JavaPolis, SpringOne, Software Development, No Fluff Just Stuff, EclipseCon, O’Reilly OSCON etc.
• Active involvement in AspectJ, Spring, and Cloud Foundry since their early form
5. Technologies “Я” Us
Word cloud: Access logs, Network, Routing, Hardware failures, DNS, Storage, Load balancing, Auditing, Rolling Updates, User management, Security, DoS, Backups, DBA, OS, Monitoring, Patches
7. Facets of complexity: Product
§ More functionality
§ Time to market pressure
§ Complex integration
§ Higher stake in quality
8. Facets of complexity: Development
§ Sound architecture: future proofing without overdoing
§ Unit and integration tests
§ Responding to changing business needs
§ Confusing technology landscape
9. Facets of complexity: Deployment and operation
§ Choosing the right hardware, operating system, web server
§ Monitoring applications
§ Responding to scalability needs
§ Dealing with hardware- and system-level failures
§ Upgrading without substantial down time
15. Inherent vs. Apparent Complexity
Diagram: implementation complexity is made up of functional logic (inherent complexity) plus implementation overhead (apparent complexity). What can we do about this?
17. Three layers of Cloud Computing
• SaaS – Software as a Service
• PaaS – Platform as a Service
• IaaS – Infrastructure as a Service
18. Cloud Foundry open PaaS - Choice of clouds (slides 18-20 build up the same diagram)
Diagram: Cloud Foundry sits between services (Data Services, Msg Services, Other Services) and a choice of clouds (Private Clouds, Public Clouds, Micro Clouds), with Partners alongside; Apache2 license.
28. Design Principles
• Dynamically discoverable components
• No inter-component dependencies
– Launch in any order
– Scale up and down independently
• Monitor using HTTP end points
30. Cloud Foundry Inner Shell and Up
Diagram: Developers and Users reach the Routers; behind them sit the CloudControllers, Stagers, HealthManager, the Execution Agents (DEA) Pool running the Apps, and Services, all connected over Messaging.
31. Cloud Controller
• Interface with the clients
– VMC
– STS
– Portal
• Provides REST interface to domain objects
– Apps
– Services
– Orgs
– Spaces
35. Stager
• Responsible for morphing user app into executable
• Pluggable architecture
– Each plugin understands a framework or a runtime
• Allow the DEA to view applications uniformly
36. Stager’s role
Diagram: the Stager takes apps written for different frameworks (Spring, Play, Rails, …) and turns each into a uniform executable.
46. From bits to running app
Diagram: an Agent receives the application bits (app.war) and drives the startup and stop of the app.
48. Droplet Execution Agent (DEA)
• Responsible for running all apps
• Monitors apps
– Memory and disk quota
– Stage changes
• Uniform view of all apps
– Runtime/framework differences sorted by the stager
• Ensures app isolation
49. Application Isolation
Diagram: each App runs inside a Warden container reached through the DEA Container API, with a private network separate from the host network and a private file system.
52. Router
• Responsible for routing requests to
– User apps
– External-facing components
• Cloud Controller
• UAA
62. Health Manager
§ Expected state:
• Cloud Controller
§ Current state:
• DEAs
§ Current state ← Expected state
64. UAA
• Centralized Identity Management
– Authenticates users from multiple sources
– Presents a single standard protocol for consumers
• User Account Management
• Client Application Registration
• OpenID Connect and OAuth2 – delegated authorization
– Uses Spring Security
65. OAuth2 for Cloud Foundry (slides 65-70 build up the same sequence diagram)
Roles:
• CF Portal – Client
• Cloud controller – Resource server
• User – Resource owner
• UAA – Identity provider
The portal has to answer three questions: Who is this user? What is he/she requesting? Do I have the necessary authorization?
Sequence:
– The user accesses the portal.
– The user authenticates to the UAA (“Authenticate me”) and asserts: the portal can only read my apps.
– The UAA authenticates the user and issues an authorization code.
– The UAA redirects the user back to the portal along with the authcode.
– The portal exchanges the authcode for an access token.
– The UAA issues an access token scoped to cloud_controller.apps.read.
– The portal presents the token containing cloud_controller.apps.read to the Cloud controller.
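An added example, not code from the talk or from Cloud Foundry, that models the authorization-code exchange on slides 65-70 in Ruby: the UAA binds the code to the client, redirect URI and consented scope, consumes it on first use, and the Cloud controller authorizes each call on the token's scope. The client id, secret, redirect URI and user name are assumed values, and tokens are opaque in-memory strings rather than the signed JWTs the real UAA issues.

```ruby
# Added example, not Cloud Foundry code: an in-memory model of the authorization
# code flow on slides 65-70 (UAA = identity provider, CF Portal = client,
# Cloud Controller = resource server). Client id, secret, redirect URI and user
# name are constructed; the real UAA issues signed JWTs, not random hex strings.
require 'securerandom'

APPS_READ = 'cloud_controller.apps.read'
class UAA
  attr_reader :tokens   # opaque access token => { user:, scope: }
  def initialize
    @clients = { 'cf-portal' => { secret: 'portal-secret',
                                  redirect_uri: 'https://portal.example/cb' } }
    @codes  = {}   # authorization code => grant, single use
    @tokens = {}
  end

  # Slides 67-68: the user authenticates and consents; the code is bound to the
  # requesting client, its redirect URI and the consented scope.
  def authorize(client_id:, redirect_uri:, scope:, user:)
    client = @clients[client_id]
    return nil unless client && client[:redirect_uri] == redirect_uri
    code = SecureRandom.hex(16)
    @codes[code] = { client_id: client_id, redirect_uri: redirect_uri,
                     scope: scope, user: user }
    code
  end

  # Slide 69: the code is consumed before any check, so a replayed code fails;
  # the client must present its secret and the id / redirect URI the code was
  # issued for, and the token carries exactly the scope the user consented to.
  def token(client_id:, client_secret:, code:, redirect_uri:)
    grant  = @codes.delete(code)
    client = @clients[client_id]
    return nil unless grant && client && client[:secret] == client_secret
    return nil unless grant[:client_id] == client_id &&
                      grant[:redirect_uri] == redirect_uri
    token = SecureRandom.hex(16)
    @tokens[token] = { user: grant[:user], scope: grant[:scope] }
    token
  end
end

# Slide 70: the resource server authorizes on the token's scope, not on the
# client's identity. Returns :ok, :forbidden or :unauthorized.
def cloud_controller_check(uaa, token, required_scope)
  info = uaa.tokens[token]
  return :unauthorized unless info
  info[:scope].include?(required_scope) ? :ok : :forbidden
end
```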
74. Service Provisioning
• Service Gateway
– Provisions and unprovisions services
– Advertises service availability to the CloudController
• Service Nodes
– Run the actual services
– Scale independently
78. What is BOSH? github.com/cloudfoundry/bosh
Service Evolution Technology for Operating Cloud Foundry in Production Environments
Automated Virtual Infrastructure
• At Cloud Scale
• Abstracted using a Cloud Provider Interface (CPI)
Software Deployment, Configuration and Updates
• Optimized to Minimize Downtime
• Support for multiple VM roles
Repeatable Process
• Release Management with Versioning
Active Monitoring and Alerting
BOSH has been used to run CloudFoundry.com since launch
81. Cloud Foundry “BOSH” – Concepts (slides 81-84 build up the same diagram)
Stemcell
• Base OS
• “BOSH” Agent
Release
• Name
• Jobs
– Software Packages
– Configuration Templates
– Scripts
• "BOSH" Software Packages
– Externally developed s/w
– Internally developed s/w
Deployment Manifest
• Release name and version
• # VMs, params for each Job
• Stemcells to use
Stack shown in the diagram, top to bottom: Environment, Configuration, Software Packages, Stemcell
85. Rolling Update of a Stateless Component
Diagram: incoming HTTP requests flow through a Router to Cloud Controller VMs connected over the Message Bus. Starting with v1 VMs, deploy a single v2 VM (canary); if it works, add more v2 VMs...
86. Example: Rolling Update of a Stateless Component
Diagram continues (Router / LB in front): ... while removing v1 VMs... until all VMs are v2. End result: we upgraded from v1 to v2 with no downtime by building new VMs and destroying old ones.