
Open shift technical overview presentation

Overview
OpenShift v3 is a layered system designed to expose underlying Docker-formatted container image and Kubernetes concepts as accurately as possible, with a focus on easy composition of applications by a developer. For example, install Ruby, push code, and add MySQL.

Unlike OpenShift v2, more flexibility of configuration is exposed after creation in all aspects of the model. The concept of an application as a separate object is removed in favor of more flexible composition of "services", allowing two web containers to reuse a database or expose a database directly to the edge of the network.

What Are the Layers?
The Docker service provides the abstraction for packaging and creating Linux-based, lightweight container images. Kubernetes provides the cluster management and orchestrates containers on multiple hosts.

OpenShift Container Platform adds:

Source code management, builds, and deployments for developers

Managing and promoting images at scale as they flow through your system

Application management at scale

Team and user tracking for organizing a large developer organization

Networking infrastructure that supports the cluster

https://docs.openshift.com/container-platform/3.5/architecture/index.html

Published in: Technology

  1. OPENSHIFT TECHNICAL OVERVIEW, topic index: ● Linux Containers ● OpenShift Concepts Overview ● OpenShift Architecture ● OpenShift Installation Architecture ● Technical Deep Dive ○ Monitoring Application Health ○ Networking ○ Logging & Metrics ○ Security ○ Persistent Storage ○ Service Broker ○ Operator Framework ○ Reference Architectures ○ Build & Deploy Container Images ○ Continuous Integration (CI) & Continuous Delivery (CD) ○ Developer Workflow ○ Application Services ● OpenShift 4
  2. OPENSHIFT CONTAINER PLATFORM TECHNICAL OVERVIEW (title slide with placeholders for presenter, presenter's title and date)
  3. OpenShift in ten words: self-service, multi-language, automation, collaboration, multi-tenant, standards-based, web-scale, open source, enterprise grade, secure
  4. OPENSHIFT CONTAINER PLATFORM, the stack from top to bottom: application lifecycle management; container orchestration and management (Kubernetes); enterprise container host; any container; any infrastructure (laptop, datacenter, OpenStack, Amazon Web Services, Microsoft Azure, Google Cloud)
  5. OPENSHIFT CONTAINER PLATFORM as CaaS and PaaS: Kubernetes on Red Hat Enterprise Linux or Red Hat CoreOS, with Automated Operations (*coming soon). Best IT Ops experience through Cluster Services (metrics, chargeback, registry, logging); best developer experience through Application Services (middleware, service mesh, functions, ISV) and Developer Services (dev tools, automated builds, CI/CD, IDE)
  6. OPENSHIFT ARCHITECTURE (diagram): a Red Hat Enterprise Linux master (API/authentication, data store, scheduler, health/scaling) controls RHEL nodes running containers; a service layer, routing layer, persistent storage and registry sit alongside; existing automation toolsets, SCM (Git) and CI/CD integrate from outside; all of it runs on physical, virtual, private, public or hybrid infrastructure
  7. LINUX CONTAINERS
  8. WHAT ARE CONTAINERS? It depends who you ask. Infrastructure view: ● Application processes on a shared kernel ● Simpler, lighter, and denser than VMs ● Portable across different environments. Application view: ● Package apps with all dependencies ● Deploy to any environment in seconds ● Easily accessed and shared
  9. VIRTUAL MACHINES AND CONTAINERS: a VM isolates the hardware (hardware, hypervisor, then per VM a kernel, OS dependencies and the app); a container isolates the process (hardware, hypervisor, one container host kernel, then per container only the app and its OS dependencies)
  10. VIRTUAL MACHINES AND CONTAINERS: VM isolation means a complete OS, static compute, static memory and high resource usage; container isolation means a shared kernel, burstable compute, burstable memory and low resource usage
  11. VIRTUAL MACHINES AND CONTAINERS, ownership: with VMs, IT Ops (and Dev, sort of) own application, OS dependencies, operating system and infrastructure, optimized for stability; with containers, Dev own the application and its OS dependencies while IT Ops own the container host and infrastructure, optimized for agility. A clear ownership boundary between Dev and IT Ops drives DevOps adoption and fosters agility
  12. APPLICATION PORTABILITY WITH VMs: virtual machines are NOT portable across hypervisors and do NOT provide portable packaging for applications; laptop, bare metal, virtualization, private cloud and public cloud each need their own VM type (X, Y, Z, guest VM), each carrying a full operating system
  13. APPLICATION PORTABILITY WITH CONTAINERS: the same container (application plus OS dependencies) runs on a RHEL guest VM on the laptop, on RHEL bare metal, and on RHEL virtual machines under virtualization, private cloud and public cloud. RHEL containers + RHEL host = guaranteed portability across any infrastructure
  14. LINUX AND CONTAINER INFRASTRUCTURE: containers are Linux. (1) The Linux OS host (container host kernel) spans every container; (2) Linux is in every single container (the Linux O/S dependency under each app). Red Hat Enterprise Linux is a leader in paid Linux: 70% CY2016 paid Linux share
  15. RAPID SECURITY PATCHING USING CONTAINER IMAGE LAYERING, example container image: base image (base RHEL OS), image layer 1 (update layer), image layer 2 (Java runtime layer), image layer 3 (application layer)
  16. A lightweight, OCI-compliant container runtime: ● Minimal and secure architecture ● Optimized for Kubernetes ● Runs any OCI-compliant image (including docker) ● Optional runtime in OCP 3.10, default in OCP 3.11+
  17. OPENSHIFT CONCEPTS OVERVIEW
  18. CONTAINER: a container is the smallest compute unit
  19. CONTAINER IMAGE: containers are created from container images (binary plus runtime)
  20. IMAGE REGISTRY: container images are stored in an image registry
  21. IMAGE REPOSITORY: an image repository contains all versions of an image in the image registry, e.g. myregistry/frontend (frontend:latest, frontend:2.0, frontend:1.1, frontend:1.0) and myregistry/mongo (mongo:latest, mongo:3.7, mongo:3.6, mongo:3.4)
  22. POD: containers are wrapped in pods, which are the units of deployment and management; each pod has its own IP (e.g. 10.1.0.11, 10.1.0.55)
  23. DEPLOYMENT: pod configuration is defined in a deployment (image name, replicas, labels, cpu, memory, storage)
  24. SERVICE: services provide internal load-balancing and service discovery across pods, e.g. a backend service at 172.30.170.110 in front of the role: backend pods at 10.110.1.11, 10.120.2.22, 10.130.3.33 and 10.140.4.44
  25. Apps can talk to each other via services: the role: frontend pod invokes the backend API through the backend service rather than through individual pod IPs
  26. ROUTE: routes add services to the external load-balancer and provide readable URLs for the app, e.g. app-prod.mycompany.com (> curl http://app-prod.mycompany.com)
  27. PROJECT: projects isolate apps across environments, teams, groups and departments, e.g. separate PAYMENT DEV, PAYMENT PROD, CATALOG and INVENTORY projects with traffic between them blocked (❌)
  28. OPENSHIFT ARCHITECTURE
  29. YOUR CHOICE OF INFRASTRUCTURE: physical, virtual, private, public, hybrid
  30. NODES: RHEL instances where apps run
  31. APPS RUN IN CONTAINERS: container image, container, pod, running on the RHEL nodes
  32. PODS ARE THE UNIT OF ORCHESTRATION
  33. MASTERS ARE THE CONTROL PLANE: a Red Hat Enterprise Linux master over the RHEL nodes
  34. API AND AUTHENTICATION: the master exposes the API and handles authentication
  35. DESIRED AND CURRENT STATE: the master's data store holds the desired and current state of the cluster
  36. INTEGRATED CONTAINER REGISTRY: the registry runs on a RHEL node inside the cluster
  37. ORCHESTRATION AND SCHEDULING: the master's scheduler
  38. PLACEMENT BY POLICY: the scheduler places containers on nodes according to policy
  39. AUTOSCALING PODS: the master's health/scaling component
  40. SERVICE DISCOVERY: the service layer
  41. PERSISTENT DATA IN CONTAINERS: persistent storage attached to the nodes
  42. ROUTING AND LOAD-BALANCING: the routing layer
  43. ACCESS VIA WEB, CLI, IDE AND API: existing automation toolsets, SCM (Git) and CI/CD drive the whole stack (service layer, routing layer, persistent storage, registry, master with API/authentication, data store, scheduler and health/scaling, RHEL nodes on physical, virtual, private, public or hybrid infrastructure)
  44. OPENSHIFT INSTALLATION ARCHITECTURES
  45. PROOF-OF-CONCEPT ARCHITECTURE: one combined infra/master node plus two nodes; application traffic and Dev and Ops users reach the cluster directly. An infrastructure node is a node that is dedicated to infrastructure pods such as router, image registry, metrics, and logs
  46. APP HIGH-AVAILABILITY ARCHITECTURE: an enterprise load-balancer in front of an infra/master node, a second infra node and four nodes; application traffic and Dev and Ops users enter through the load-balancer
  47. FULL HIGH-AVAILABILITY ARCHITECTURE: an enterprise load-balancer in front of redundant masters (one of them also an infra node), additional infra nodes and a larger pool of nodes
  48. TECHNICAL DEEP DIVE
  49. MONITORING APPLICATION HEALTH
  50. AUTO-HEALING FAILED PODS (diagram): the master's health/scaling component notices a failed pod and the scheduler replaces it on a healthy node
  51. AUTO-HEALING FAILED CONTAINERS (diagram, step 1 of 4): a container inside a pod fails
  52. AUTO-HEALING FAILED CONTAINERS (step 2 of 4): the failure is detected by health/scaling
  53. AUTO-HEALING FAILED CONTAINERS (step 3 of 4): the failed container is restarted in place
  54. AUTO-HEALING FAILED CONTAINERS (step 4 of 4): the pod is healthy again
  55. NETWORKING
  56. BUILT-IN SERVICE DISCOVERY, INTERNAL LOAD-BALANCING: the service payroll-frontend (IP 172.10.1.23, port 8080) selects the pods labelled app=payroll role=frontend version=1.0; an app=payroll role=backend pod reaches them through the service
  57. BUILT-IN SERVICE DISCOVERY, INTERNAL LOAD-BALANCING: when a new app=payroll role=frontend pod with version=2.0 is added, the service load-balances across it and the version=1.0 pods without any change on the backend
  58. ROUTE EXPOSES SERVICES EXTERNALLY: external traffic enters through the router pod and the route, then the service spreads internal traffic across the pods
  59. ROUTING AND EXTERNAL LOAD-BALANCING ● Pluggable routing architecture ○ HAProxy Router ○ F5 Router ● Multiple routers with traffic sharding ● Router supported protocols ○ HTTP/HTTPS ○ WebSockets ○ TLS with SNI ● Non-standard ports via cloud load-balancers, external IP, and NodePort
  60. ROUTE SPLIT TRAFFIC: split traffic between multiple services for A/B testing, blue/green and canary deployments, e.g. a route sending 90% of traffic to service A (App A pods) and 10% to service B (App B pods)
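As an added example (not a slide from the deck), the Route object that yields the 90/10 split on slide 60, with the hostname from slide 26; the Service names app-a and app-b and the TLS settings are assumptions. Weights are relative, so they do not have to sum to 100.

```yaml
# Added example: an OpenShift Route splitting traffic between two Services.
# Service names (app-a, app-b), target port and TLS settings are assumed.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: app-prod
spec:
  host: app-prod.mycompany.com
  to:
    kind: Service
    name: app-a
    weight: 90          # primary backend: 90% of requests
  alternateBackends:
  - kind: Service
    name: app-b
    weight: 10          # canary backend: 10% of requests
  port:
    targetPort: 8080    # Service port the router forwards to
  tls:
    termination: edge   # TLS ends at the router; set weight 0 on a backend to drain it
    insecureEdgeTerminationPolicy: Redirect   # plain-HTTP clients are redirected to HTTPS
```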
  61. EXTERNAL TRAFFIC TO A SERVICE ON A RANDOM PORT WITH NODEPORT ● NodePort binds a service to a unique port on all the nodes ● Traffic received on any node redirects to a node with the running service ● Ports are in the 30K-60K range, which usually differs from the service port ● Firewall rules must allow traffic to all nodes on the specific port. Diagram: the client connects to 192.10.0.10:31421, 192.10.0.11:31421 or 192.10.0.12:31421 and reaches the service (internal IP 172.1.0.20:90) backed by pods 10.1.0.1:90, 10.1.0.2:90 and 10.1.0.3:90
  62. EXTERNAL TRAFFIC TO A SERVICE ON ANY PORT WITH INGRESS ● Access a service with an external IP on any TCP/UDP port, such as ○ Databases ○ Message Brokers ● Automatic IP allocation from a predefined pool using Ingress IP Self-Service ● IP failover pods provide high availability for the IP pool. Diagram: the client connects to the service's external IP 200.1.0.10:90 (internal IP 172.1.0.20:90), backed by pods 10.1.0.1:90, 10.1.0.2:90 and 10.1.0.3:90 on nodes 192.10.0.10, 192.10.0.11 and 192.10.0.12
  63. CONTROLLING EGRESS TRAFFIC, default Kubernetes behaviour: pods leave the cluster with the IP of the node they run on (node 1 = IP 1, node 2 = IP 2), so an external service that whitelists IP 1 cannot tell project A's pods from project B's
  64. CONTROLLING EGRESS TRAFFIC, egress router: project A's pods send traffic to an egress service (internal IP) fronting an egress router pod that owns IP 3, which the external service whitelists. Project B's pods cannot reach the egress service (* blocked by the multi-tenant network plugin), and traffic arriving directly from node IPs is rejected (** blocked by the external service)
  65. CONTROLLING EGRESS TRAFFIC, egress router failover: if the egress router fails, traffic fails over to a standby egress router in project A that takes over IP 3, so the external whitelist does not change
  66. CONTROLLING EGRESS TRAFFIC, egress IP high availability (multiple IPs): project A is assigned egress IPs IP 4 (node 2) and IP 5 (node 3), served by egress handlers on those nodes; the external service whitelists IP 4 and IP 5; project B's pod on node 1 still egresses with IP 1
  67. CONTROLLING EGRESS TRAFFIC, egress IP high availability (multiple IPs): when IP 4 fails, project A's traffic continues through IP 5
  68. CONTROLLING EGRESS TRAFFIC, egress IP high availability (single IP, * coming soon): project A's single egress IP 4 moves from the failed egress handler on node 2 to the egress handler on node 3, and the external whitelist (IP 4) is unchanged
  69. OPENSHIFT NETWORKING ● Built-in internal DNS to reach services by name ● Split DNS is supported via SkyDNS ○ Master answers DNS queries for internal services ○ Other name servers serve the rest of the queries ● Software Defined Networking (SDN) for a unified cluster network to enable pod-to-pod communication ● OpenShift follows the Kubernetes Container Networking Interface (CNI) plug-in model
  70. OPENSHIFT NETWORK PLUGINS (CNI), each marked fully supported, validated or in progress on the slide: OpenShift SDN (OVS, DEFAULT), OpenShift SDN (OVN*), Flannel**, kuryr-kubernetes, RH-OSP Neutron Plugin, Nuage, Tigera Calico & CNX, Juniper Contrail, Cisco Contiv & Contiv-ACI, Big Switch, Open Daylight (CNI & Kuryr), VMware NSX-T. * Coming as default in OCP 4.1. ** Flannel is minimally verified and is supported only and exactly as deployed in the OpenShift on OpenStack reference architecture
  71. OPENSHIFT NETWORKING (diagram): pods 10.1.2.2 and 10.1.2.4 on node 172.16.1.10 and pods 10.1.4.2 and 10.1.4.4 on node 172.16.1.20 communicate over a VXLAN overlay network carried on the node IP network
  72. OPENSHIFT SDN modes. FLAT NETWORK (default) ● All pods can communicate with each other across projects. MULTI-TENANT NETWORK ● Project-level network isolation ● Multicast support ● Egress network policies. NETWORK POLICY ● Granular policy-based isolation. Diagram (multi-tenant network): pods in project A, project B and project C cannot reach each other, while the default namespace can reach all of them (✓)
  73. OPENSHIFT SDN - NETWORK POLICY. Example policies: ● Allow all traffic inside the project ● Allow traffic from green to gray ● Allow traffic to purple on 8080 (diagram: pods in project A and project B, with allowed flows on 8080 and 5432 marked ✓). The third policy as shown on the slide:
      apiVersion: extensions/v1beta1
      kind: NetworkPolicy
      metadata:
        name: allow-to-purple-on-8080
      spec:
        podSelector:
          matchLabels:
            color: purple
        ingress:
        - ports:
          - protocol: TCP
            port: 8080
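The other two example policies from slide 73, written out as an added example (not from the deck) together with the deny-all policy that gives them their effect; they use the networking.k8s.io/v1 API, which has the same shape as the extensions/v1beta1 form on the slide, and the labels color=green and color=gray are assumptions.

```yaml
# Added example: the remaining policies named on slide 73, plus a default deny.
# Labels color=green / color=gray are assumed for illustration.
#
# 1. Deny all ingress to every pod in the project. A pod becomes isolated as soon
#    as any policy selects it; the empty podSelector selects every pod, and with
#    no ingress rules nothing is allowed in.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# 2. "Allow all traffic inside the project": an empty podSelector under `from`
#    matches every pod of the same namespace and nothing from other namespaces.
#    Policies are additive, so this re-opens what deny-all-ingress closed, but
#    only for senders inside the project.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
spec:
  podSelector: {}
  ingress:
  - from:
    - podSelector: {}
---
# 3. "Allow traffic from green to gray": only pods labelled color=green may reach
#    pods labelled color=gray, on any port. With deny-all-ingress alone (policy 2
#    not applied), green pods are the only senders gray pods accept.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-green-to-gray
spec:
  podSelector:
    matchLabels:
      color: gray
  ingress:
  - from:
    - podSelector:
        matchLabels:
          color: green
```

These objects are enforced only when the cluster runs the ovs-networkpolicy plugin (or another CNI that implements NetworkPolicy); under ovs-subnet they are accepted by the API but have no effect.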
  74. OPENSHIFT SDN - OVS PACKET FLOW, container to container on the same host: POD 1 (veth0, 10.1.15.2/24) sends through br0 (10.1.15.1/24) straight to POD 2 (veth1, 10.1.15.3/24); the node's eth0 (192.168.0.100) and vxlan0 are not involved
  75. OPENSHIFT SDN - OVS PACKET FLOW, container to container on different hosts: POD 1 (veth0, 10.1.15.2/24) on node 1 goes through br0 (10.1.15.1/24) into vxlan0, leaves on eth0 192.168.0.100, crosses the IP network to eth0 192.168.0.200 on node 2, and arrives through vxlan0 and br0 (10.1.20.1/24) at POD 2 (veth0, 10.1.20.2/24)
  76. OPENSHIFT SDN - OVS PACKET FLOW, container connects to an external host: POD 1 (veth0, 10.1.15.2/24) on node 1 goes through br0 (10.1.15.1/24) to tun0 and out of eth0 192.168.0.100 to the external host
  77. OPENSHIFT SDN WITH FLANNEL FOR OPENSTACK: on each node, pods attach to docker0 (10.1.15.1/24 on node 1 with POD 1 at 10.1.15.2/24; 10.1.20.1/24 on node 2 with POD 2 at 10.1.20.2/24), flanneld programs the routing table from state kept in etcd, and the nodes exchange traffic over eth0 (192.168.0.100, 192.168.0.200). Flannel is minimally verified and is supported only and exactly as deployed in the OpenShift on OpenStack reference architecture: https://access.redhat.com/articles/2743631
  78. LOGGING & METRICS
  79. CENTRAL LOG MANAGEMENT WITH EFK ● EFK stack to aggregate logs for hosts and applications ○ Elasticsearch: a search and analytics engine to store logs ○ Fluentd: gathers logs and sends them to Elasticsearch ○ Kibana: a web UI for Elasticsearch ● Access control ○ Cluster administrators can view all logs ○ Users can only view logs for their projects ● Ability to send logs elsewhere ○ External Elasticsearch, Splunk, etc.
  80. CENTRAL LOG MANAGEMENT WITH EFK (diagram): Fluentd on every RHEL node ships application logs to one Elasticsearch cluster, which users query through Kibana, and operation logs to a separate Elasticsearch cluster, which admins query through their own Kibana
  81. CONTAINER METRICS
  82. CONTAINER METRICS (diagram): cAdvisor on each RHEL node feeds Heapster, which stores metrics in Hawkular on Cassandra; the OpenShift web console, Red Hat CloudForms, custom dashboards and API users read them from there
  83. SECURITY
  84. AUTOMATED & INTEGRATED SECURITY: CONTROL application security (container content, container registry, CI/CD pipeline, deployment policies); DEFEND infrastructure (container host multi-tenancy, container platform, network isolation, storage, audit & logging); EXTEND (security ecosystem, API management)
  85. SECRET MANAGEMENT ● Secure mechanism for holding sensitive data, e.g. ○ Passwords and credentials ○ SSH keys ○ Certificates ● Secrets are made available as ○ Environment variables ○ Volume mounts ○ Interaction with external systems ● Encrypted in transit and at rest ● Never rest on the nodes (diagram: secrets are kept in the master's distributed store and delivered to the containers on a node)
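An added example (not from the deck) of the two delivery paths slide 85 lists, a Secret consumed as an environment variable and as a volume mount by one Deployment; the secret name, keys, values, labels and image placeholder are all constructed for illustration.

```yaml
# Added example: one Secret delivered to a pod as an env var and as files.
# Name, keys, values and the image placeholder are constructed, not from the deck.
apiVersion: v1
kind: Secret
metadata:
  name: payroll-db
type: Opaque
stringData:                      # written as plain text; stored base64-encoded by the API server
  username: payroll
  password: example-only-change-me
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payroll-backend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: payroll
      role: backend
  template:
    metadata:
      labels:
        app: payroll
        role: backend
    spec:
      containers:
      - name: backend
        image: IMAGE-PLACEHOLDER             # the deck names no application image
        env:
        - name: DB_USERNAME                  # a single key as an environment variable
          valueFrom:
            secretKeyRef:
              name: payroll-db
              key: username
        volumeMounts:
        - name: db-creds                     # the whole secret as one file per key
          mountPath: /etc/payroll
          readOnly: true
      volumes:
      - name: db-creds
        secret:
          secretName: payroll-db             # the kubelet keeps the files in tmpfs, never on disk
```

An environment variable is inherited by every child process and tends to surface in crash dumps and debug output, so the read-only file mount is the better choice for long-lived credentials.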
  86. CERTIFICATE MANAGEMENT ● Certificates are used to provide secure connections to ○ master and nodes ○ router and registry ○ etcd ● Ansible playbooks to automate redeployment ● Redeploy all at once or specific components ● Certificate expiry report generator (diagram: an Ansible playbook checks expiry and redeploys certs for master, nodes, router, registry and etcd)
  87. CERTIFICATE EXPIRY REPORT, certificate checks: ● master and nodes ● router and registry service certificates from etcd secrets ● master, node, router, registry, and kubeconfig files for cluster-admin users ● etcd certificates
  88. PERSISTENT STORAGE
  89. PERSISTENT STORAGE ● A Persistent Volume (PV) is tied to a piece of network storage ● Provisioned by an administrator (statically or dynamically) ● Allows admins to describe storage and users to request storage ● Assigned to pods based on the requested size, access mode, labels and type. Back ends: NFS, GlusterFS, OpenStack Cinder, Ceph RBD, AWS EBS, GCE Persistent Disk, iSCSI, Fibre Channel, Azure Disk, Azure File, FlexVolume, VMware vSphere VMDK, NetApp Trident*, Container Storage Interface (CSI)**. * Shipped and supported by NetApp via TSANet. ** Tech Preview
  90. PERSISTENT STORAGE (diagram): the admin registers PVs (NFS, iSCSI, GlusterFS, Ceph RBD) into a pool of persistent volumes; a user creates a claim in the project, and each pod's claim is bound to a PV from the pool
  91. DYNAMIC VOLUME PROVISIONING (diagram): the admin defines StorageClasses (Slow: Azure-Disk, Fast: AWS-SSD, Fastest: NetApp-Flash); a user creates a claim for "Fastest"; the OpenShift PV controller asks the matching provisioner (Azure, AWS or NetApp) to provision a PV, which is then bound to the pod's claim
  92. OPENSHIFT CONTAINER STORAGE, a distributed, secure, scale-out storage cluster ● Containerized Red Hat Gluster Storage ● Native integration with OpenShift ● Unified orchestration using Kubernetes for applications and storage ● Greater control & ease of use for developers ● Lower TCO through convergence ● Single vendor support (diagram: application containers and storage containers side by side)
  93. OPENSHIFT CONTAINER STORAGE (diagram): RHGS pods run alongside application pods on the nodes, under one master
  94. 94. SERVICE BROKER
  95. 95. OPENSHIFT TECHNICAL OVERVIEW95 WHY A SERVICE BROKER? SERVICE CONSUMER SERVICE PROVIDER ☑ Open ticket ☑ Wait for allocation ☑ Receive credentials ☑ Add to app ☑ Deploy app Manual, Time-consuming and Inconsistent
  96. 96. OPENSHIFT TECHNICAL OVERVIEW96 A multi-vendor project to standardize how services are consumed on cloud- native platforms across service providers
  97. 97. OPENSHIFT TECHNICAL OVERVIEW97 WHAT IS A SERVICE BROKER? SERVICE CONSUMER SERVICE PROVIDER SERVICE CATALOG SERVICE BROKER Automated, Standard and Consistent
  98. 98. OPENSHIFT TECHNICAL OVERVIEW98 OPENSHIFT SERVICE CATALOG OPENSHIFT SERVICE CATALOG OpenShift Automation Broker OpenShift Template Broker AWS Service Broker Other Service Brokers ANSIBLE OPENSHIFT AWS OTHER COMPATIBLE SERVICES Ansible Playbook Bundles OpenShift Templates AWS Services Other Services
  99. 99. OPENSHIFT TECHNICAL OVERVIEW99 SERVICE BROKER CONCEPTS SERVICE CONSUMER SERVICE PROVIDER SERVICE CATALOG SERVICE BROKER SERVICE: an offering that can be used by an app e.g. database PLAN: a specific flavor of a service e.g. Gold Tier SERVICE INSTANCE: an instance of the offering PROVISION: creating a service instance BIND: associate a service instance and its credentials to an app
  100. 100. OPENSHIFT TECHNICAL OVERVIEW ● Deploy service broker on or off OpenShift ● Register the broker referring to the deployed broker ● Register the broker services by creating ServiceClass resources (the service broker might automatically perform this step) 100 HOW TO ADD A SERVICE BROKER apiVersion: servicecatalog.k8s.io/v1alpha1 kind: Broker metadata: name: asb-broker spec: url: https://asb-1338-ansible-service-broker.10.2.2.15.nip.io
  101. 101. OPENSHIFT TECHNICAL OVERVIEW101 ● Exposes Templates and Instant Apps in the Service Catalog ● Pulled from openshift namespace by default ● Multiple namespaces can be configured for template discovery TEMPLATE SERVICE BROKER
  102. 102. OPENSHIFT TECHNICAL OVERVIEW102 TEMPLATE SERVER BROKER PROVISIONING Template Service Broker Node.js Container openshift namespace nodejs-template OpenShift Service Catalog Service Broker creates a the objects from the template
  103. 103. OPENSHIFT TECHNICAL OVERVIEW103 TEMPLATE SERVICE BROKER BINDING Template Service Broker Node.js Container openshift namespace nodejs-template OpenShift Service Catalog create binding Service Broker creates a binding and secret for any credentials (config map, secret, etc) created by the template
  104. 104. OPENSHIFT TECHNICAL OVERVIEW104 OPENSHIFT ANSIBLE BROKER ● Use Ansible on OpenShift ○ Deploy containerized applications ○ Provision external services (e.g. Oracle database) ○ Provision cloud services (e.g. AWS RDS) ○ Orchestrate multi-service solutions ○ Conditional logic for control on deployments (e.g. database is initialized) ● Leverage existing Ansible playbooks ● Anything you can do with Ansible, you can do with OAB
  105. 105. ANSIBLE PLAYBOOK BUNDLES (APB)
      ● Lightweight application definition
      ● Packaged as a container image
      ● Embedded Ansible runtime
      ● Metadata for parameters
      ● Named playbooks for actions
      ● Leverage existing Ansible playbooks
      ● Registry is queried to discover APBs

      Ansible Playbook Bundle (Container Image) layout, alongside the Ansible Runtime:
      ├─ roles
      ├─ playbooks
      │  ├─ provision.yaml
      │  ├─ unprovision.yaml
      │  ├─ bind.yaml
      │  └─ unbind.yaml
      └─ apb.yaml
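As an added illustration of the layout above (constructed for this page, not a file from the deck or from any published APB), an apb.yaml for a hypothetical PostgreSQL bundle: the metadata declares the service, its plans and the parameters the broker collects from the user, and those parameters are the variables the named playbooks receive. All names, URLs and defaults are made up.

```yaml
# Constructed apb.yaml for a hypothetical "example-postgresql-apb".
# The broker reads this file to build the Service Catalog entry; the plan
# parameters become the $vars passed to provision.yaml / bind.yaml.
version: 1.0
name: example-postgresql-apb
description: PostgreSQL database for development and testing
bindable: true            # the bundle implements bind.yaml and unbind.yaml
async: optional           # the broker may run the action asynchronously
metadata:
  displayName: PostgreSQL (example APB)
  documentationUrl: https://docs.example.com/postgresql-apb   # placeholder
  dependencies:
    - registry.access.redhat.com/rhscl/postgresql-95-rhel7    # image the playbooks deploy
plans:
  - name: dev
    description: Single database container, no persistent storage
    free: true
    metadata:
      displayName: Development
    parameters:
      - name: postgresql_database
        title: Database name
        type: string
        default: admin
        required: true
      - name: postgresql_user
        title: Database user
        type: string
        default: admin
        required: true
      - name: postgresql_password
        title: Database password
        type: string
        display_type: password     # masked in the catalog UI, never echoed back
        required: false            # no default: this bundle's provision playbook
                                   # generates a random one when it is left empty
  - name: prod
    description: Database with a persistent volume
    free: false
    metadata:
      displayName: Production
    parameters:
      - name: postgresql_database
        title: Database name
        type: string
        required: true
      - name: postgresql_user
        title: Database user
        type: string
        required: true
      - name: postgresql_password
        title: Database password
        type: string
        display_type: password
        required: true             # production plan refuses to provision without one
      - name: postgresql_volume_size
        title: Volume size
        type: string
        default: 10Gi
        required: true
```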
  106. 106. OPENSHIFT ANSIBLE BROKER PROVISIONING
      Diagram: OpenShift Service Catalog → OpenShift Ansible Broker → configured image registries (Red Hat Container Catalog, DockerHub, OpenShift Registry) holding mediawiki-apb and postgresql-apb
      The broker discovers and lists APBs from the configured image registries.
  107. 107. OPENSHIFT ANSIBLE BROKER PROVISIONING
      oc run postgresql-apb provision $vars
      The broker pulls the APB image and runs it as an APB Container (postgresql) with the broker action as a parameter.
  108. 108. OPENSHIFT ANSIBLE BROKER PROVISIONING
      oc run postgresql-apb provision $vars → ansible-playbook provision.yaml $vars
      The APB container runs the provision.yaml playbook to create a PostgreSQL container.
  109. 109. OPENSHIFT ANSIBLE BROKER BINDING
      oc run postgresql-apb bind $vars → ansible-playbook bind.yaml $vars
      The APB container runs the bind.yaml playbook to create a database user (the binding is for the MediaWiki Container).
  110. 110. OPENSHIFT ANSIBLE BROKER BINDING
      The Service Catalog creates a secret for the binding, containing the database credentials (mount binding secret).
  111. 111. OPENSHIFT ANSIBLE BROKER BINDING
      The APB container goes away and the Service Broker creates a binding for the PostgreSQL service.
  112. 112. OPENSHIFT ANSIBLE BROKER BINDING
      The MediaWiki container uses the credentials in the mounted binding secret to connect to the PostgreSQL database.
  113. 113. AWS SERVICE BROKER
      ● Amazon Athena
      ● Amazon DynamoDB
      ● Amazon ElastiCache
      ● Amazon EMR
      ● Amazon Kinesis Data Streams
      ● Amazon KMS
      ● Amazon Lex
      ● Amazon Polly
      ● Amazon RDS for MariaDB
      ● Amazon RDS for MySQL
      ● Amazon RDS for PostgreSQL
      ● Amazon RedShift
      ● Amazon Rekognition
      ● Amazon Route 53
      ● Amazon S3
      ● Amazon SNS
      ● Amazon SQS
      ● Amazon Translate
  114. 114. AWS PROVISIONING
      oc run rds-apb provision $vars → ansible-playbook provision.yaml $vars
      Diagram: OpenShift Service Catalog → OpenShift Ansible Broker → APB Container (rds); APBs (s3-apb, rds-apb) are discovered from compatible Docker registries such as AWS ECR
      The APB container runs the provision.yaml playbook to interact with AWS CloudFormation (CFN) and create an RDS instance.
  115. 115. AZURE SERVICE BROKER
      Available on OpenShift on Azure managed-service and Azure Stack
      ● Azure Cosmos DB
      ● Azure KeyVault
      ● Azure Storage
      ● Azure Redis Cache
      ● Azure DocumentDB
      ● Azure Service Bus and Event Hub
      ● Azure SQL Database
      ● Azure SQL Database Failover Group
      ● Azure Database for MySQL
      ● Azure Database for PostgreSQL
  116. 116. OPERATOR FRAMEWORK (coming soon)
  117. 117. KUBERNETES OPERATOR FRAMEWORK
      Operator Framework is an open source toolkit to manage application instances on Kubernetes in an effective, automated and scalable way.
      AUTOMATED LIFECYCLE MANAGEMENT: Installation, Upgrade, Backup, Failure recovery, Metrics & insights, Tuning
  118. 118. KUBERNETES OPERATOR FRAMEWORK
      Operators codify operational knowledge and workflows to automate lifecycle management of containerized applications with Kubernetes.
      Components: SDK, LIFECYCLE MANAGEMENT, METERING
  119. 119. WHY OPERATOR FRAMEWORK?
      Diagram: a DEVELOPER deploys a stateful app; a while later it needs UPDATE, PATCH, BACKUP, REBALANCE and SCALE. On the left these tasks fall to APP SERVICES OPERATIONS; on the right an APP OPERATOR performs the same tasks for the developer.
  120. 120. OPERATOR LIFECYCLE MANAGER
  121. 121. OPERATOR METERING
      ● Based on Prometheus
      ● Reports on namespaces, pods and custom label queries
      ● Easy to process by accounting or custom software
  122. 122. THE INDUSTRY IS ALIGNING BEHIND THE KUBERNETES OPERATOR FRAMEWORK
      60+ Certified ISV Operators in the Red Hat Early Access Program
  123. 123. REFERENCE ARCHITECTURES
  124. 124. REFERENCE ARCHITECTURES
      ● Application Release Strategies with OpenShift
      ● Building Polyglot Microservices on OpenShift
      ● Building JBoss EAP 6 Microservices on OpenShift
      ● Building JBoss EAP 7 Microservices on OpenShift
      ● Business Process Management with JBoss BPMS on OpenShift
      ● Build and Deployment of Java Applications on OpenShift
      ● Building Microservices on OpenShift with Fuse Integration...
      ● JFrog Artifactory on OpenShift Container Platform
      ● Spring Boot Microservices on Red Hat OpenShift
      ● API Management with Red Hat 3scale on OpenShift
      ● App CI/CD on OCP with Jenkins
      ● OpenShift on VMware vCenter
      ● OpenShift on Red Hat OpenStack Platform
      ● OpenShift on Amazon Web Services
      ● OpenShift on Google Cloud Platform
      ● OpenShift on Microsoft Azure
      ● OpenShift on Red Hat Virtualization
      ● OpenShift on HPE Servers with Ansible Tower
      ● OpenShift on VMware vCenter 6 with Gluster
      ● Deploying an OpenShift Distributed Architecture
      ● OpenShift Architecture and Deployment Guide
      ● OpenShift Scaling, Performance, and Capacity Planning
  125. 125. BUILD AND DEPLOY CONTAINER IMAGES
  126. 126. BUILD AND DEPLOY CONTAINER IMAGES
      ● DEPLOY YOUR SOURCE CODE
      ● DEPLOY YOUR CONTAINER IMAGE
      ● DEPLOY YOUR APP BINARY
  127. 127. DEPLOY SOURCE CODE WITH SOURCE-TO-IMAGE (S2I)
      Developer → code → Git Repository → BUILD APP (OpenShift) → BUILD IMAGE (OpenShift: Source-to-Image with an S2I Builder Image) → Image Registry → DEPLOY (OpenShift) → Application Container
      Legend: User/Tool Does vs. OpenShift Does
  128. 128. DEPLOY APP BINARY WITH SOURCE-TO-IMAGE (S2I)
      Existing Build Process → BUILD APP (Build Infra) → Application Binary (e.g. WAR) → BUILD IMAGE (OpenShift: Source-to-Image with an S2I Builder Image) → Image Registry → DEPLOY (OpenShift) → Application Container
      Legend: User/Tool Does vs. OpenShift Does
  129. 129. DEPLOY DOCKER IMAGE
      Existing Image Build Process → BUILD IMAGE (Build Infra) → Application Image → PUSH (Build Infra) → Image Registry → DEPLOY (OpenShift) → Application Container
      Legend: User/Tool Does vs. OpenShift Does
  130. 130. BUILD IMAGES IN MULTIPLE STAGES
      BUILD STAGE 1 → BUILD STAGE 2 → BUILD STAGE 3
  131. 131. EXAMPLE: USE ANY RUNTIME IMAGE WITH SOURCE-TO-IMAGE BUILDS
      WILDFLY S2I BUILD (WildFly S2I Builder Image) → app.war → DOCKER BUILD (WildFly Runtime Image)
      Use Source-to-Image to build app binaries and deploy on lean vanilla runtimes. Read more on https://blog.openshift.com/chaining-builds/
  132. 132. EXAMPLE: USE ANY BUILD TOOL WITH OFFICIAL RUNTIME IMAGES
      CUSTOM GRADLE BUILD (Custom Gradle S2I Builder Image) → app.war → DOCKER BUILD (Red Hat OpenJDK Image)
      Use your choice of build tool, like Gradle, and deploy to official images like the JDK image. Read more on https://blog.openshift.com/chaining-builds/
  133. 133. EXAMPLE: SMALL LEAN RUNTIMES
      CUSTOM GO BUILD (Custom Go S2I Builder Image) → app → DOCKER BUILD (Scratch Image)
      Build the app binary and deploy on small scratch images. Read more on https://blog.openshift.com/chaining-builds/
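The Go/scratch chain on slide 133, written out as two BuildConfigs in an added example that is not from the deck or the linked blog post: the first build compiles the binary with an S2I builder, the second pulls only that binary out of the first build's output image onto a scratch base and is triggered by that image. The image stream names (go-s2i-builder, app-build, app), the Git URI and the path of the binary inside the S2I output image are assumptions.

```yaml
# Stage 1: S2I build that compiles the Go binary into an intermediate image.
# The ImageStreams go-s2i-builder, app-build and app are assumed to exist.
apiVersion: v1
kind: BuildConfig
metadata:
  name: app-build
spec:
  source:
    type: Git
    git:
      uri: https://git.example.com/app.git        # assumed repository
  strategy:
    type: Source
    sourceStrategy:
      from:
        kind: ImageStreamTag
        name: go-s2i-builder:latest               # assumed custom Go S2I builder
  output:
    to:
      kind: ImageStreamTag
      name: app-build:latest                      # artifact image, never deployed
  triggers:
  - type: ConfigChange
---
# Stage 2: Docker build that copies only the compiled binary from the stage 1
# image into the build context and puts it on scratch, so the runtime image
# carries no compiler, package manager or shell.
apiVersion: v1
kind: BuildConfig
metadata:
  name: app
spec:
  source:
    type: Dockerfile
    dockerfile: |-
      FROM scratch
      COPY app /app
      USER 1001
      ENTRYPOINT ["/app"]
    images:
    - from:
        kind: ImageStreamTag
        name: app-build:latest
      paths:
      - sourcePath: /opt/app-root/src/app         # assumed location of the binary in the S2I output
        destinationDir: "."                       # lands as ./app in the Docker build context
  strategy:
    type: Docker
  output:
    to:
      kind: ImageStreamTag
      name: app:latest
  triggers:
  - type: ImageChange                             # the chain: rebuild whenever stage 1 pushes
    imageChange:
      from:
        kind: ImageStreamTag
        name: app-build:latest
```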
  134. 134. CONTINUOUS INTEGRATION (CI) CONTINUOUS DELIVERY (CD)
  135. 135. CI/CD WITH BUILDS AND DEPLOYMENTS
      BUILDS
      ● Webhook triggers: build the app image whenever the code changes
      ● Image trigger: build the app image whenever the base language or app runtime image changes
      ● Build hooks: test the app image before pushing it to an image registry
      DEPLOYMENTS
      ● Deployment triggers: redeploy app containers whenever the configuration changes or the image changes in the OpenShift integrated registry or upstream registries
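The triggers and hook listed above, in an added example that is not a manifest from the deck: a BuildConfig with webhook, image-change and config-change triggers plus a post-commit test hook, and a DeploymentConfig that redeploys on image or config change. Resource names, the Git URI, the nodejs:8 builder tag and the webhook secret are placeholders.

```yaml
apiVersion: v1
kind: BuildConfig
metadata:
  name: app
spec:
  source:
    type: Git
    git:
      uri: https://git.example.com/app.git      # placeholder repository
  strategy:
    type: Source
    sourceStrategy:
      from:
        kind: ImageStreamTag
        namespace: openshift
        name: nodejs:8                          # base language / app runtime image (assumed tag)
  output:
    to:
      kind: ImageStreamTag
      name: app:latest
  postCommit:
    # Build hook: runs in a container from the freshly built image; a non-zero
    # exit fails the build, so a failing test suite is never pushed.
    script: "npm test"
  triggers:
  - type: GitHub                                # webhook trigger: code changed
    github:
      secret: REPLACE_WITH_RANDOM_SECRET        # placeholder; becomes part of the webhook URL
  - type: ImageChange                           # image trigger: nodejs:8 was updated
    imageChange: {}
  - type: ConfigChange                          # rebuild when this BuildConfig changes
---
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: app
spec:
  replicas: 2
  selector:
    app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: app
        image: app:latest                       # overwritten with the resolved image by the trigger
        ports:
        - containerPort: 8080
  triggers:
  - type: ConfigChange                          # redeploy when the pod template changes
  - type: ImageChange                           # redeploy when app:latest is updated
    imageChangeParams:
      automatic: true
      containerNames:
      - app
      from:
        kind: ImageStreamTag
        name: app:latest
```

The webhook secret is embedded in the trigger URL that OpenShift exposes for this BuildConfig, so anyone holding the URL can start builds: generate it randomly and rotate it if the URL leaks.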
  136. 136. CONTINUOUS DELIVERY WITH CONTAINERS
      source repository → CI/CD engine → dev container → physical, virtual, private cloud, public cloud
  137. 137. OPENSHIFT LOVES CI/CD
      ● JENKINS-AS-A-SERVICE ON OPENSHIFT
      ● HYBRID JENKINS INFRA WITH OPENSHIFT
      ● EXISTING CI/CD DEPLOYS TO OPENSHIFT
  138. 138. JENKINS-AS-A-SERVICE ON OPENSHIFT
      ● Certified Jenkins images with pre-configured plugins
        ○ Provided out-of-the-box
        ○ Follow the Jenkins 1.x and 2.x LTS versions
      ● Jenkins S2I Builder for customizing the image
        ○ Install plugins
        ○ Configure Jenkins
        ○ Configure build jobs
      ● OpenShift plugins to integrate authentication with OpenShift and also CI/CD pipelines
      ● Dynamically deploys Jenkins slave containers
      Diagram: Plugins, Jobs, Configuration + Jenkins Image → Jenkins (S2I) → Custom Jenkins Image
  139. 139. HYBRID JENKINS INFRA WITH OPENSHIFT
      ● Scale existing Jenkins infrastructure by dynamically provisioning Jenkins slaves on OpenShift
      ● Use the Kubernetes plug-in on existing Jenkins servers
      Diagram: JENKINS MASTER → run job → JENKINS SLAVE (build, deploy) → OPENSHIFT APP
  140. 140. EXISTING CI/CD DEPLOYS TO OPENSHIFT
      ● Existing CI/CD infrastructure outside OpenShift performs operations against OpenShift
        ○ OpenShift Pipeline Jenkins Plugin for Jenkins
        ○ OpenShift CLI for integrating other CI engines with OpenShift
      ● Does not disrupt existing processes; can be combined with the previous alternative
      Diagram: EXISTING CI/CD INFRA (Jenkins, Bamboo, TeamCity, etc.) → run job → build (S2I Build) → deploy → OPENSHIFT APP
  141. 141. OPENSHIFT PIPELINES
      ● OpenShift Pipelines allow defining a CI/CD workflow via a Jenkins pipeline which can be started, monitored, and managed like other builds
      ● Dynamic provisioning of Jenkins slaves
      ● Auto-provisioning of the Jenkins server
      ● OpenShift Pipeline strategies
        ○ Embedded Jenkinsfile
        ○ Jenkinsfile from a Git repository

```yaml
apiVersion: v1
kind: BuildConfig
metadata:
  name: app-pipeline
spec:
  strategy:
    type: JenkinsPipeline
    jenkinsPipelineStrategy:
      jenkinsfile: |-
        // node('maven') provisions a Jenkins slave for running Maven
        node('maven') {
          stage('build app') {
            git url: 'https://git/app.git'
            sh "mvn package"
          }
          stage('build image') {
            sh "oc start-build app --from-file=target/app.jar"
          }
          stage('deploy') {
            openshiftDeploy deploymentConfig: 'app'
          }
        }
```
  142. 142. OpenShift Pipelines in the Web Console
  143. 143. CONTINUOUS DELIVERY PIPELINE
      DEV TEAM → GIT SERVER, ARTIFACT REPOSITORY → JENKINS → IMAGE BUILD → APPLICATION IMAGE
      ● S2I build from source code
      ● S2I build from app binary
      ● Existing docker container image build process
  144. 144. CONTINUOUS DELIVERY PIPELINE
      DEVELOPER → GIT SERVER, ARTIFACT REPOSITORY → OPENSHIFT CI/CD PIPELINE (JENKINS) → IMAGE BUILD & DEPLOY → DEV
      Environments: NON-PROD (DEV) and PROD, each an OPENSHIFT CLUSTER with its OPENSHIFT IMAGE REGISTRY
  145. 145. CONTINUOUS DELIVERY PIPELINE
      As above, then PROMOTE TO TEST → TEST (NON-PROD: DEV, TEST; PROD)
  146. 146. CONTINUOUS DELIVERY PIPELINE
      As above, then PROMOTE TO TEST → TEST → PROMOTE TO UAT → UAT (NON-PROD: DEV, TEST, UAT; PROD)
  147. 147. CONTINUOUS DELIVERY PIPELINE
      As above, then GO LIVE? The RELEASE MANAGER approves (☑) or rejects (☒), integrated with ServiceNow, JIRA Service Desk, Zendesk or BMC Remedy
  148. 148. CONTINUOUS DELIVERY PIPELINE
      As above, then PROMOTE TO PROD → PROD after the RELEASE MANAGER's GO LIVE? decision (☑ / ☒)
  149. 149. BUT… SOME TEAMS ALREADY HAVE AUTOMATED DELIVERY PIPELINES
  150. 150. WHAT IF THERE ARE EXISTING DELIVERY PROCESSES?
      SOURCE VERSION CONTROL → BUILD APP BINARY → RUN TESTS → PROMOTE APP BINARY → ENTERPRISE BINARY REPO → BUILD CONTAINER IMAGE → RUN TESTS → PROMOTE CONTAINER IMAGE → ENTERPRISE IMAGE REGISTRY
  151. 151. WHAT IF THERE ARE EXISTING DELIVERY PROCESSES?
      SOURCE VERSION CONTROL → BUILD APP BINARY → RUN TESTS → PROMOTE APP BINARY → ENTERPRISE BINARY REPO → BUILD CONTAINER IMAGE → RUN TESTS → PROMOTE CONTAINER IMAGE → ENTERPRISE IMAGE REGISTRY (e.g. AWS ECR)
  152. 152. ENRICHING EXISTING DELIVERY PROCESSES WITH OPENSHIFT
      EXISTING DELIVERY PROCESS → DEPLOY, DEPLOY, DEPLOY → OPENSHIFT CLUSTER
  153. 153. ENRICHING EXISTING DELIVERY PROCESSES WITH OPENSHIFT
      EXISTING DELIVERY PROCESS → ENTERPRISE IMAGE REGISTRY → NON-PROD (DEV, TEST, UAT) and PROD, each an OPENSHIFT CLUSTER with its OPENSHIFT IMAGE REGISTRY
  154. 154. HYBRID APPLICATION AUTOMATION WITH OPENSHIFT AND ANSIBLE
  155. 155. HYBRID APPLICATION AUTOMATION WITH OPENSHIFT AND ANSIBLE
      CONTINUOUS DELIVERY PIPELINE → DEV, PROD - REGION A, PROD - REGION B
      Targets: OpenShift and VIRTUAL MACHINES on AWS, Azure, Google Cloud, OpenStack, VMware, RHEV, Hyper-V
  156. 156. DEVELOPER WORKFLOW
  157. 157. LOCAL DEVELOPMENT WORKFLOW
      Bootstrap → Develop → Local Deploy → Verify → Git Push → Pipeline
  158. 158. LOCAL DEVELOPMENT WORKFLOW: BOOTSTRAP
      ● Pick your programming language and application runtime of choice
      ● Create the project skeleton from scratch or use a generator such as
        ○ Maven archetypes
        ○ Quickstarts and Templates
        ○ OpenShift Generator
        ○ Spring Initializr
  159. 159. LOCAL DEVELOPMENT WORKFLOW: DEVELOP
      ● Pick your framework of choice such as Java EE, Spring, Ruby on Rails, Django, Express, ...
      ● Develop your application code using your editor or IDE of choice
      ● Build and test your application code locally using your build tools
      ● Create or generate OpenShift templates or Kubernetes objects
  160. 160. LOCAL DEVELOPMENT WORKFLOW: LOCAL DEPLOY
      ● Deploy your code on a local OpenShift cluster
        ○ Red Hat Container Development Kit (CDK), minishift and oc cluster
      ● Red Hat CDK provides a standard RHEL-based development environment
      ● Use binary deploy, Maven or CLI rsync to push code or the app binary directly into containers
  161. 161. LOCAL DEVELOPMENT WORKFLOW: VERIFY
      ● Verify your code is working as expected
      ● Run any type of tests that are required, with or without other components (database, etc.)
      ● Based on the test results, change code, deploy, verify and repeat
  162. 162. LOCAL DEVELOPMENT WORKFLOW: GIT PUSH
      ● Push the code and configuration to the Git repository
      ● If using a Fork & Pull Request workflow, create a Pull Request
      ● If using a code review workflow, participate in code review discussions
  163. 163. LOCAL DEVELOPMENT WORKFLOW: PIPELINE
      ● Pushing code to the Git repository triggers one or multiple deployment pipelines
      ● Design your pipelines based on your development workflow, e.g. test the pull request
      ● Failure in the pipeline? Go back to the code and start again
  164. 164. APPLICATION SERVICES
  165. 165. A PLATFORM THAT GROWS WITH YOUR BUSINESS
      Data Virtualization, Real Time Decision, Intelligent Process, Integration, Messaging, Data Grid, Java EE Application, Web Application, Single Sign-On, Mobile, API Management, Microservices
  166. 166. TRUE POLYGLOT PLATFORM
      LANGUAGES: PHP, Python, Java, NodeJS, Perl, Ruby, .NET Core
      DATABASES: MySQL, Redis, PostgreSQL, MongoDB
      WEB SERVERS: Apache HTTP Server, nginx, Tomcat, Varnish, Phusion Passenger
      MIDDLEWARE: JBoss EAP, JBoss A-MQ, JBoss Fuse, JBoss BRMS, JBoss BPMS, JBoss Data Grid, JBoss Data Virt, RH Mobile, RH SSO, 3SCALE API mgmt, JBoss Web Server, Spring Boot, Wildfly Swarm, Vert.x
      Third-party language runtimes, databases, app runtimes and middleware: CrunchyData, GitLab, Iron.io, Couchbase, Sonatype, EnterpriseDB, NuoDB, Fujitsu and many more
      ...and virtually any docker image out there!
  167. 167. OPENSHIFT SUPPORTED RUNTIMES
      Modern, Cloud-Native Application Runtimes and an Opinionated Developer Experience
      Eclipse Vert.x, WildFly Swarm, Node.js, Spring Boot, JBoss EAP; LAUNCH
  168. 168. MICROSERVICES INFRASTRUCTURE: ISTIO SERVICE MESH
  169. 169. REFER TO OFFICIAL ISTIO PRESENTATION
  170. 170. OPENSHIFT 4
  171. 171. IMMUTABLE INFRASTRUCTURE WITH RED HAT COREOS
      ● Minimal Linux distribution
      ● Optimized for running containers
      ● Decreased attack surface
      ● Over-the-air automated updates
      ● Immutable foundation for OpenShift
      ● Bare-metal and cloud host configuration
  172. 172. AUTOMATED OPERATIONS
      Fully automated day-1 and day-2 operations for Kubernetes: INSTALL, DEPLOY, HARDEN, OPERATE
      ● Infra provisioning
      ● Embedded OS
      ● Full-stack deployment
      ● On-premises and cloud
      ● Unified experience
      ● Secure defaults
      ● Network isolation
      ● Signing and policies
      ● Audit and logs
      ● Multi-cluster aware
      ● Monitoring and alerts
      ● Zero downtime upgrades
      ● Full-stack patch & upgrade
      ● Vulnerability scanning
  173. 173. OPERATOR AND DEVELOPER CONSOLES
  174. 174. OPERATOR CONSOLE
  175. 175. OPERATOR CONSOLE
  176. 176. INFRASTRUCTURE MONITORING
  177. 177. THANK YOU plus.google.com/+RedHat linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHatNews
  178. 178. DEPRECATED SLIDES
  179. 179. OPERATIONAL MANAGEMENT
  180. 180. TOP CHALLENGES OF RUNNING CONTAINERS AT SCALE
      SERVICE HEALTH, SECURITY & COMPLIANCE, FINANCIAL MANAGEMENT, OPERATIONAL EFFICIENCY
  181. 181. Operational Management Across the Stack
      ● Real-time discovery
      ● Visualize relationships
      ● Monitoring and alerts
      ● Vulnerability scanning
      ● Security compliance
      ● Workflow and policy
      ● Automation
      ● Chargeback
  182. 182. OPERATIONAL EFFICIENCY
      ● CloudForms continuously discovers your infrastructure in near real time.
      ● CloudForms discovers and visualizes relationships between infra components.
      ● CloudForms cross-references inventory across technologies.
      ● CloudForms offers custom automation via control policy or UI extensions.
  183. 183. OPERATIONAL EFFICIENCY
  184. 184. SERVICE HEALTH
      ● CloudForms monitors resource consumption and shows trends.
      ● CloudForms alerts on performance thresholds or other events.
      ● CloudForms offers right-sizing recommendations.
      ● CloudForms enforces configuration and tracks it over time.
  185. 185. SERVICE HEALTH
  186. 186. SECURITY & COMPLIANCE
      ● CloudForms finds and marks nodes non-compliant with policy.
      ● CloudForms allows reporting on container provenance.
      ● CloudForms scans container images using OpenSCAP.
      ● CloudForms tracks genealogy between images and containers.
  187. 187. SECURITY & COMPLIANCE
  188. 188. FINANCIAL MANAGEMENT
      ● Define cost models for infrastructure and understand your cost.
      ● Rate schedules per platform and per tenant, with multi-tiered and multi-currency support.
      ● CloudForms shows top users for CPU and memory, as well as cost.
      ● Chargeback/showback to projects based on container utilization.
  189. 189. FINANCIAL MANAGEMENT
  190. 190. MICROSERVICES INFRASTRUCTURE: ISTIO SERVICE MESH
  191. 191. WHAT DO YOU NEED FOR MICROSERVICES?
      Visibility & Reporting; Resilience & Fault Tolerance; Routing & Traffic Control; Identity & Security; Policy Enforcement
  192. 192. WHAT DO YOU NEED FOR MICROSERVICES?
      Visibility & Reporting; Resilience & Fault Tolerance; Routing & Traffic Control; Identity & Security; Policy Enforcement
      Diagram: a Microservice (Business Logic plus Netflix OSS libraries) running on Infrastructure. Handled inside the application by Netflix OSS: Service Discovery, Load Balancing, Circuit Breaker, Traffic Control, Monitoring, Tracing, Config Server, Security Policies, Service Registry, API Management, Smart Routing
  193. 193. MICROSERVICES EVOLUTION
      Diagram: from a Microservice bundling Business Logic with Netflix OSS on a Platform, to a Microservice containing only Business Logic on a Container Platform
  194. 194. WHAT DO YOU NEED FOR MICROSERVICES?
      Visibility & Reporting; Resilience & Fault Tolerance; Routing & Traffic Control; Identity & Security; Policy Enforcement: Istio
  195. 195. WHAT IS ISTIO?
      A service mesh to connect, manage, and secure microservices. TECH PREVIEW in OCP 3.10.
      Control Plane: Pilot, Mixer, Auth
      Data Plane: each Pod runs the App next to an Envoy sidecar proxy
  196. 196. NETFLIX OSS VS ISTIO
      Diagram: with Netflix OSS, each Microservice on the Platform carries its Business Logic plus Service Discovery, Load Balancing, Circuit Breaker, Traffic Control, Monitoring, Tracing, Config Server, Security Policies, Service Registry, API Management and Smart Routing. With OpenShift + Istio, the Microservices App holds only Business Logic, and the platform provides Config Server, Load Balancing, Service Registry, Traffic Control, Monitoring, Tracing, API Management and Smart Routing.
  197. 197. CONTROL OUTGOING TRAFFIC SOURCE IP WITH EGRESS ROUTER
      Diagram: PODs → EGRESS SERVICE (INTERNAL-IP:8080) → EGRESS ROUTER POD (IP1) on NODE (IP1) → EXTERNAL SERVICE, Whitelist: IP1
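An added example of the egress router on this slide (not from the deck; it follows the redirect mode described in the OpenShift 3 egress router documentation): the router pod claims the whitelisted source IP (IP1) as a real address on the node's network, and application pods reach the external service through a ClusterIP Service on port 8080. All addresses, names and labels are placeholders.

```yaml
# Egress router pod in redirect mode. Traffic that pods send to the egress
# Service leaves the node from EGRESS_SOURCE (the whitelisted IP1), not from
# the node's own address or a pod SDN address.
apiVersion: v1
kind: Pod
metadata:
  name: egress-router
  labels:
    name: egress-router
  annotations:
    # Attach a macvlan interface on the node's physical network so the pod
    # can own EGRESS_SOURCE as an address on that network.
    pod.network.openshift.io/assign-macvlan: "true"
spec:
  initContainers:
  - name: egress-router
    image: registry.access.redhat.com/openshift3/ose-egress-router
    securityContext:
      privileged: true          # required to set up the macvlan interface and iptables redirect
    env:
    - name: EGRESS_SOURCE
      value: 192.0.2.99/24      # placeholder: IP1, an unused address on the node's subnet
    - name: EGRESS_GATEWAY
      value: 192.0.2.1          # placeholder: default gateway of that subnet
    - name: EGRESS_DESTINATION
      value: 203.0.113.25       # placeholder: the external service that whitelists IP1
    - name: EGRESS_ROUTER_MODE
      value: init               # configure the redirect, then exit; no long-running router process
  containers:
  - name: egress-router-wait
    image: registry.access.redhat.com/openshift3/ose-pod   # keeps the pod (and its network) alive
  nodeSelector:
    egress-router: "true"       # placeholder label: pin to nodes where IP1 is routable
---
# Application pods connect to egress-service:8080; the router redirects the
# connection to EGRESS_DESTINATION on the same port.
apiVersion: v1
kind: Service
metadata:
  name: egress-service
spec:
  type: ClusterIP
  selector:
    name: egress-router
  ports:
  - name: http
    port: 8080
```

The router needs a privileged init container and a macvlan interface, so deploy it only in a namespace that cluster administrators control; the external service sees one shared source IP and cannot tell which pods behind it are calling.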