Docker/ Openshift introduction
Openshift Cluster in practice
Agenda
● Infrastructure
● Storage
● Monitoring
● Metrics
● Logs
● Backup
● Security
Infrastructure : Global Infrastructure
Infrastructure
Masters, etcd cluster and nodes are VMWare ESX Virtual Machines.
3x Masters + etcd :
• 4 (v)CPUs
• 16 GB RAM
• 100 GB HDD
etcd performance issues since 3.4 !
• Separated from Masters
• Redhat recommends SSD drives
• Upgrade blocked ...
Nodes : 2 to n per zone :
• 16 (v)CPUs
• 32 GB RAM
• 600 GB HDD
Infra nodes : 2 to n :
• 4 (v)CPUs
• 16 GB RAM
• 340 GB HDD
Logs :
• High memory, CPU and disk consumption !!!
• Move to Physical Servers (40 Threads, 30 TB HDD)
Global capacity to support a rolling upgrade and reboot
Infrastructure : capacity planning
oc describe node node001
Name:               node001
Role:
Labels:             kubernetes.io/hostname=node001, ….
Taints:             <none>
CreationTimestamp:  Tue, 24 May 2016 16:58:10 +0200
Phase:
Conditions:
  Type            Status  ...  Reason                      Message
  ----            ------  ...  ------                      -------
  Ready           True    ...  KubeletReady                kubelet is posting ready status
  OutOfDisk       False   ...  KubeletHasSufficientDisk    kubelet has sufficient disk space available
  MemoryPressure  False   ...  KubeletHasSufficientMemory  kubelet has sufficient memory available
  Namespace  Name              CPU Requests  CPU Limits  Memory Requests  Memory Limits
  ---------  ----              ------------  ----------  ---------------  -------------
  xxxxxxx    zzzz-www-9-123ee  500m (3%)     1 (6%)      256Mi (0%)       1Gi (3%)
  xxxxxxx    zzzz-wcw-9-123ee  500m (3%)     1 (6%)      1024Mi (0%)      2Gi (3%)
  xxxxxxx    zzzz-waw-7-123ee  500m (3%)     1 (6%)      512Mi (0%)       1Gi (3%)
  xxxxxxx    zzzz-wsw-5-123ee  500m (3%)     1 (6%)      256Mi (0%)       4Gi (3%)
  xxxxxxx    zzzz-qww-4-123ee  500m (3%)     1 (6%)      256Mi (0%)       1Gi (3%)
Allocated resources:
  (Total limits may be over 100 percent, i.e., overcommitted.)
  CPU Requests  CPU Limits  Memory Requests  Memory Limits
  ------------  ----------  ---------------  -------------
  2500m (15%)   5 (31%)     2048Mi (6%)      9Gi (44%)
Capacity:
  alpha.kubernetes.io/nvidia-gpu:  0
  cpu:                             16
  memory:                          32780448Ki
  pods:                            110
Allocatable:
  alpha.kubernetes.io/nvidia-gpu:  0
  cpu:                             14
  memory:                          30731670Ki
  pods:                            110
System Info:
...
Remember to reserve resources for the node itself
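To turn the numbers above into a go/no-go for the rolling upgrade the deck plans for, here is an added Python example (not from the slides): it parses quantities in the format oc describe node prints them and checks, per zone, whether every pod request still fits on N-1 nodes once one node is drained. Zone names, node names and pod requests are constructed sample values, and the check is a sum check only (necessary, not sufficient for bin-packing).

```python
"""Rolling-upgrade headroom check: added example, not from the original slides."""
import re

# Suffixes of the Kubernetes quantity format as printed under Capacity/Allocatable
# and in the pod request columns ("14", "500m", "30731670Ki", "256Mi", "1Gi").
_SUFFIX = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
           "Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4}
_QUANTITY = re.compile(r"^(\d+(?:\.\d+)?)([A-Za-z]*)$")


def parse_quantity(q: str) -> float:
    """Convert "500m" -> 0.5 cores, "1Gi" -> 1073741824.0 bytes, "14" -> 14.0."""
    m = _QUANTITY.match(q.strip())
    if not m:
        raise ValueError(f"unparseable quantity: {q!r}")
    number, suffix = m.groups()
    if suffix == "m":                      # millicores, divide to stay exact
        return float(number) / 1000
    if suffix not in _SUFFIX:
        raise ValueError(f"unknown suffix in quantity: {q!r}")
    return float(number) * _SUFFIX[suffix]


# Constructed sample: Allocatable per node (Capacity minus what is reserved for
# the node itself), grouped by zone as in the "2 to n per zone" layout.
NODES = {
    "zone-a": {"node001": {"cpu": "14", "memory": "30731670Ki"},
               "node002": {"cpu": "14", "memory": "30731670Ki"}},
    "zone-b": {"node003": {"cpu": "14", "memory": "30731670Ki"},
               "node004": {"cpu": "14", "memory": "30731670Ki"},
               "node005": {"cpu": "14", "memory": "30731670Ki"}},
}

# Constructed sample: summed pod requests per node, as in "Allocated resources".
PODS = [
    {"node": "node001", "cpu": "2500m", "memory": "2048Mi"},
    {"node": "node002", "cpu": "9",     "memory": "28Gi"},
    {"node": "node003", "cpu": "4",     "memory": "8Gi"},
    {"node": "node004", "cpu": "4",     "memory": "8Gi"},
    {"node": "node005", "cpu": "4",     "memory": "8Gi"},
]


def rolling_upgrade_check(nodes=NODES, pods=PODS) -> dict:
    """Per zone: do the requests of all its pods fit on the zone's N-1 nodes?

    Worst case is draining the largest node, so that one is removed from the
    remaining capacity. A single-node zone always fails: nothing is left to
    reschedule onto. Returns one dict of figures and verdicts per zone."""
    report = {}
    for zone, members in nodes.items():
        names = set(members)
        req_cpu = sum(parse_quantity(p["cpu"]) for p in pods if p["node"] in names)
        req_mem = sum(parse_quantity(p["memory"]) for p in pods if p["node"] in names)
        cpu_left = sum(sorted(parse_quantity(n["cpu"]) for n in members.values())[:-1])
        mem_left = sum(sorted(parse_quantity(n["memory"]) for n in members.values())[:-1])
        report[zone] = {
            "nodes": len(members),
            "cpu_requested": req_cpu, "cpu_after_drain": cpu_left,
            "mem_requested": req_mem, "mem_after_drain": mem_left,
            "cpu_ok": req_cpu <= cpu_left,
            "mem_ok": req_mem <= mem_left,
        }
    return report


if __name__ == "__main__":
    for zone, r in rolling_upgrade_check().items():
        verdict = "OK" if r["cpu_ok"] and r["mem_ok"] else "NOT ENOUGH HEADROOM"
        print(f"{zone}: {r['nodes']} nodes, cpu {r['cpu_requested']:.1f}/{r['cpu_after_drain']:.1f}, "
              f"mem {r['mem_requested'] / 2**30:.1f}Gi/{r['mem_after_drain'] / 2**30:.1f}Gi -> {verdict}")
```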
Storage : Persistent Storage
Criteria :
• Type : NFS, GlusterFS, EBS, GCE, iSCSI, FC, Azure, …
• Access mode : RWO (for one pod), RWX (shared), ROX (read only)
• Capacity : volume size, IOPS, throughput.
StorageClass :
• Storage definition for dynamically provisioned on demand storage
• Can be associated to a specific “storage-admin” role
• Currently only for “cloud” resources
Phase :
• Available / Bound / Released / Failed
Recycling Policy :
• Retain / Recycle
Storage : NFS HA Scalable Storage Cluster
No SAN, no NAS, no cloud. So … What ? Build your own Storage Cluster !
Two big servers, Pacemaker, DRBD and XFS : NFS HA Scalable Storage Cluster
Monitoring : internal monitoring of pods and nodes status
Node liveness is done by kubernetes.
Two kinds of checks for pod status :
• Liveness probe : if not alive, the pod will be restarted
• Readiness probe : if not ready, traffic won’t be sent to this pod. Once it is ready again, traffic is sent to it again.
Also associated to pod limits (see metrics) : if a limit is exceeded, the pod is killed (and restarted).
SHAME ! Don’t use openshift to hide your mistakes and incompetence.
Openshift won’t do functional testing and monitoring for you.
Monitoring : external monitoring
• Check the whole infrastructure : memory, cpu, load, storage, ...
• But also processes, docker thinpools, pods, persistent volumes, …
• Centreon + homemade scripts in shell and python with snmp and oc
Metrics : pods and services metrics
• Integrated realtime metrics : heapster, hawkular and Cassandra
• By default : Memory, CPU (millicores) and Network
• View for pods, and aggregated view for services
• Metrics enable one great functionality : horizontal pod autoscaling !
• It can be associated with quotas (resource limits). If limits are exceeded, the pod is killed and restarted.
Cassandra storage growth :
Number of nodes | Number of pods | Cassandra storage growth speed | Cassandra storage growth per day | Cassandra storage growth per week
210             | 10500          | 500 MB per hour                | 15 GB                            | 75 GB
990             | 11000          | 1 GB per hour                  | 30 GB                            | 210 GB
Logs
Following best practice, pod logs go to the console/stdout.
Logs can be seen from the pod :
oc logs mymicser-31-9koc7 -n lovely-project
Don’t forget grep|sort|awk…
Kubetail can be useful
[Sat Jun 17 22:05:13.613952 2017] [:error] [pid 66452] [client 122.138.20.1:36114] xxxx xx xx xx
[Sat Jun 17 22:05:13.613955 2017] [:error] [pid 66452] [client 122.138.20.1:36114] xxxx xx xx xx
[Sat Jun 17 22:05:13.614566 2017] [:error] [pid 66452] [client 122.138.20.1:36114] xxxx xx xx xx
[Sat Jun 17 22:05:13.614575 2017] [:error] [pid 66452] [client 122.138.20.1:36114] xxxx xx xx xx
122.138.20.1 - - [17/Jun/2017:22:05:13 +0200] "GET / HTTP/1.1" 200 29601 xxxx xx xx xx
[Sat Jun 17 22:05:14.272141 2017] [:error] [pid 66435] [client 122.138.19.1:24097] xxxx xx xx xx
Logs / EFK : aggregation
Elasticsearch
A highly-available environment requires at least three replicas of Elasticsearch, each on a different host. Elasticsearch replicas require their own storage, but an OpenShift Container Platform deployment configuration shares storage volumes between all its pods. So, when scaled up, the EFK deployer ensures each replica of Elasticsearch has its own deployment configuration.
• Dedicated node using Node Selector
• Persistent Elasticsearch Storage (local storage)
Fluentd
Fluentd is deployed as a DaemonSet that deploys replicas according to a node label selector (which you can specify with the deployer parameter fluentd-nodeselector; the default is logging-infra-fluentd).
$ oc label node/xxx logging-infra-fluentd=true
You can configure Fluentd to send a copy of its logs to an external log aggregator, and not the default Elasticsearch, using the secure-forward plug-in.
Kibana
To access the Kibana console from the OpenShift Container Platform web console
Curator
Curator allows administrators to configure scheduled Elasticsearch maintenance operations to be performed automatically on a per-project basis.
Ops Cluster
If you set enable-ops-cluster to true for the deployer, Fluentd is configured to split logs between the main Elasticsearch cluster and another cluster reserved for operations logs.
Logs / EFK : sometimes size matters
Assumptions :
1. Which application : Apache
2. Bytes per line : 256
3. Lines per second load on application : 1
4. Raw text data → JSON
Baseline (256 characters per minute → 15KB/min)
Logging infra pods                                     | Storage throughput
3 es, 1 kibana, 1 curator, 1 fluentd  (6 pods total)   | 90000 x 86400 = 7,7 GB/day
3 es, 1 kibana, 1 curator, 11 fluentd (16 pods total)  | 225000 x 86400 = 24,0 GB/day
3 es, 1 kibana, 1 curator, 20 fluentd (25 pods total)  | 225000 x 86400 = 32,4 GB/day
Keeping all those logs needs a lot of reflection on :
• What to keep ?
• How long ?
• How to use them in the long run ?
You really need a project reflection on the matter, because logs grow fast and can rapidly become unmanageable.
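The slide's arithmetic (bytes per line x lines per second x pods x 86400) answers "how much per day"; the questions "what to keep" and "how long" need the same figures turned into a retention budget. Here is an added Python example (not from the slides) doing both; the Elasticsearch storage budget and the number of copies Elasticsearch keeps of each indexed byte are parameters you supply, and the 500 GB used in the demo is a constructed value.

```python
"""EFK log volume and retention planning: added example, not from the original slides."""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class LogProfile:
    bytes_per_line: int      # raw text size of one application log line
    lines_per_second: float  # per application pod
    json_overhead: float     # Fluentd turns raw text into JSON; factor >= 1.0, 1.0 = ignore

    def bytes_per_second(self, pods: int) -> float:
        """Aggregate throughput Fluentd ships for `pods` identical pods."""
        return self.bytes_per_line * self.lines_per_second * self.json_overhead * pods


def baseline_per_minute(profile: LogProfile) -> float:
    """The slide's baseline: 256 B/line at 1 line/s is 15360 B, about 15 KB, per minute."""
    return profile.bytes_per_second(pods=1) * 60


def gb_per_day(bytes_per_second: float) -> float:
    """Decimal GB per day: 90000 B/s -> 7.776 GB/day, the slide's 7,7 GB/day."""
    return bytes_per_second * SECONDS_PER_DAY / 1e9


def retention_days(bytes_per_second: float, copies: int, budget_gb: float) -> int:
    """Whole days of logs that fit in the Elasticsearch storage budget.

    `copies` is how many copies Elasticsearch keeps of each indexed byte
    (primary plus replica shards); daily cost is copies x daily volume.
    Curator's per-project retention should not exceed the returned value."""
    if bytes_per_second <= 0 or copies < 1:
        raise ValueError("throughput must be positive and copies >= 1")
    daily_cost_gb = gb_per_day(bytes_per_second) * copies
    return int(budget_gb // daily_cost_gb)


if __name__ == "__main__":
    apache = LogProfile(bytes_per_line=256, lines_per_second=1, json_overhead=1.0)
    print(f"baseline: {baseline_per_minute(apache):.0f} B/min")
    # Throughputs from the slide's table; the 500 GB budget is a constructed value.
    for label, bps in (("6 pods", 90_000), ("16 pods", 225_000)):
        print(f"{label}: {gb_per_day(bps):.1f} GB/day, 1 copy on 500 GB keeps "
              f"{retention_days(bps, 1, 500)} days, 2 copies keep {retention_days(bps, 2, 500)} days")
```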
Backup : 3 layers of back-up
• Master / nodes backup
  → Git / ansible
  → etcd backup
• PV backup
  → Bacula, rsync...
• Project backup
  → Images : Docker.io, artifactory, ….
  → Objects : oc export …, project level, https://github.com/vbehar/openshift-git
  → PVC : https://github.com/getupcloud/backup
Security
Dr. Egon Spengler : Don’t use root in your image
Dr. Peter Venkman : Why ?
In Openshift, pods are launched with an arbitrary / random user ID.
Thanks to user namespaces.
Root is prevented by default.
You can’t escape :)
Your images must be adapted. Most docker hub images can’t be reused as such.
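Adapting an image means two things: stop relying on root, and make the directories the process writes to usable by whatever UID the platform picks. Here is an added Python lint (not from the slides) that checks a Dockerfile for both; the chgrp -R 0 / chmod -R g=u pattern it looks for is the one the OpenShift image guidelines give for group-0 writable directories, treating VOLUME directories as the ones written to is a heuristic, and the two Dockerfiles are constructed samples.

```python
"""Dockerfile lint for OpenShift's arbitrary user ID: added example, not from the original slides."""
import re
from typing import Iterator, List, Tuple


def _instructions(dockerfile: str) -> Iterator[Tuple[str, str]]:
    """Yield (INSTRUCTION, argument) pairs, joining backslash line continuations."""
    joined = re.sub(r"\\\r?\n", " ", dockerfile)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head, _, rest = line.partition(" ")
        yield head.upper(), rest.strip()


def lint_arbitrary_uid(dockerfile: str) -> List[str]:
    """Return findings that would make the image fail under a random UID."""
    findings = []
    user = None            # effective USER at the end of the build
    writable_dirs = []     # heuristic: VOLUME directories are written to at runtime
    group_fixed = set()    # directories made group-0 writable by a RUN step
    for ins, arg in _instructions(dockerfile):
        if ins == "USER":
            user = arg
        elif ins == "VOLUME":
            writable_dirs.extend(re.findall(r"[/\w.-]+", arg))
        elif ins == "RUN":
            # chgrp -R 0 <dir> && chmod -R g=u <dir>: any UID in group 0 can use <dir>
            if re.search(r"chgrp\s+-R\s+0\s", arg) and re.search(r"chmod\s+-R\s+g[=+]", arg):
                group_fixed.update(re.findall(r"chgrp\s+-R\s+0\s+(\S+)", arg))
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append("image runs as root: the restricted SCC replaces it with a random UID, "
                        "so anything that needs root or root-owned files will break")
    elif re.fullmatch(r"\d+(:\d+)?", user) is None:
        findings.append(f"USER {user} is a name, not a numeric UID; the OpenShift image "
                        "guidelines ask for a numeric UID so the platform can verify it is non-root")
    for d in writable_dirs:
        if d not in group_fixed:
            findings.append(f"{d} is not group-0 writable (missing chgrp -R 0 / chmod -R g=u)")
    return findings


# Constructed sample: a typical hub-style image that assumes root.
ROOT_IMAGE = """
FROM registry.example/httpd:2.4
VOLUME /var/www/html
CMD ["httpd", "-DFOREGROUND"]
"""

# Constructed sample: the same image adapted for an arbitrary UID.
ADAPTED_IMAGE = """
FROM registry.example/httpd:2.4
RUN mkdir -p /var/www/html && chgrp -R 0 /var/www/html && \\
    chmod -R g=u /var/www/html
VOLUME /var/www/html
USER 1001
CMD ["httpd", "-DFOREGROUND"]
"""

if __name__ == "__main__":
    for name, text in (("root image", ROOT_IMAGE), ("adapted image", ADAPTED_IMAGE)):
        print(f"{name}: {lint_arbitrary_uid(text) or ['OK']}")
```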
Security
Project side : thanks to cgroups and limits.
Remember : Petazzoni slides
• cgroups : limit how much you can use (and gauge it)
• namespaces : limit what you can see (and therefore use)
• Security context constraints : allow administrators to control permissions for pods.
• Segregation by namespaces : projects are isolated from each other
• Policies and roles at each level (cluster, project, resources, …)
• Images : image vulnerability scanning (Xray / BlackDuck), base images
• Network : segregation between projects by default (openvswitch, tags) : if you need to communicate, use services and routes EVEN in the same project.
• Secrets : because you don’t want to spread hidden things in your templates or configuration files (credentials, keys, …), openshift handles them for you.
• selinux : RHEL and docker
Tips : always this scripting
Copy an object from project-1 to project-2 :
oc export xx -n project-1 | oc create -n project-2 -f -
List the mysql 5.6 pods of every project labelled type=lamp (label selectors take no space after the comma) :
for proj in $(oc get project -l type=lamp -o jsonpath='{.items[*].metadata.name}'); do
  oc get po -n "$proj" -l app=mysql,version=5.6
done
Check container environment variables (first oc get dc) :
oc get dc "$DCTOINSPEC" -n "$DEV_PROJECT_NAME" -o json | jq '.spec.template.spec.containers[]?.env'
Check user access within project :
for PROJECTID in $PROJECTIDS; do
  echo "$PROJECTID" &&
  oc describe policyBindings :default -n "$PROJECTID" | grep -C 1 "$USERNAME_TO_ADD"
done
Check image SHA tagged OK (the jq filter is single-quoted so the "ok" literal survives the shell) :
for PROJECTID in $PROJECTIDS; do
  echo "$PROJECTID" &&
  oc get is "$PROJECTID" -n "$PROJECTID" -o json |
    jq -r '.status.tags[] | select(.tag == "ok") | .items | max_by(.created) | .dockerImageReference'
done
Questions ?
Annexes
More Related Content

What's hot

An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to KubernetesImesh Gunaratne
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Boden Russell
 
An Updated Performance Comparison of Virtual Machines and Linux Containers
An Updated Performance Comparison of Virtual Machines and Linux ContainersAn Updated Performance Comparison of Virtual Machines and Linux Containers
An Updated Performance Comparison of Virtual Machines and Linux ContainersKento Aoyama
 
Docker Architecture (v1.3)
Docker Architecture (v1.3)Docker Architecture (v1.3)
Docker Architecture (v1.3)rajdeep
 
containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRIDocker, Inc.
 
Introduction to CRI and OCI
Introduction to CRI and OCIIntroduction to CRI and OCI
Introduction to CRI and OCIHungWei Chiu
 
OpenStack for Telco Cloud
OpenStack for Telco CloudOpenStack for Telco Cloud
OpenStack for Telco Cloudstrikr .
 
[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container imagesAkihiro Suda
 
Rkt Container Engine
Rkt Container EngineRkt Container Engine
Rkt Container EngineThuc Le Dong
 
Academy PRO: Docker. Part 4
Academy PRO: Docker. Part 4Academy PRO: Docker. Part 4
Academy PRO: Docker. Part 4Binary Studio
 
virtualization-vs-containerization-paas
virtualization-vs-containerization-paasvirtualization-vs-containerization-paas
virtualization-vs-containerization-paasrajdeep
 
Devoxx 2016: A Developer's Guide to OCI and runC
Devoxx 2016: A Developer's Guide to OCI and runCDevoxx 2016: A Developer's Guide to OCI and runC
Devoxx 2016: A Developer's Guide to OCI and runCPhil Estes
 
Docker introduction
Docker introductionDocker introduction
Docker introductionLayne Peng
 
CD in kubernetes using helm and ksonnet. Stas Kolenkin
CD in kubernetes using helm and ksonnet. Stas KolenkinCD in kubernetes using helm and ksonnet. Stas Kolenkin
CD in kubernetes using helm and ksonnet. Stas KolenkinDataArt
 
2 Linux Container and Docker
2 Linux Container and Docker2 Linux Container and Docker
2 Linux Container and DockerFabio Fumarola
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...Docker, Inc.
 
Container Runtimes: Comparing and Contrasting Today's Engines
Container Runtimes: Comparing and Contrasting Today's EnginesContainer Runtimes: Comparing and Contrasting Today's Engines
Container Runtimes: Comparing and Contrasting Today's EnginesPhil Estes
 

What's hot (20)

An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
 
Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302Linux Container Brief for IEEE WG P2302
Linux Container Brief for IEEE WG P2302
 
An Updated Performance Comparison of Virtual Machines and Linux Containers
An Updated Performance Comparison of Virtual Machines and Linux ContainersAn Updated Performance Comparison of Virtual Machines and Linux Containers
An Updated Performance Comparison of Virtual Machines and Linux Containers
 
Docker Architecture (v1.3)
Docker Architecture (v1.3)Docker Architecture (v1.3)
Docker Architecture (v1.3)
 
containerd and CRI
containerd and CRIcontainerd and CRI
containerd and CRI
 
Introduction to CRI and OCI
Introduction to CRI and OCIIntroduction to CRI and OCI
Introduction to CRI and OCI
 
OpenStack for Telco Cloud
OpenStack for Telco CloudOpenStack for Telco Cloud
OpenStack for Telco Cloud
 
[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images[FOSDEM 2020] Lazy distribution of container images
[FOSDEM 2020] Lazy distribution of container images
 
Rkt Container Engine
Rkt Container EngineRkt Container Engine
Rkt Container Engine
 
Docker Intro
Docker IntroDocker Intro
Docker Intro
 
Academy PRO: Docker. Part 4
Academy PRO: Docker. Part 4Academy PRO: Docker. Part 4
Academy PRO: Docker. Part 4
 
virtualization-vs-containerization-paas
virtualization-vs-containerization-paasvirtualization-vs-containerization-paas
virtualization-vs-containerization-paas
 
Devoxx 2016: A Developer's Guide to OCI and runC
Devoxx 2016: A Developer's Guide to OCI and runCDevoxx 2016: A Developer's Guide to OCI and runC
Devoxx 2016: A Developer's Guide to OCI and runC
 
Container orchestration
Container orchestrationContainer orchestration
Container orchestration
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
CD in kubernetes using helm and ksonnet. Stas Kolenkin
CD in kubernetes using helm and ksonnet. Stas KolenkinCD in kubernetes using helm and ksonnet. Stas Kolenkin
CD in kubernetes using helm and ksonnet. Stas Kolenkin
 
2 Linux Container and Docker
2 Linux Container and Docker2 Linux Container and Docker
2 Linux Container and Docker
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
 
Container Runtimes: Comparing and Contrasting Today's Engines
Container Runtimes: Comparing and Contrasting Today's EnginesContainer Runtimes: Comparing and Contrasting Today's Engines
Container Runtimes: Comparing and Contrasting Today's Engines
 

Similar to Ippevent : openshift Introduction

Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Jérôme Petazzoni
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Walid Shaari
 
Sanger OpenStack presentation March 2017
Sanger OpenStack presentation March 2017Sanger OpenStack presentation March 2017
Sanger OpenStack presentation March 2017Dave Holland
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xrkr10
 
Open vStorage Road show 2015 Q1
Open vStorage Road show 2015 Q1Open vStorage Road show 2015 Q1
Open vStorage Road show 2015 Q1wim_provoost
 
Experiences building a distributed shared log on RADOS - Noah Watkins
Experiences building a distributed shared log on RADOS - Noah WatkinsExperiences building a distributed shared log on RADOS - Noah Watkins
Experiences building a distributed shared log on RADOS - Noah WatkinsCeph Community
 
7. Cloud Native Computing - Kubernetes - Bratislava - Rook.io
7. Cloud Native Computing - Kubernetes - Bratislava - Rook.io7. Cloud Native Computing - Kubernetes - Bratislava - Rook.io
7. Cloud Native Computing - Kubernetes - Bratislava - Rook.ioDávid Kőszeghy
 
Benchmarking Solr Performance at Scale
Benchmarking Solr Performance at ScaleBenchmarking Solr Performance at Scale
Benchmarking Solr Performance at Scalethelabdude
 
Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...
Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...
Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...javier ramirez
 
Postgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPostgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPivotalOpenSourceHub
 
Deploying containers and managing them on multiple Docker hosts, Docker Meetu...
Deploying containers and managing them on multiple Docker hosts, Docker Meetu...Deploying containers and managing them on multiple Docker hosts, Docker Meetu...
Deploying containers and managing them on multiple Docker hosts, Docker Meetu...dotCloud
 
PostgreSQL and Linux Containers
PostgreSQL and Linux ContainersPostgreSQL and Linux Containers
PostgreSQL and Linux ContainersJignesh Shah
 
Scaling Up Logging and Metrics
Scaling Up Logging and MetricsScaling Up Logging and Metrics
Scaling Up Logging and MetricsRicardo Lourenço
 
OpenStack Cinder, Implementation Today and New Trends for Tomorrow
OpenStack Cinder, Implementation Today and New Trends for TomorrowOpenStack Cinder, Implementation Today and New Trends for Tomorrow
OpenStack Cinder, Implementation Today and New Trends for TomorrowEd Balduf
 
Leonid Vasilyev "Building, deploying and running production code at Dropbox"
Leonid Vasilyev  "Building, deploying and running production code at Dropbox"Leonid Vasilyev  "Building, deploying and running production code at Dropbox"
Leonid Vasilyev "Building, deploying and running production code at Dropbox"IT Event
 
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)Kevin Lynch
 
Introduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New YorkIntroduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New YorkJérôme Petazzoni
 

Similar to Ippevent : openshift Introduction (20)

Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...
 
Sanger OpenStack presentation March 2017
Sanger OpenStack presentation March 2017Sanger OpenStack presentation March 2017
Sanger OpenStack presentation March 2017
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
Open vStorage Road show 2015 Q1
Open vStorage Road show 2015 Q1Open vStorage Road show 2015 Q1
Open vStorage Road show 2015 Q1
 
Containers > VMs
Containers > VMsContainers > VMs
Containers > VMs
 
Experiences building a distributed shared log on RADOS - Noah Watkins
Experiences building a distributed shared log on RADOS - Noah WatkinsExperiences building a distributed shared log on RADOS - Noah Watkins
Experiences building a distributed shared log on RADOS - Noah Watkins
 
Cncf meetup-rook
Cncf meetup-rookCncf meetup-rook
Cncf meetup-rook
 
Cncf meetup-rook
Cncf meetup-rookCncf meetup-rook
Cncf meetup-rook
 
7. Cloud Native Computing - Kubernetes - Bratislava - Rook.io
7. Cloud Native Computing - Kubernetes - Bratislava - Rook.io7. Cloud Native Computing - Kubernetes - Bratislava - Rook.io
7. Cloud Native Computing - Kubernetes - Bratislava - Rook.io
 
Benchmarking Solr Performance at Scale
Benchmarking Solr Performance at ScaleBenchmarking Solr Performance at Scale
Benchmarking Solr Performance at Scale
 
Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...
Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...
Como creamos QuestDB Cloud, un SaaS basado en Kubernetes alrededor de QuestDB...
 
Postgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh ShahPostgre sql linuxcontainers by Jignesh Shah
Postgre sql linuxcontainers by Jignesh Shah
 
Deploying containers and managing them on multiple Docker hosts, Docker Meetu...
Deploying containers and managing them on multiple Docker hosts, Docker Meetu...Deploying containers and managing them on multiple Docker hosts, Docker Meetu...
Deploying containers and managing them on multiple Docker hosts, Docker Meetu...
 
PostgreSQL and Linux Containers
PostgreSQL and Linux ContainersPostgreSQL and Linux Containers
PostgreSQL and Linux Containers
 
Scaling Up Logging and Metrics
Scaling Up Logging and MetricsScaling Up Logging and Metrics
Scaling Up Logging and Metrics
 
OpenStack Cinder, Implementation Today and New Trends for Tomorrow
OpenStack Cinder, Implementation Today and New Trends for TomorrowOpenStack Cinder, Implementation Today and New Trends for Tomorrow
OpenStack Cinder, Implementation Today and New Trends for Tomorrow
 
Leonid Vasilyev "Building, deploying and running production code at Dropbox"
Leonid Vasilyev  "Building, deploying and running production code at Dropbox"Leonid Vasilyev  "Building, deploying and running production code at Dropbox"
Leonid Vasilyev "Building, deploying and running production code at Dropbox"
 
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
 
Introduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New YorkIntroduction to Docker at the Azure Meet-up in New York
Introduction to Docker at the Azure Meet-up in New York
 

Recently uploaded

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Ippevent : openshift Introduction

2. Agenda
● Infrastructure
● Storage
● Monitoring
● Metrics
● Logs
● Backup
● Security
4. Infrastructure
Masters, etcd cluster and nodes are VMWare ESX Virtual Machines.
3x Masters + etcd :
• 4 (v)CPUs
• 16 GB RAM
• 100 GB HDD
etcd performance issues since 3.4 !
• Separated from Masters
• Redhat recommends SSD drives
• Upgrade blocked ...
Nodes : 2 to n per zone :
• 16 (v)CPUs
• 32 GB RAM
• 600 GB HDD
Infra nodes : 2 to n :
• 4 (v)CPUs
• 16 GB RAM
• 340 GB HDD
Logs :
• High memory, CPU and disk consumption !!!
• Move to Physical Servers (40 Threads, 30 TB HDD)
Global capacity to support a Rolling upgrade and reboot
5. Infrastructure : capacity planning
oc describe node node001
Name:               node001
Role:
Labels:             kubernetes.io/hostname=node001, ….
Taints:             <none>
CreationTimestamp:  Tue, 24 May 2016 16:58:10 +0200
Phase:
Conditions:
  Type            Status  ...  Reason                      Message
  ----            ------  ...  ------                      -------
  Ready           True    ...  KubeletReady                kubelet is posting ready status
  OutOfDisk       False   ...  KubeletHasSufficientDisk    kubelet has sufficient disk space available
  MemoryPressure  False   ...  KubeletHasSufficientMemory  kubelet has sufficient memory available
  Namespace  Name              CPU Requests  CPU Limits  Memory Requests  Memory Limits
  ---------  ----              ------------  ----------  ---------------  -------------
  xxxxxxx    zzzz-www-9-123ee  500m (3%)     1 (6%)      256Mi (0%)       1Gi (3%)
  xxxxxxx    zzzz-wcw-9-123ee  500m (3%)     1 (6%)      1024Mi (0%)      2Gi (3%)
  xxxxxxx    zzzz-waw-7-123ee  500m (3%)     1 (6%)      512Mi (0%)       1Gi (3%)
  xxxxxxx    zzzz-wsw-5-123ee  500m (3%)     1 (6%)      256Mi (0%)       4Gi (3%)
  xxxxxxx    zzzz-qww-4-123ee  500m (3%)     1 (6%)      256Mi (0%)       1Gi (3%)
Allocated resources:
  (Total limits may be over 100 percent, i.e., overcommitted.
  CPU Requests  CPU Limits  Memory Requests  Memory Limits
  ------------  ----------  ---------------  -------------
  2500m (15%)   5 (31%)     2048Mi (6%)      9Gi (44%)
Capacity:
  alpha.kubernetes.io/nvidia-gpu:  0
  cpu:                             16
  memory:                          32780448Ki
  pods:                            110
Allocatable:
  alpha.kubernetes.io/nvidia-gpu:  0
  cpu:                             14
  memory:                          30731670Ki
  pods:                            110
System Info: ...
Remember to reserve resources for the node itself
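As an added example (not from the slides), a small Python helper that does the arithmetic this slide asks for: it parses the quantities printed by oc describe node and compares the summed pod requests and limits with Allocatable, i.e. what is left once the node's own reserve is taken off Capacity. The input values are transcribed from the node001 output above; the function and field names are mine.

```python
import re

# Kubernetes quantity suffixes: cores (cpu) or bytes (memory); "m" is milli.
_SUFFIX = {"": 1, "m": 1e-3, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
           "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
_QTY_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([A-Za-z]*)\s*$")

def parse_quantity(q):
    """Parse a quantity as printed by `oc describe node`: '500m', '2Gi', '30731670Ki'."""
    m = _QTY_RE.match(q)
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"bad quantity: {q!r}")
    return float(m.group(1)) * _SUFFIX[m.group(2)]

def node_budget(allocatable, pods):
    """Sum the requests/limits of the pods on a node and compare them with
    Allocatable (what the kubelet really offers after the node's own reserve),
    not with Capacity. Ratios are fractions (1.0 == 100%)."""
    totals = {k: 0.0 for k in ("cpu_req", "cpu_lim", "mem_req", "mem_lim")}
    for p in pods:
        for k in totals:
            totals[k] += parse_quantity(p[k])
    cpu = parse_quantity(allocatable["cpu"])
    mem = parse_quantity(allocatable["memory"])
    r = {"cpu_req_ratio": totals["cpu_req"] / cpu, "cpu_lim_ratio": totals["cpu_lim"] / cpu,
         "mem_req_ratio": totals["mem_req"] / mem, "mem_lim_ratio": totals["mem_lim"] / mem}
    # Requests above Allocatable: the scheduler stops placing pods here.
    # Limits above Allocatable: overcommitted; if every pod uses its limit at
    # once the kubelet will start evicting / OOM-killing.
    r["requests_exceed_allocatable"] = r["cpu_req_ratio"] > 1 or r["mem_req_ratio"] > 1
    r["overcommitted"] = r["cpu_lim_ratio"] > 1 or r["mem_lim_ratio"] > 1
    return r

# Input transcribed from the `oc describe node node001` slide above (field names are mine).
NODE001_ALLOCATABLE = {"cpu": "14", "memory": "30731670Ki"}
NODE001_PODS = [
    {"cpu_req": "500m", "cpu_lim": "1", "mem_req": "256Mi",  "mem_lim": "1Gi"},
    {"cpu_req": "500m", "cpu_lim": "1", "mem_req": "1024Mi", "mem_lim": "2Gi"},
    {"cpu_req": "500m", "cpu_lim": "1", "mem_req": "512Mi",  "mem_lim": "1Gi"},
    {"cpu_req": "500m", "cpu_lim": "1", "mem_req": "256Mi",  "mem_lim": "4Gi"},
    {"cpu_req": "500m", "cpu_lim": "1", "mem_req": "256Mi",  "mem_lim": "1Gi"},
]

if __name__ == "__main__":
    for k, v in node_budget(NODE001_ALLOCATABLE, NODE001_PODS).items():
        print(f"{k}: {v:.1%}" if isinstance(v, float) else f"{k}: {v}")
```

Feed it the Allocatable block and pod table of each node in turn to see which nodes have headroom for a rolling upgrade and which are already overcommitted on limits.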
6. Storage
Persistent Storage
Criteria :
• Type : NFS, GlusterFS, EBS, GCE, iSCSI, FC, Azure, …
• Access mode : RWO (for one pod), RWX (shared), ROX (read only)
• Capacity : volume size, IOPS, throughput.
StorageClass :
• Storage definition for dynamically provisioned, on-demand storage
• Can be associated with a specific “storage-admin” role
• Currently only for “cloud” resources
Phase :
• Available / Bound / Released / Failed
Recycling Policy :
• Retain / Recycle
7. Storage
No SAN, no NAS, no cloud. So … What ? Build your own Storage Cluster !
Two big servers, Pacemaker, DRBD and XFS : NFS HA Scalable Storage Cluster
8. Monitoring
Internal monitoring of pods and nodes status
Node liveness is done by kubernetes.
Two kinds of checks for pod status :
• Liveness probe : if not alive, the pod will be restarted
• Readiness probe : if not ready, traffic won’t be sent to this pod. When it is back, traffic will be sent to it again.
Also associated with pod limits (see metrics) : if a limit is exceeded, the pod is killed (and restarted).
SHAME ! Don’t use openshift to hide your mistakes and incompetence
Openshift won’t do functional testing and monitoring for you.
9. Monitoring
External monitoring
• Check the whole infrastructure : memory, cpu, load, storage, ...
• But also processes, docker thinpools, pods, persistent volumes, …
• Centreon + homemade scripts in shell and python with snmp and oc
10. Metrics
Pods and services metrics
• Integrated realtime metrics : heapster, hawkular and Cassandra
• By default : Memory, CPU (millicores) and Network
• View for pods, and aggregated view for services
• Metrics enable one great functionality : horizontal pod autoscaling !
• It can be associated with quotas (resource limits). If limits are exceeded, the pod is killed and restarted.

Number of Nodes  Number of Pods  Cassandra storage growth speed  Cassandra storage growth per day  Cassandra storage growth per week
210              10500           500 MB per hour                 15 GB                             75 GB
990              11000           1 GB per hour                   30 GB                             210 GB
11. Logs
Following best practice, pod logs go to the console/stdout.
Logs can be read from the pod :
oc logs mymicser-31-9koc7 -n lovely-project
Don’t forget grep|sort|awk… Kubetail can be useful.
[Sat Jun 17 22:05:13.613952 2017] [:error] [pid 66452] [client 122.138.20.1:36114] xxxx xx xx xx
[Sat Jun 17 22:05:13.613955 2017] [:error] [pid 66452] [client 122.138.20.1:36114] xxxx xx xx xx
[Sat Jun 17 22:05:13.614566 2017] [:error] [pid 66452] [client 122.138.20.1:36114] xxxx xx xx xx
[Sat Jun 17 22:05:13.614575 2017] [:error] [pid 66452] [client 122.138.20.1:36114] xxxx xx xx xx
122.138.20.1 - - [17/Jun/2017:22:05:13 +0200] "GET / HTTP/1.1" 200 29601 xxxx xx xx xx
[Sat Jun 17 22:05:14.272141 2017] [:error] [pid 66435] [client 122.138.19.1:24097] xxxx xx xx xx
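The two line formats in this excerpt (Apache error_log and access_log interleaved on stdout) are what you end up grepping through. As an added example, not part of the original deck, here is a Python one-pass summary of a pod's log that counts errors and requests per client and the most repeated error messages. The sample lines are constructed in the shape of the slide's output, with documentation-range addresses; the function names are mine.

```python
import re
from collections import Counter

# Apache error_log line as on the slide: [date] [module:level] [pid N] [client IP:port] message
ERROR_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>\w+)\] \[pid (?P<pid>\d+)\]"
                      r"(?: \[client (?P<client>[^\]:]+)(?::\d+)?\])? (?P<msg>.*)$")
# Apache access_log line (common log format): IP - - [date] "request" status bytes
ACCESS_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
                       r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
NOISE_LEVELS = {"notice", "info", "debug"}   # error_log severities not counted as errors

def parse_line(line):
    """Classify one stdout line of an Apache pod as 'error', 'access' or None."""
    for kind, rx in (("error", ERROR_RE), ("access", ACCESS_RE)):
        m = rx.match(line)
        if m:
            return {**m.groupdict(), "kind": kind}
    return None

def summarize(lines):
    """One-pass equivalent of the grep | sort | uniq -c dance: errors and requests per
    client IP, most repeated error messages, and lines that matched neither format."""
    errors_by_client, requests_by_client = Counter(), Counter()
    messages, unparsed = Counter(), 0
    for raw in lines:
        rec = parse_line(raw.rstrip("\n"))
        if rec is None:
            unparsed += 1                       # unknown format: worth a look at the image
        elif rec["kind"] == "error":
            if rec["level"] not in NOISE_LEVELS:
                errors_by_client[rec["client"] or "-"] += 1
                messages[rec["msg"]] += 1
        else:
            requests_by_client[rec["client"]] += 1
    return {"errors_by_client": errors_by_client, "requests_by_client": requests_by_client,
            "top_messages": messages.most_common(3), "unparsed": unparsed}

# Constructed sample in the shape of the slide's output (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    "[Sat Jun 17 22:05:13.613952 2017] [:error] [pid 66452] [client 203.0.113.10:36114] PHP Notice: Undefined index: id in /app/index.php on line 12",
    "[Sat Jun 17 22:05:13.613955 2017] [:error] [pid 66452] [client 203.0.113.10:36114] PHP Notice: Undefined index: id in /app/index.php on line 12",
    '203.0.113.10 - - [17/Jun/2017:22:05:13 +0200] "GET / HTTP/1.1" 200 29601',
    "[Sat Jun 17 22:05:14.272141 2017] [:error] [pid 66435] [client 203.0.113.11:24097] PHP Warning: file_get_contents(): failed to open stream",
    '203.0.113.11 - - [17/Jun/2017:22:05:14 +0200] "GET /missing HTTP/1.1" 404 512',
    "[Sat Jun 17 22:05:15.000000 2017] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4 configured -- resuming normal operations",
    "not a log line at all",
]

if __name__ == "__main__": print(summarize(SAMPLE_LINES))
```

Pipe `oc logs <pod> -n <project>` into it (sys.stdin works as the lines argument) to get the per-client picture before reaching for awk.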
12. Logs / EFK
Aggregation
Elasticsearch
A highly-available environment requires at least three replicas of Elasticsearch, each on a different host. Elasticsearch replicas require their own storage, but an OpenShift Container Platform deployment configuration shares storage volumes between all its pods. So, when scaled up, the EFK deployer ensures each replica of Elasticsearch has its own deployment configuration.
• Dedicated nodes using a Node Selector
• Persistent Elasticsearch Storage (local storage)
Fluentd
Fluentd is deployed as a DaemonSet that deploys replicas according to a node label selector (which you can specify with the deployer parameter fluentd-nodeselector; the default is logging-infra-fluentd).
$ oc label node/xxx logging-infra-fluentd=true
You can configure Fluentd to send a copy of its logs to an external log aggregator, and not the default Elasticsearch, using the secure-forward plug-in.
Kibana
To access the Kibana console from the OpenShift Container Platform web console
Curator
Curator allows administrators to configure scheduled Elasticsearch maintenance operations to be performed automatically on a per-project basis.
Ops Cluster
If you set enable-ops-cluster to true for the deployer, Fluentd is configured to split logs between the main Elasticsearch cluster and another cluster reserved for operations logs.
13. Logs / EFK
Sometimes size matters
Assumptions :
1. Which application : Apache
2. Bytes per line : 256
3. Lines per second load on application : 1
4. Raw text data → JSON
Baseline (256 characters per minute → 15KB/min)

Logging Infra Pods                                 Storage Throughput
3 es, 1 kibana, 1 curator, 1 fluentd  (6 pods)     total: 90000 x 86400 = 7,7 GB/day
3 es, 1 kibana, 1 curator, 11 fluentd (16 pods)    total: 225000 x 86400 = 24,0 GB/day
3 es, 1 kibana, 1 curator, 20 fluentd (25 pods)    total: 225000 x 86400 = 32,4 GB/day

Keeping all those logs has implications that need careful thought :
• What to keep ?
• How long ?
• How to use them in the long run ?
You really need to think this through at project level, because logs grow fast and can rapidly become unmanageable.
14. Backup
3 layers of back-up
• Master / nodes backup
  → Git / ansible
  → etcd backup
• PV backup
  → Bacula, rsync...
• Project backup
  → Images : Docker.io, artifactory, ….
  → Objects : oc export …, project level : https://github.com/vbehar/openshift-git
  → PVC : https://github.com/getupcloud/backup
15. Security
Dr. Egon Spengler: Don’t use root in your image
Dr. Peter Venkman: Why?
In Openshift, Pods are launched with an arbitrary / random user ID. Thanks to user namespaces. Root is prevented by default. You can’t escape :)
Your images must be adapted. Most docker hub images can’t be reused as such.
16. Security
Project side : thanks to cgroups and limits
Remember : Petazzoni slides
• cgroups : limit how much you can use (and gauge)
• namespaces : limit what you can see (and therefore use)
• Security context constraints : allow administrators to control permissions for pods.
• Segregation by namespaces : projects are isolated from each other
• Policies and roles at each level (cluster, project, resources, …)
• Images : image vulnerability scanning (Xray / BlackDuck), base images
• Network : segregation between projects by default (openvswitch, tags) : if you need to communicate, use services and routes EVEN in the same project.
• Secrets : because you don’t want to spread hidden things in your templates or configuration files (credentials, keys, …), openshift handles them for you.
• selinux : RHEL and docker
17. Tips
Always this scripting
Copy an object from project-1 to project-2 :
oc export xx -n project-1 | oc create -n project-2 -f -
List the pods matching a label in every project selected by label (type=lamp) :
for proj in $(oc get project -l type=lamp -o jsonpath='{.items[*].metadata.name}'); do oc get po -n $proj -l app=mysql,version=5.6; done
Check container environment variables (first oc get dc) :
oc get dc $DCTOINSPEC -n $DEV_PROJECT_NAME -o json | jq ".spec.template.spec.containers[]?.env"
Check user access within projects :
for PROJECTID in $PROJECTIDS; do echo "$PROJECTID" && oc describe policybindings :default -n $PROJECTID | grep -C 1 $USERNAME_TO_ADD; done
Check which image SHA is tagged OK :
for PROJECTID in $PROJECTIDS; do echo "$PROJECTID" && oc get is $PROJECTID -n $PROJECTID -o json | jq -r '.status.tags[] | select(.tag == "ok") | .items | max_by(.created) | .dockerImageReference'; done