The document provides an overview of containerization and Kubernetes. It discusses how containerization can help with software delivery, running polyglot applications, encapsulation, repeatability, provenance, and microservice architectures. It addresses common questions around containerizing applications and mapping application architectures to Kubernetes. It also highlights how OpenShift can help build containers, reuse Dockerfiles, and manage the Kubernetes lifecycle from development to production.
Can I Contain This?
1. Can I Contain This?
When & How to Containerise
Ed Seymour, Red Hat
Containerisation Lead, EMEA
8. ON LINUX, CONTAINERS ARE LINUX
Without containers: the app runs directly on the kernel.
With containers: the app runs inside namespaces on the container host’s kernel.
Where you run your container is important.
4. SOFTWARE DELIVERY
“Umm, I’ve got this container?”
“No problem, we can run containers! (and I only need what you’ve changed since last time!)”
5. POLYGLOT
“OK, so I’ve written this in Go, will that be a problem?”
“No problem, I’ll worry about the container, you worry about what to put in it!”
6. ENCAPSULATION
“I need to patch the server, will be updating library-xyz, is that cool?”
“No worries, all of my app dependencies are in my container image. I patch my app at the app release cadence, you go ahead!”
8. PROVENANCE
“Umm, the security guy wants to check what we’re running here”
“No problem, we can use the image ref and show its path through dev, test and into prod”
9. KUBERNETES
“OK, so I have a microservice architecture with back-end logic and a persistence tier, can you run this?”
“Sure! That’s why we use Kubernetes!”
10. CAN I CONTAIN THIS!?
“Err… ok, let’s get them into containers...”
“Awesome! So what about all these?” (many more apps)
11. IF IT RUNS ON LINUX...
...it should containerise, but check for ‘red flags’
https://www.flickr.com/photos/chinesejetpilot/89376843
https://commons.wikimedia.org/wiki/File:Tokenring.png
https://www.maxpixel.net/Documents-Paper-Document-Sign-Business-Agreement-428333
mov ax,'00' ; initialize to all ASCII zeroes
mov di,counter ; including the counter
mov cx,digits+cntDigits/2 ; two bytes at a time
cld ; initialize from low to high memory
rep stosw ; write the data
inc ax ; make sure ASCII zero is in al
mov [num1 + digits - 1],al ; last digit is one
mov [num2 + digits - 1],al ;
mov [counter + cntDigits - 1],al
http://assembly.happycodings.com/code1.html
12. ...BUT THEY DON’T MEAN IT WON’T
“Our app runs in RHEL 5, but there isn’t a RHEL5 base image, so this won’t containerise.”
“Why are you fixed to RHEL5? Does the app itself rely on RHEL5 libs & architecture, or do the Ops team say they only support this platform?”
14. CAN YOU MAP APP ARCHITECTURE TO KUBERNETES?
Underlying infrastructure and transport network
Replica Set | Stateful Set | Daemon Set
Platform Ops | Dev & App Ops
15. PLATFORM HARDENING & SECURITY
The platform is hardened against potential security risks & bad practice.
Make sure your containers play nice (no root)!
16. DO YOU NEED TO CHANGE YOUR PROCESSES?
Today: Build Slave | Build Slave | Build Slave, each running on a VM
17. HOW WILL YOU OPERATE YOUR SOFTWARE?
Installation | Upgrade | Backup | Failure recovery | Metrics & insights | Tuning
“None of this is like it used to be!”
“We will need to migrate to new tooling”
18. USING COTS
“Hey, you’ll support this if we run it in a container, right?”
“Sorry, we don’t support that yet :(”
19. THE BEST WAY TO OPTIMISE FOR KUBERNETES...
K8s cluster: Ingress (myapp.com) -> Services -> myapp and backend pods, each with its own ip
20. ...IS TO START WITH KUBERNETES
Build containers for Kubernetes
Design for web-scale & cloud native
The deployable unit is [App + K8s]
22. REFERENCE ARCHITECTURE FOR ENTERPRISE KUBERNETES
Automated Operations
Kubernetes on Red Hat Enterprise Linux or Red Hat CoreOS
Application Services: Middleware, Service Mesh, Functions, ISV
Cluster Services: Metrics, Chargeback, Registry, Logging
Developer Services: Dev Tools, Automated Builds, CI/CD, IDE
CaaS (Best IT Ops Experience) | PaaS (Best Developer Experience)
24. OPENSHIFT IS A CERTIFIED KUBERNETES DISTRIBUTION PROVIDING A FULL-STACK SOLUTION
25. OPENSHIFT IS KUBERNETES FOR THE ENTERPRISE
Certified Kubernetes
200+ validated integrations (container images, storage, networking, cloud services, etc)
100s of defect and performance fixes
9 year enterprise lifecycle management
Security fixes
Middleware integration
Kubernetes Release -> 3-4 months hardening -> OpenShift Release
26. OPENSHIFT CONTAINER PLATFORM
KUBERNETES
RED HAT ENTERPRISE LINUX | RED HAT CoreOS
ENTERPRISE KUBERNETES
SDN NETWORKING STORAGE LOGGING MONITORING
CI / CD PIPELINES SERVICE CATALOG
CONTAINER REGISTRY SECURITY | AUTH OPS CONSOLE
HYBRID CLOUD BARE METAL VIRTUAL PRIVATE PUBLIC
INTEGRATE SERVICES
OFF PLATFORM
SERVICE BROKERS | ANSIBLE | AWS | AZURE | GCP
ADD MORE APP TYPES WINDOWS CLOUD-NATIVE BIG DATA IOT SERVERLESS
AUTOMATED OPERATIONS
(OPERATOR FRAMEWORK)
OPERATOR LIFECYCLE MANAGER | PLATFORM | APPLICATIONS
RED HAT MIDDLEWARE SERVICES
27. ONE PLATFORM, FLEXIBLE CONSUMPTION MODELS
Manage your own secure, enterprise-grade Kubernetes platform
Managed service offering on your choice of AWS, Azure* or Google
SaaS offering to build, deploy, and scale container applications in the cloud
* announced for general availability in late 2018
Check it out! https://learn.openshift.com
OpenShift 4.0 Beta!! https://try.openshift.com
29. BUILDS CONTAINERS ON THE PLATFORM
“Dude! We’re already building containers.”
“Excellent! Just point OpenShift at your Dockerfiles, and it will become your build farm.”
It will also automatically add metadata, help you manage your upstream base images, and provide a secure place to store your built images.
30. CONTAINER REUSE: REFACTOR DOCKERFILES
Before: every Dockerfile builds OS base + App + Deps on its own, so there is lots to maintain.
After: layered images: OS base and Vendor MW (3rd party vendors, supported) -> Your Standards (local specialisations) -> App (focus on the app!)
31. EXAMPLE: TOMCAT APP
Tomcat base image:
FROM Jdk-base
RUN Install packages & deps; make directories; set permissions; set ownership; download binaries & copy to dir; fix static config
USER Preferred uid
EXPOSE Listened ports
VOLUME Working directories
ADD Init script
ENTRYPOINT Run the init script
CMD Default run command
App image:
FROM Tomcat base
ADD Binary to deployment dir
ADD Non-standard libs/drivers/etc
Focus on the App!
33. EXAMPLE: MINI-VM
Mini-VM image (what to avoid):
FROM OS-base
RUN Install packages & deps; make directories; install database (2); install sshd (1); install app framework; copy app binary; install init process; add init scripts; set permissions; set ownership
USER Preferred uid
EXPOSE Listened ports (app, db, sshd)
VOLUME Working directories (app, db)
Refactored app image (3):
FROM Tomcat base
ADD Binary to deployment dir
ADD Non-standard libs/drivers/etc
1) No need for sshd, platform provides remote shell
2) Use existing database container, no need to create a new one
3) Focus on the App!
34. OPENSHIFT BUILDS FROM BINARIES
“We already have CI...”
“Awesome, we’ve probably got a base image just for you!”
35. NAMESPACES FOR PIPELINE STAGES
K8s cluster namespaces: myapp-dev (jenkins: build & test) -> myapp-test12345 (promote for specialised tests) -> myapp-prod (promote to production)
Namespaces used to encapsulate stages
36. BUILDS FROM SOURCE
“I just want to push code!”
“No problem, we’ll compile from source and build your containers!”
37. MOVING FROM DIY KUBERNETES
“We already use K8s, and have kubectl in a lot of scripts and automation”
“Not a problem - OpenShift is Certified Kubernetes, kubectl works fine”
38. MANAGING KUBERNETES RESOURCES
“So what do I do with my K8s manifests?”
“I’d suggest treating it like source code, and promoting versions through SDLC”
39. MANAGING KUBERNETES RESOURCES
OCP cluster namespaces: myapp-dev (bc: build and deployment resources) -> myapp-test12345 and myapp-prod (just deployment resources)
Externalised config (ConfigMaps) provides runtime context
41. CAN WE CONTAINERISE?
Tell me about your app...
App
It’s a Tomcat app
Check ✔
It connects to an external MS SQL DB
Check ✔
We use the ODBC Java driver
Err, OK, Check ✔
The driver authenticates using Kerberos
Che.., wait, what?
42. WHAT DO YOU DO TODAY?
...and can we replicate this?
Server: Tomcat running the App, plus a cron job that runs kinit
43. OPTION 1: BUILD INTO CONTAINER
Application container layers (build): base (vendor certified & supported) -> middleware -> common (internally supported) -> krb5 client -> app (app team supported)
FROM common
RUN install krb5-client
ADD init-conf /etc/myinit
ADD kinit-refresh /
VOLUME ["/keytab.here"]
VOLUME ["/config.here"]
ENTRYPOINT ["/sbin/myinit"]
Run: myinit is pid 1 and supervises both kinit-refresh and app (pids 2 and 3)
44. PREFERRED: USE SIDECAR PATTERN
Application container layers (build): base (vendor certified & supported) -> middleware -> common (internally supported) -> app (app team supported)
kinit-refresh container layers (build): base (vendor certified & supported) -> common (internally supported) -> kinit-refresh (Krb5 team supported)
kinit-refresh image (krb5-client and myinit no longer live in the app image):
FROM common
RUN install krb5-client
ADD kinit-refresh /
VOLUME ["/keytab.here"]
VOLUME ["/config.here"]
ENTRYPOINT ["/kinit-refresh"]
Application Pod (run): app container + kinit-refresh container, sharing an shm volume
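As an added example (not from the deck or from the kinit-sidecar project), a Pod manifest in the shape slide 44 describes: the app and a kinit-refresh sidecar share an in-memory volume for the ticket cache, the keytab comes from a Secret, runtime context comes from a ConfigMap as on slide 39, and the pod runs non-root with capabilities dropped as slide 15 asks. The image names, the Secret and ConfigMap names, the /ccache path and the use of KRB5CCNAME are assumptions.

```yaml
# Added example, not from the deck. Image names, the Secret and ConfigMap
# names and the /ccache path are assumed placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  securityContext:
    runAsNonRoot: true      # slide 15: the hardened platform does not want root
    runAsUser: 1001
    fsGroup: 1001           # makes the Secret mount readable by uid 1001
  volumes:
    - name: ccache          # the shared "shm" volume from slide 44
      emptyDir:
        medium: Memory
    - name: keytab
      secret:
        secretName: myapp-keytab   # assumed Secret holding the service keytab
        defaultMode: 0440
  containers:
    - name: app
      image: registry.example/myapp:1.2       # assumed app image
      envFrom:
        - configMapRef:
            name: myapp-config                # slide 39: per-namespace runtime context
      env:
        - name: KRB5CCNAME
          value: FILE:/ccache/krb5cc          # ticket cache the sidecar keeps fresh
      volumeMounts:
        - name: ccache
          mountPath: /ccache
          readOnly: true                      # the app only reads the ticket
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
    - name: kinit-refresh
      image: registry.example/kinit-refresh:1.0   # assumed; runs kinit in a loop
      env:
        - name: KRB5CCNAME
          value: FILE:/ccache/krb5cc
      volumeMounts:
        - name: ccache
          mountPath: /ccache
        - name: keytab
          mountPath: /keytab.here           # the deck's VOLUME ["/keytab.here"]
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

Only the sidecar mounts the keytab, so a compromise of the app container exposes a short-lived ticket rather than the long-lived credential.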
45. ARCHITECTURAL SPIKE
What is the bare minimum needed to develop & test this feature?
Demonstrate that we can obtain a kerberos token, and pass to app container
1) Kerberos server ‘test harness’ - part of test stack
2) Test application - just needs to demonstrate a valid token, e.g. klist
3) Side-car authentication container
Just enough: prove & test the architecture
46. KERBEROS TEST SERVER
KRB5 Server container layers (build): base (vendor certified & supported) -> common (internally supported) -> krb5-server (Krb5 team supported)
KDC Pod (KDC runtime): kdc + kadmind containers, sharing an shm volume
See: https://github.com/edseymour/kinit-sidecar/tree/master/example-server
48. TEST SCRIPT
1. Provision the kdc server application
2. Provision the test app with kinit-sidecar
3. Run the kadmin command line to create a new example principal and obtain its keytab
4. Show the logs of the example application, which is defined to list active tokens. If the process works, a new active token should be displayed within a few seconds.
See: https://github.com/edseymour/kinit-sidecar/tree/master/openshift
49. KUBERNETES CHANGED HOW WE SOLVED THE PROBLEM
v1.2: Separation of Concerns | Promoting Reuse | Independent Release Cadence
50. ELIF
So much, so complicated!
I can see it looks like that, but not really...
Software design now maps to run-time
Common features are moving out of apps...
...and into standard, supported services
You get to focus on the app!
We’re reducing software delivery risks
51. MORE!
● Service Mesh! (Istio)
● Serverless!
Check out this great blog “Microservices in the Post-Kubernetes Era”: https://www.infoq.com/articles/microservices-post-kubernetes
Free books! https://developers.redhat.com/search/?f=type~book