Kyle Bassett's (Arctiq, www.arctiq.ca) presentation from the Halifax DevOps Meetup on July 19, 2017.
1. Linux Container Platform on Azure
(Kubernetes, OpenShift, Ansible Automation)
Pipeline Automation
(From Code to Containers, Automated CI / CD on Azure)
//Halifax DevOps Meetup Kyle Bassett - July 19, 2017
//thanks to
2. //today’s expedition
//Introductions
Who is Arctiq?
Docker to Docker Inc to OCI to Kubernetes to OpenShift
Ansible / Ansible Tower - What is it? What can it do?
Why Azure, What services are we using?, Why?
//Demos
Azure Infrastructure Automation via Ansible Tower
OpenShift Container Platform Build via Ansible
A quick look into OpenShift Container Platform
Continuous Delivery and CI/CD Pipeline Automation
//Social Stuff
Open Discussion
Beer !!!
5. //arctiq’s focus - mvp and business value
Trending, Visibility, and Feedback Loops
Security Hardening and Access Management
Automation and Orchestration
Standardization, Hardened Imaging, Centralized Management, and Audit Reporting
DEVELOPERS
Self-Service
Managed Container Platform
Fail-Fast + Fix-Fast Mindset
Freedom to Focus on Development
THE BUSINESS
Time-to-Market Advantages
Operational Efficiencies
Quality Software
Speed and Agility
IT OPERATIONS
Standardized Frameworks
Automated Repeatable Tasks
Simplified Infrastructure
Improved Security
6. //docker 101
● Docker is a software technology providing containers
● Promoted by the company Docker Inc.
● Docker provides an additional layer of abstraction and automation of
operating-system-level virtualization on Linux and Windows.
● Docker uses the resource isolation features of the Linux kernel such as cgroups and
kernel namespaces, and a union-capable file system such as OverlayFS and others
● This allows independent "containers" to run within a single Linux instance, avoiding
the overhead of starting and maintaining virtual machines.
8. //docker vs docker inc
● Docker is an open source software platform to create, deploy and manage virtualized
application containers on a common operating system (OS), with an ecosystem of
allied tools.
● https://mobyproject.org/
● Docker Inc. - the company that originally developed Docker, supports a commercial
edition and is the principal sponsor of the open source tool.
9. //docker vs open container initiative
Mission Statement
● The mission of the Open Container Initiative (OCI) is to promote a set of common, minimal, open standards and specifications
around container technology
Governing principles of the OCI
● Technology leadership
● Influence through contribution
● Limited scope, limited politics
● Minimalist structure
● Representative leadership
● Adherence to anti-trust regulations
Why?
● Not bound to higher level constructs such as a particular client or orchestration stack,
● Not tightly associated with any particular commercial vendor or project, and
● Portable across a wide variety of operating systems, hardware, CPU architectures, public clouds, etc.
10. //we need more
WE NEED MORE THAN JUST CONTAINERS
Scheduling
Decide where to deploy containers
Lifecycle and health
Keep containers running despite failures
Discovery
Find other containers on the network
Monitoring
Visibility into running containers
Security
Control who can do what
Scaling
Scale containers up and down
Persistence
Survive data beyond container lifecycle
Aggregation
Compose apps from multiple containers
12. //kubernetes 101
WHAT DO I GET WITH KUBERNETES?
Kubernetes satisfies a number of common needs of applications, such as:
● co-locating helper processes, facilitating composite applications and preserving the
one-application-per-container model
● mounting storage systems
● distributing secrets
● application health checking
● replicating application instances
● horizontal auto-scaling
● naming and discovery
● load balancing
● rolling updates
● resource monitoring
● log access and ingestion
● support for introspection and debugging
● identity and authorization
24. //but operations needs tools
OPERATIONAL & PLATFORM REQUIREMENTS
NETWORKING
IMAGE REGISTRY
ENTERPRISE SUPPORT & INSURANCE
APPLICATION SERVICES
METRICS & LOGGING
LIFE CYCLE MANAGEMENT
SELF SERVICE & API’S
25. //and then there’s more and more...
OK - WHAT ELSE?
Routing & Load Balancing
Multi-tenancy
CI/CD Pipelines
Role-based Authorization
Capacity Management
Chargeback
Vulnerability Scanning
Container Isolation
Image Build Automation
Quota Management
Teams and Collaboration
Infrastructure Visibility
Training & Education
26. //openshift 101
SELF-SERVICE, APP SERVICES, APP LIFECYCLE MGMT, METRICS AND LOGGING, NETWORK
Bring your own PaaS: runs on physical, virtual, private cloud, or any public cloud
IDE Integration
Enterprise Support
28. //Namespaces Explained
Namespaces - Project Isolation
● Kubernetes supports multiple virtual clusters
backed by the same physical cluster. These virtual
clusters are called namespaces.
● Namespaces are intended for use in environments
with many users spread across multiple teams, or
projects. For clusters with a few to tens of users,
you should not need to create or think about
namespaces at all. Start using namespaces when
you need the features they provide.
● Namespaces provide a scope for names. Names
of resources need to be unique within a
namespace, but not across namespaces.
● Namespaces are a way to divide cluster resources
between multiple users (via resource quota).
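The slide lists what a namespace gives you (a scope for names, and a place to hang a quota); in practice a namespace is not an isolation boundary on its own. The following manifests are an added example, not from the presentation, showing the three objects that turn a bare namespace into an isolated project: a ResourceQuota, a namespaced RoleBinding, and a NetworkPolicy. The names team-a and dev-team-a are placeholders, and it assumes RBAC is enabled and the cluster's SDN plugin enforces NetworkPolicy (OpenShift's ovs-networkpolicy plugin, for example).

```yaml
# Added example, not from the presentation. Placeholder names: team-a,
# dev-team-a. Assumes RBAC plus an SDN plugin that enforces NetworkPolicy.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
# Quota: this is the "divide cluster resources" part of the slide. Without
# it one team can starve every other tenant of the shared cluster.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    pods: "20"
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
---
# RBAC: a namespace scopes names, not permissions. Bind the team's group to
# the built-in "edit" ClusterRole inside this namespace only (a RoleBinding,
# not a ClusterRoleBinding), so the grant cannot leak into other projects.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-developers
  namespace: team-a
subjects:
  - kind: Group
    name: dev-team-a
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
# Network: by default every pod can reach every other pod in every
# namespace. Select all pods here and allow ingress only from pods in the
# same namespace; traffic from other namespaces is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
```

Apply it with `kubectl apply -f team-a.yaml` (or `oc apply -f`). Two caveats: once a quota constrains requests and limits, pods that do not declare them are rejected, so pair the quota with a LimitRange that supplies defaults; and the NetworkPolicy only has an effect if the network plugin implements it, otherwise it is silently ignored.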
29. //Eco-system of tooling example
Runs on physical servers, virtual servers, private cloud, public cloud, or a managed service
Infrastructure: IDM, Security Tools, Developer Tools, Infrastructure Automation, Identity, Ops Tooling
Bring your own PaaS
31. //ansible for everyone
SIMPLE
Human readable automation
No special coding skills needed
Tasks executed in order
Get productive quickly
POWERFUL
App deployment
Configuration management
Workflow orchestration
Orchestrate the app lifecycle
AGENTLESS
Agentless architecture
Uses OpenSSH & WinRM
No agents to exploit or update
More efficient & more secure
32. //how ansible works
ANSIBLE’S AUTOMATION ENGINE: users write an Ansible playbook; the inventory (hosts and networking devices, sourced from a CMDB or a public / private cloud) defines the targets; modules, plugins and the API do the work.
34. //azure + ansible
Requirements
Using the Azure Resource Manager modules requires having the Azure Python SDK installed on the host running Ansible:
$ pip install "azure==2.0.0rc5"
Authentication
● Active Directory username/password
● Service Principal credentials
Variables
Set as environment variables, or as the corresponding lower-case keys (client_id, secret, subscription_id, tenant) in a [default] section of $HOME/.azure/credentials:
● AZURE_CLIENT_ID
● AZURE_SECRET
● AZURE_SUBSCRIPTION_ID
● AZURE_TENANT
35. //azure modules
● azure - create or terminate VM in Azure
● azure_rm_deployment - create or destroy ARM template deployments
● azure_rm_publicipaddress - Manage Azure Public IP Addresses
● azure_rm_publicipaddress_facts - Get public IP facts
● azure_rm_resourcegroup - Manage Azure resource groups
● azure_rm_storageaccount - Manage Azure storage accounts
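The two slides above cover authentication and the azure_rm modules separately; the playbook below is an added example (not from the presentation or the demo) that ties them together. It uses the service principal option rather than an AD username/password, keeps the four credential values in a vault-encrypted file, and hands them to the modules through the environment variables the slide lists, so the secret never appears in a task, a job log, or git. It assumes the Ansible 2.3-era azure_rm_* modules with the Azure SDK installed as above, a file azure_creds.yml created with `ansible-vault create azure_creds.yml` that defines azure_client_id, azure_secret, azure_subscription_id and azure_tenant, and placeholder resource names (ocp-demo-rg, ocpdemostorage01, ocp-router-pip).

```yaml
# Added example, not from the presentation. Assumes Ansible 2.3-era
# azure_rm_* modules, the Azure Python SDK from the slide above, and a
# vault-encrypted azure_creds.yml defining azure_client_id, azure_secret,
# azure_subscription_id and azure_tenant. Resource names are placeholders.
- name: Provision base Azure resources for an OpenShift cluster
  hosts: localhost
  connection: local
  gather_facts: no
  vars_files:
    - azure_creds.yml          # encrypted; run with --ask-vault-pass
  vars:
    resource_group: ocp-demo-rg
    location: canadaeast
  # The azure_rm modules read these from the environment (the "Variables"
  # slide), so no task has to carry the secret as a parameter.
  environment:
    AZURE_CLIENT_ID: "{{ azure_client_id }}"
    AZURE_SECRET: "{{ azure_secret }}"
    AZURE_SUBSCRIPTION_ID: "{{ azure_subscription_id }}"
    AZURE_TENANT: "{{ azure_tenant }}"
  tasks:
    - name: Create the resource group
      # Grant the service principal Contributor on this resource group only,
      # not Owner on the subscription; nothing below needs more.
      azure_rm_resourcegroup:
        name: "{{ resource_group }}"
        location: "{{ location }}"
        tags:
          environment: dev
          owner: platform-team

    - name: Create a storage account for VM disks and the registry
      azure_rm_storageaccount:
        resource_group: "{{ resource_group }}"
        name: ocpdemostorage01        # globally unique, lower-case, 3-24 chars
        account_type: Standard_LRS

    - name: Allocate a static public IP for the OpenShift router
      azure_rm_publicipaddress:
        resource_group: "{{ resource_group }}"
        name: ocp-router-pip
        allocation_method: Static
      register: router_pip

    - name: Show the address to point the wildcard DNS record at
      debug:
        msg: "Router public IP: {{ router_pip.state.ip_address }}"
```

Run it with `ansible-playbook --ask-vault-pass azure-base.yml`. In Tower the same play would take its credentials from a Tower credential object instead of the vault file, which is the point of the "Role-based access and self-service" slide later on: users who can launch the job never see the secret.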
37. //ansible tower
CONTROL
SIMPLE POWERFUL AGENTLESS
KNOWLEDGE DELEGATION
TOWER EXPANDS AUTOMATION TO YOUR ENTERPRISE.
AT ANSIBLE’S CORE IS AN OPEN-SOURCE AUTOMATION ENGINE.
Scheduled and centralized jobs
Visibility and compliance
Role-based access and self-service
Everyone speaks the same language
Designed for multi-tier deployments
Predictable, reliable, and secure
38. //what is ansible tower?
Ansible Tower is an enterprise framework for controlling, securing and managing your Ansible automation, with a UI and RESTful API.
• Role-based access control keeps environments secure, and teams efficient.
• Non-privileged users can safely deploy entire applications with push-button deployment access.
• All Ansible automations are centrally logged, ensuring complete auditability and compliance.
39. //automate everything
USE CASES: configuration management, app deployment, continuous delivery, security & compliance, orchestration, provisioning
USERS: admins, Ansible CLI & CI systems, Ansible playbooks
ANSIBLE TOWER: simple user interface, Tower API, role-based access control, knowledge & visibility, scheduled & centralized jobs
ANSIBLE: Python codebase, open source module library, plugins
TRANSPORT: SSH, WinRM, etc.
AUTOMATE YOUR ENTERPRISE
CLOUD: AWS, Google Cloud, Azure …
INFRASTRUCTURE: Linux, Windows, UNIX …
NETWORKS: Arista, Cisco, Juniper …
CONTAINERS: Docker, LXC …
SERVICES: databases, logging, source control management
52. //continuous deployment workflow
● Each commit drives a build and deployment that creates a "baked" application container image in the registry, in the development project / environment (S2I example)
● Upon success the application image is pulled from the development project and deployed into the Testing / QA project / environment
● Think of how we handle WARs and JARs today: we manage the compiled artifact. The container image is the new artifact, and we apply the same governance processes that exist today.
● This workflow can extend to production by introducing the required enterprise controls.
● The only way to get code into production is to start in Dev > QA > ...
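The workflow above, as an added example that is not from the presentation or the demo. It assumes OpenShift 3.x objects (`apiVersion: v1`), two projects myapp-dev and myapp-qa, a placeholder Git repository, and the nodejs:6 S2I builder image from the openshift namespace; all of those names are assumptions. Dev has a BuildConfig and builds on every push; QA has no BuildConfig at all, only a DeploymentConfig that redeploys when the myapp:qa tag changes, so the only way an image reaches QA is promotion from dev.

```yaml
# Added example, not from the presentation. Placeholder names: myapp-dev,
# myapp-qa, https://github.com/example/myapp.git, nodejs:6 S2I builder.
#
# --- Dev project: build on every commit (S2I) ---
apiVersion: v1
kind: ImageStream
metadata:
  name: myapp
  namespace: myapp-dev
---
apiVersion: v1
kind: BuildConfig
metadata:
  name: myapp
  namespace: myapp-dev
spec:
  source:
    type: Git
    git:
      uri: https://github.com/example/myapp.git   # placeholder repository
      ref: master
  strategy:
    type: Source
    sourceStrategy:
      from:
        kind: ImageStreamTag
        name: nodejs:6
        namespace: openshift
  output:
    to:
      kind: ImageStreamTag
      name: myapp:latest
  triggers:
    - type: GitHub
      github:
        # The webhook URL embeds this value; generate it with `openssl rand
        # -hex 20` and treat it as a credential, since anyone holding it
        # can start builds in the dev project.
        secret: replace-with-random-webhook-secret
    - type: ImageChange          # rebuild when the builder image is patched
---
# --- QA project: deploy only, never build ---
apiVersion: v1
kind: ImageStream
metadata:
  name: myapp
  namespace: myapp-qa
---
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: myapp
  namespace: myapp-qa
spec:
  replicas: 2
  selector:
    app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
        - name: myapp
          image: myapp:qa          # rewritten to the resolved pull spec by the trigger
          ports:
            - containerPort: 8080
  triggers:
    - type: ConfigChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
          - myapp
        from:
          kind: ImageStreamTag
          name: myapp:qa
          namespace: myapp-qa
```

Create both sets of objects with `oc apply -f`, then allow QA to pull from dev once: `oc policy add-role-to-group system:image-puller system:serviceaccounts:myapp-qa -n myapp-dev`. Promotion is a single tag operation, `oc tag myapp-dev/myapp:latest myapp-qa/myapp:qa`, which records the image by digest on the QA tag and fires the ImageChange trigger; this is the "container image is the new artifact" point in practice, because QA runs exactly the bytes that were built and tested, not whatever :latest happens to mean later. Extending to production is the same pattern with a third project, where the tag command is run by a pipeline stage that sits behind an approval rather than by a developer.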