OpenShift 2H CY17 Roadmap and Red Hat Summit Preview
AOS Product Management Team, April 2017
Digital Shift in Action (customer references shown on the slide):
Gov of British Columbia, GovTech Singapore, Thyssenkrupp, La Poste Courrier, Volvo Cars, Disney, Pixar, Microsoft, Deutsche Bank, Amadeus, KeyBank, Barclays, Schiphol Airport, Google, Macquarie Bank, Atpco, Point72, Swiss Railways, Cisco, Computer Associates, Mass General Hospital, Partners Healthcare, Inmarsat, Optum, Miles & More, BMW, SkyTV, Verizon, UNC-Chapel Hill, Intel

OpenShift Integrated Solutions & Services (partners shown on the slide):
SonaType, EnterpriseDB, Big Switch Networks, Tremolo Security, HPE, Google, Microsoft, GitLab, JFrog, Redi Labs, Avi Networks, Univa, HAProxy, CloudBees, SysDig, DXC, Intel, F5, Dynatrace, Juniper Networks, NetApp, NGINX, Nuage, VMware NSX, AWS, CollabNet, Aporeto, Black Mesh, Accenture, Wipro, Vizuri, DLT Solutions
Red Hat Summit agenda, Monday to Thursday: https://summit.openshift.com

Monday, May 1: OpenShift Commons Gathering (SOLD OUT - waitlist only)
Featuring: Macquarie Bank, ATPCO, Point72, Swiss Federal Railways, Cisco, CA Technologies, La Poste, Mass General Hospital, Inmarsat
Tuesday, May 2, Day 1 keynote (morning)
Red Hat: Paul Cormier, EVP + President, Products / Technologies
How the growing digital footprint and rapid adoption of hybrid and multi-cloud environments challenge us to better integrate and unify our technology tools, data, devices, software, practices, and processes.
Keynote flow:
● Paul, Demo 1, Luis Uguina, Macquarie Bank (IA WINNER)
● Paul, Demo 2, John Hodgson, Optum
● Paul, Demo 3, Kieran Broadfoot, Barclays (IA WINNER)
Tuesday, May 2, Day 1 keynote (afternoon)
Deutsche Bank: Pat Healey, CTO
As one of the key components of the Strategy 2020 vision outlined by John Cryan, DB’s CEO, in November 2015, the “Everything as a Service” Programme is transforming the way that the bank’s applications are built, managed and hosted. Their PaaS roadmap is one of the key deliverables of the programme. It has an ambitious and publicly announced target of managing 85% of the bank’s workloads by 2020, which will dramatically reduce our costs and provide a much more flexible and scalable solution. Tools such as OpenShift, Ansible and Fuse allow us to build a robust and efficient development pipeline enabling ideation to production in a day with zero-touch deployment across all environments.
Tuesday, May 2, Day 1 keynote (afternoon)
Google: Kelsey Hightower and Sam Ramji, Google Cloud Platform
Abstract: still in progress
Keynote flow: still in progress
Wednesday, May 3, Day 2 keynote (morning)
Red Hat: Jim Whitehurst, CEO
No one can predict the future. The world is accelerating faster than anyone can wrap their head around. You also can’t plan your way into an uncertain future; planning is dead. The only way we can keep pace with change is to build capabilities to react and adapt to them by embracing a mindset of try, learn, and modify – and working bottom up instead of top down.
Keynote flow:
● Jim opening
● Peter Watkins, Government of British Columbia (IA WINNER)
● Mark Lim, Gov Tech, Singapore Government
● EasierAG, demo, Open Innovation Labs
● Jim closing
Thursday, May 4, Day 3 keynote (afternoon)
Microsoft: Julia White, VP Azure and Security Marketing
Abstract: still in progress
Keynote flow: still in progress
Thursday, May 4, Day 3 keynote (afternoon)
KeyBank: John Rzeszotarski, Director of DevOps
As with many large companies, KeyBank found that application delivery resulted in complexity growth over time, with slow manual testing, quarterly release cycles and outages resulting in poor Mean Time to Resolution (MTTR). KeyBank recently went cloud-native and built a DevOps practice while using Red Hat OpenShift Container Platform. KeyBank's DevOps team wanted to embrace an approach that also provided greater security for customer information.
Breakout Sessions: Key Features 2H CY2017+ Deep Dive

OpenShift Container Platform - Key Initiatives
● Containers & RHEL
● Container Security
● OpenShift UXD
● Service Broker / Catalog
● Kubernetes Federation
● Workload Diversity
● DEVaaS and Free Tier

Lots of Other Important Deliverables...
● JBoss Middleware on OpenShift
● CI / CD Pipelines (Jenkins)
● Build Automation (S2I & integration)
● Container Management (CloudForms CM-OPS)
● Networking (SDN & Routing)
● Storage (Plugins & Container Native Storage)
● Registry (Atomic Registry & 3rd party)
● Metrics (Hawkular and Prometheus)
● Logging (EFK)
● Security (Authentication/Authorization, SSO, Certificates, Secrets, etc.)
● RHEL.next
● Infrastructure Services (Virt, OpenStack, Mgt...)
● Segmentation
● Provider Specific Installs
● Spark and Data Services
RHEL is the Container Engine
[Diagram: Red Hat Enterprise Linux / Atomic Host as the host OS, container runtime & packaging (Docker) on top, and containers above; each container layers its own OS userspace, runtime and app on the shared host OS]

Trusted Container OS: Containers Depend on Linux
● Containers are foundational to the evolution of RHEL.
● Our container engine is carefully integrated and versioned with RHEL and OpenShift.
● Regardless of community naming and project structure, a fully supported container engine will remain in RHEL.
Atomic Host is Container-Optimized Linux: the container host for the Enterprise.
● Security
  ○ Inherited from RHEL
  ○ Read-only binaries
  ○ Small footprint, small attack surface
● Out-of-band updates
  ○ Roll forward / roll back
  ○ RPM package layering
● Performance
  ○ Network & storage optimizations
● Manage at scale
  ○ Leverage existing tools (Satellite, Ansible, kickstart)
Container Host Improvements - Coming in 7.4 (Red Hat Enterprise Linux and RHEL Atomic Host)
● New containerized content
  ○ “Init” base images for RHEL6 & RHEL7
  ○ Docker system container
● Storage and security improvements
  ○ User namespaces - full support
  ○ SELinux support with OverlayFS
  ○ overlay2 graph driver - full support
● Increasing the flexibility of rpm-ostree deployments
  ○ Custom partitioning options
  ○ Full support for package layering
  ○ Livefs - Tech Preview
Securing Containers: 10 Layers of Security (see the 10 Layers of Container Security presentation)
1. Container Host & Multi-tenancy
2. Container Content
3. Container Registries
4. Building Containers
5. Deploying Containers
6. Container Platform
7. Network Isolation
8. Storage
9. API Management
10. Federated Clusters
Clustered Container Infrastructure: Applications Run Across Multiple Containers & Hosts
[Diagram: Red Hat Enterprise Linux / Atomic Host, container runtime & packaging (Docker), container orchestration & cluster management (Kubernetes), with networking, security, storage, registry, and logs & metrics as cluster services around the containers]
OCP 3.6 Work (Platform Management, Cluster Infrastructure, Cluster Lifecycle, Storage)
● SELinux on/off
● Taints and Tolerations
● GPU/NUMA Design Proposal Finalized
● imageTrigger for job controller
● Autoscaling based on custom metrics
● Cluster Capacity Tool
● Registry Endpoint for handling image signatures
● Etcd Security Encryption
● User Namespace
● Registry Metrics
● CNS Backed Registry during Install
● System Container: installer, etcd, docker daemon
● Control cert expiry across the cluster
● Pre-req Automation during installation
● Complete Online Ops Ansible Merger
● FlexVolume Interface Update
● StorageClass Quotas
● StorageClass ACLs
● CephFS Support
● AWS EFS Dynamic Storage Provisioner
● Multipath iSCSI support
● CNS Gluster Block
● CNS Brick Multiplexing for increased # of PVs
Scan Sources
● Red Hat Container Catalog: curated content that is kept up to date against critical CVEs & product updates across the operating system and application layers.
● Red Hat Insights for Containers: connected-customer in-flight analysis of known vulnerability and configuration issues for container hosts.
● Red Hat CloudForms w/ OpenSCAP: 24x7 RHEL CVE vulnerability scanning of running pods, with OpenShift policy triggers on annotated images.
Scan in Action
[Diagram: images flow from the Red Hat Container Catalog registry into the OpenShift Registry and on to running pods. CloudForms performs image introspection with OpenSCAP; an image violation results in an image annotation, which the OpenShift admission controller enforces before a pod referencing that image is allowed to run.]
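As an added example (not code from the deck or from Red Hat), the following Python models the last hop of the scan flow above: after a scan has annotated an image, the admission controller decides whether a pod that references it may run. The annotation key images.openshift.io/deny-execution is the key OpenShift's image policy admission plugin matches on; the image digests, image stream tags and pod specs are constructed sample data, and rejecting unresolvable images is a choice made here, not something the slide states.

```python
# Added example: admission decision driven by scanner annotations.
# Image digests, tags and pod specs below are constructed sample data.

# Annotation key matched by OpenShift's image policy admission plugin.
DENY_ANNOTATION = "images.openshift.io/deny-execution"

# Image objects as stored in the OpenShift registry, keyed by digest.
# In the deck's flow the scanner (CloudForms + OpenSCAP) writes the
# deny-execution annotation when it finds a violation.
IMAGES = {
    "sha256:1111": {"annotations": {}},                          # never flagged
    "sha256:2222": {"annotations": {DENY_ANNOTATION: "true"}},   # image violation
    "sha256:3333": {"annotations": {DENY_ANNOTATION: "false"}},  # scanned and cleared
}

# Image stream tags resolve a mutable tag to the immutable digest it
# currently points at, so admission judges the actual bits, not the name.
IMAGE_STREAM_TAGS = {
    "docker-registry.default.svc:5000/shop/web:latest": "sha256:1111",
    "docker-registry.default.svc:5000/shop/legacy:v1": "sha256:2222",
    "docker-registry.default.svc:5000/shop/worker:v2": "sha256:3333",
}


def resolve_digest(image_ref):
    """Return the digest for an image reference, or None if it cannot be resolved."""
    if "@sha256:" in image_ref:
        return image_ref.split("@", 1)[1]
    return IMAGE_STREAM_TAGS.get(image_ref)


def admit(pod, reject_unresolvable=True):
    """Decide whether a pod may be created; returns (allowed, reasons).

    A pod is rejected if any container image resolves to an image annotated
    deny-execution=true, or (by default) if an image cannot be resolved to a
    known digest at all, since an unscanned image has no verdict.
    """
    reasons = []
    for container in pod["spec"]["containers"]:
        ref = container["image"]
        digest = resolve_digest(ref)
        if digest is None or digest not in IMAGES:
            if reject_unresolvable:
                reasons.append(f"{container['name']}: image {ref} is not a known image")
            continue
        annotations = IMAGES[digest]["annotations"]
        if annotations.get(DENY_ANNOTATION, "false").lower() == "true":
            reasons.append(f"{container['name']}: image {ref} ({digest}) "
                           f"is annotated {DENY_ANNOTATION}=true")
    return (not reasons, reasons)


def sample_pod(name, *images):
    """Build a minimal constructed pod spec with one container per image."""
    return {"metadata": {"name": name},
            "spec": {"containers": [{"name": f"c{i}", "image": img}
                                    for i, img in enumerate(images)]}}


if __name__ == "__main__":
    for pod in (sample_pod("web", "docker-registry.default.svc:5000/shop/web:latest"),
                sample_pod("legacy", "docker-registry.default.svc:5000/shop/legacy:v1"),
                sample_pod("mixed", "docker-registry.default.svc:5000/shop/worker:v2",
                           "docker.io/library/busybox:latest")):
        allowed, why = admit(pod)
        print(pod["metadata"]["name"], "ALLOW" if allowed else "DENY", why)
```

Resolving the tag to a digest before looking at annotations is the point worth keeping: a tag can be re-pointed after a scan, so the verdict has to attach to the digest that will actually run.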
Signing
[Diagram: the cluster admin (image-auditor role) generates a GPG key, pushes signed images to the OpenShift Registry and verifies signatures; Ansible propagates the GPG keyring and policy.json to each signed OpenShift node, so that an unsecured container is rejected on the node while a tenant's workloads run]

Cluster admin setup steps (image-auditor role):
1. gpg2 --gen-key
2. atomic push --sign-by
3. oc adm verify-image-signature
Ansible is used for key propagation: the GPG keyring and policy.json are distributed to every OpenShift node.

Tenant usage steps:
1. Select from content: imageStreams, templates, images
2. if/then: sandbox project or production project
3. nodeLabelSelector on each project places its workloads on the matching nodes
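An added example, not from the deck: a Python audit of the node-side policy.json that the signing setup above distributes with Ansible. The JSON shape is the containers policy.json format read by the atomic CLI and skopeo; the sample policy, registry hostnames and key paths are constructed assumptions, and the audit rules are the checks a cluster admin would want before trusting a node to reject unsigned images.

```python
# Added example: auditing a node's /etc/containers/policy.json before
# trusting it to reject unsigned images. The sample policy, registry
# hostnames and key paths are constructed; the JSON shape is the
# containers policy.json format read by the atomic CLI and skopeo.
import json

# Setup steps from the signing slide, for reference (image-auditor role):
#   gpg2 --gen-key                   -> key the nodes will verify against
#   atomic push --sign-by ...        -> push the image together with a signature
#   oc adm verify-image-signature    -> record the verification in OpenShift
# Ansible then copies the public keyring and this policy.json to each node.

SAMPLE_POLICY = json.dumps({
    # Anything not matched below is rejected: the safe default.
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            # Internal OpenShift registry (hostname assumed): only images
            # signed with the image-auditor key may run (key path assumed).
            "docker-registry.default.svc:5000": [
                {"type": "signedBy", "keyType": "GPGKeys",
                 "keyPath": "/etc/pki/containers/image-auditor.gpg"}
            ],
            # Red Hat content, verified with the Red Hat release key.
            "registry.access.redhat.com": [
                {"type": "signedBy", "keyType": "GPGKeys",
                 "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}
            ],
            # Left open on purpose so the audit has something to flag.
            "docker.io": [{"type": "insecureAcceptAnything"}],
        },
        # Images already loaded in the local docker daemon are trusted as-is.
        "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]},
    },
})


def audit_policy(policy_text, required_signed=()):
    """Return a list of findings (strings) for a policy.json document.

    A finding is raised when:
      * the default action is not 'reject' (unknown sources would be trusted),
      * a registry named in required_signed has no 'signedBy' requirement or
        its signedBy entry has no GPG key path to verify against,
      * any docker registry is accepted with no signature check at all.
    An empty list means the policy passes.
    """
    policy = json.loads(policy_text)
    findings = []

    default = policy.get("default", [])
    if not default or any(rule.get("type") != "reject" for rule in default):
        findings.append("default policy is not 'reject'")

    docker = policy.get("transports", {}).get("docker", {})
    for registry in required_signed:
        signed = [r for r in docker.get(registry, []) if r.get("type") == "signedBy"]
        if not signed:
            findings.append(f"{registry}: no signedBy requirement")
            continue
        for rule in signed:
            if rule.get("keyType") != "GPGKeys" or not rule.get("keyPath"):
                findings.append(f"{registry}: signedBy entry without a GPG keyPath")

    for registry, rules in docker.items():
        if any(r.get("type") == "insecureAcceptAnything" for r in rules):
            findings.append(f"{registry}: accepts unsigned images (insecureAcceptAnything)")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY,
                                required_signed=["docker-registry.default.svc:5000"]):
        print("FINDING:", finding)
```

Running the audit against the sample policy reports only the open docker.io entry; dropping the "default: reject" rule or removing the internal registry's signedBy entry produces the corresponding findings, which is the regression a configuration-management run should catch before the node is put into service.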
Current Practice 1: Complex Infrastructure Deployment
● Super low latency mesh fabric
● Dedicated fiber lines
● One overlay network
● VPN/VPC specialized equipment
● No traffic localization
● Cross datacenter chatter
[Diagram: Datacenter 1 (GEO Alpha) and Datacenter 2 (GEO Beta) behind a Global Server Load Balancer (GSLB), each running independent app instances, with file/block storage replication and S3 endpoints between the sites]

Current Practice 2: Common Application Deployment
● Independent and duplicate application instances across datacenters
● GEO scale for critical apps
● Multi-site redundancy and DR
● Performance via localization of traffic
● Policy and site control at the GSLB layer
● Site re-direction for availability
● IP proximity of client to datacenter

Kubernetes Federation: Apply the App to the Infrastructure
[Diagram: users reach the federation control plane servers through the UI, CLI and API; the control plane spreads containers across several clusters / data centers / availability zones that sit behind a Global Server Load Balancer (GSLB)]
Federation Timeline
● Gradual introduction to OpenShift
  ○ Target single public cloud providers first: (1) GCE, AWS, Azure; (2) cross public cloud; (3) private cloud
  ○ Cross or hybrid cloud providers
● First Kube primitives, then OpenShift API objects
  ○ (1) Likely not to be multi-tenant, limited global AUTH, just deployments, stateless at first
  ○ (2) Then add in Projects, deploymentConfigs, etc.
Tech Preview in OCP 3.7, continuing through OCP 3.8 -- OCP 3.9
No Avoiding Diverse Workload Requests
● Cloud Native: Replication Control, PV assignment, Autoscale, DaemonSet, podSpec, Templates, Spring/JDK, Circuit Breaker, Java Platform Classes
● Ordinal Services: classic clusters, storage to instance pairing, local storage, IP/Hostname tolerance, Leader Election, HA Pods
● Low Latency: NUMA, Device Passthrough, sysctl support, network separation, sequenced startups, SELinux Control, non-VXLAN, multi-home pods, kernel modules, hugepages
● Off Platform Services: Service Broker, Metering, Variable Propagation, Service Linking, Service Discovery, Service Permission
Current Work for Performance-Sensitive Application Pods

Feature                                          FSI  NFV  ISV    BD/ML  ANIM   HPC
NUMA (cpuset.cpus and cpuset.mems)               Yes  Yes  Yes    Maybe  Maybe  Yes
Device Passthrough (NIC and Disk)                Yes  Yes  Yes    Maybe  Maybe  Yes
Sysctl Support (non-namespaced too)              Yes  Yes  Yes    Yes    Yes    Yes
Separation of control- and data-plane            Yes  Yes  Yes    Yes    Yes    Yes
Generic “counted resource” model (i.e. GPU)      Yes  Yes  Maybe  Maybe  Yes    Maybe
Sequenced Pod Startups                           Yes  Yes  Maybe  Maybe  Maybe  Maybe
Node “fitness” (extended health info)            Yes  Yes  Maybe  Maybe  Maybe  Yes
SELinux control (label=disable)                  Yes  Yes  Maybe  Maybe  Maybe  Maybe
Non-VXLAN solutions                              Yes  Yes  Maybe  Yes    Yes    Yes
Multi-homed pods                                 Yes  Yes  Maybe  Yes    Yes    Yes
Reference Architectures                          Yes  Yes  Yes    Yes    Yes    Yes
Kernel Module loading/verification (DKMS-ish)    Yes  Yes  Maybe  Maybe  Maybe  Maybe
Use-case Documentation                           Yes  Yes  Yes    Yes    Yes    Yes
Hugepages                                        Yes  Yes  Yes    Maybe  Maybe  Maybe
GPU Decision Points
● Should the kubelet be the component that loads device drivers and kernel modules needed by the hardware, or should the container runtime?
● Should we use scheduler extensions or multi-schedulers to run an additional scheduler that processes the attributes coming from the custom isolator?
Networking
● Network Policy: stability, performance, UX, GA (targeted)
● Egress: DNS names for firewall, namespace-wide single source IP, HTTP proxy mode
● Research on OVN as replacement for part of openshift-sdn (not OVS)
● Support IPv6 terminated at the router with internal IPv4
● Router template documentation: format and annotation use
● More work on ingress
● Multi-network pods: NFV, cluster/mgmt traffic
● Cluster IP range enhancements
● DPDK performance research
Tech Preview
E2E Provider Integration: OpenShift Container Platform (ocp-supplemental = 2-4 wks after GA)

Provider   3.5-ocps          3.6-ocps through 3.8-ocps
AWS        3.5               3.6 - 3.8
GCE        3.5               3.6 - 3.8
VMware     3.5               3.6 - 3.8
Azure      3.5 (1)           3.6 - 3.8
OSP        3.4 (3.5 (1)) on 10   3.6 on 11, 3.7 on 11 (upgrade scenarios)

(1) Currently in review

NEW: Reference Architecture Implementation Guides, available in multiple formats
Metrics and Logging - Prometheus
Offer Prometheus as a certified metrics engine and database.
● Develop a Reference Architecture for certified use cases
● Productize, ship and support
● Prometheus use cases will be targeted at Web Scale DevOps
  ○ High metric throughput
  ○ Near real-time search and alerting
  ○ No long-term storage - integrate with Hawkular
OpenShift = Enterprise Kubernetes + Build, Deploy and Manage Containerized Apps
[Diagram of the OpenShift stack: Red Hat Enterprise Linux / Atomic Host and container runtime & packaging (Docker) at the bottom; container orchestration & cluster management (Kubernetes) with networking, security, storage, registry and logs & metrics; build automation and deployment automation; application lifecycle management (CI / CD); a self-service service catalog (language runtimes, middleware, databases, ...); and infrastructure automation & Cockpit alongside]
Project Overview (console design)
● Integrated pipeline status
● Details on services
● Details on builds
● Metrics
● Rolled-up metrics/alerts/status
● Filter; view as: App, Resource Type, Pipelines
Software Collections
Feature(s): SCL 2.4 Updates
Description: New images, updated versions and templates
New: Node.js 6, Nginx 1.10, Ruby 2.4, Ruby on Rails 5.0, Scala 2.10
Updates: Apache HTTP Server 2.4, Python 2.7, Thermostat 1.6
Red Hat (as a service)
● Enabling consumption of Red Hat technologies as a cloud service
● Provide consistent experience and pattern for integrating services
● Catalog services deployed on or off the platform
● Specialized experiences for key offerings (for example Messaging as a Service, provided by A-MQ)
CloudForms: very nice explanation about CloudForms and all the awesome things it can do. (Designs not final :-))
Service Broker (github.com/servicebroker/servicebroker)
[Diagram: the Service Catalog talks over the OpenServiceBrokerAPI to the OpenShift Template Service Broker (templates), the Ansible Service Broker (Ansible playbook bundles drawn from the registry, partner content and custom customer content), partner service brokers, customer service brokers and other OpenServiceBrokerAPI brokers]
● Broker SDK written in Golang available
● General Service Broker API
● Service Parameterization
● Generalization and Removal of Cloud Foundry Requirements
● Binding Semantics
● AUTH
● Foundation for Service Catalog + Marketplace
Overview: Using Ansible to Orchestrate OpenShift Services

Ansible Service Broker
● Embraces Service Catalog and Open Service Broker API concepts
● Supports:
  ○ Traditional S2I deployments
  ○ Provisioning of pre-existing images
  ○ Orchestrating off-platform (public cloud) services
  ○ Deploying multi-service solutions
● Define, extend, and deliver “simple” to “complex” multi-container OpenShift services
● Standardized approach to using Ansible to manage and provision applications
● Leverage existing investment in Ansible roles/playbooks
● Easy management of applications for “simple” cloud-native apps

Ansible Playbook Bundle
● Lightweight application definition (meta-container)
● Simple directory employing:
  ○ Named playbooks [provision, bind, …] to perform Open Service Broker actions
  ○ Metadata containing a list of required / optional parameters during deployment
  ○ Embedded Ansible runtime
Ansible Service Broker Architecture Overview
[Diagram: an Ansible Playbook Bundle is a directory of files (provision.yaml, deprovision.yaml, bind.yaml, unbind.yaml, ansibleapp.json and a deployment role) packaged with the Ansible runtime. A service consumer selects a service in the OpenShift Mall / Service Catalog; the Ansible Service Broker fetches the bundle from the Red Hat Container Catalog (or other service broker sources) and runs it against the OpenShift service.]

Broker actions: catalog, provision, deprovision, bind, unbind

The broker launches the bundle container with
  docker run $appname $method $vars
and inside the bundle the embedded runtime executes
  ansible-playbook $method.yaml $vars

Example Ansible Playbook Bundles: ELK, Etherpad, Foreman, Galera, ManageIQ, MongoDB, PostgreSQL, Pulp, Wordpress, External MLAB MongoDB SaaS, and more...

Timeline: 3.6 Tech Preview, 3.7 GA
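An added example in Python (not the project's own code) for the two bundle slides above: it writes a constructed Ansible Playbook Bundle to a temporary directory, validates that every broker action has its named playbook and that the metadata's optional parameters carry defaults, and then builds the ansible-playbook $method.yaml $vars invocation the broker would run, refusing to proceed when a required parameter is missing. The ansibleapp.json fields (name, parameters with required/default) and the playbook contents are assumptions made for this example.

```python
# Added example: validating an Ansible Playbook Bundle and building the
# `ansible-playbook $method.yaml $vars` invocation for one broker method.
# The bundle contents and the ansibleapp.json fields used here are
# constructed assumptions, not the project's actual schema.
import json
import os
import tempfile

# Broker actions that map to a named playbook in the bundle directory.
# `catalog` is served from ansibleapp.json instead and needs no playbook.
PLAYBOOK_ACTIONS = ("provision", "deprovision", "bind", "unbind")


def write_sample_bundle(root):
    """Write a constructed bundle: one playbook per action plus metadata."""
    for action in PLAYBOOK_ACTIONS:
        with open(os.path.join(root, f"{action}.yaml"), "w") as fh:
            fh.write(f"- hosts: localhost\n  tasks:\n    - debug: msg='{action}'\n")
    meta = {
        "name": "sample-db-apb",
        "parameters": [
            {"name": "db_user", "required": True},
            {"name": "db_password", "required": True},
            {"name": "db_size_gb", "required": False, "default": 1},
        ],
    }
    with open(os.path.join(root, "ansibleapp.json"), "w") as fh:
        json.dump(meta, fh)


def load_metadata(root):
    """Read the bundle metadata; this is what the `catalog` action exposes."""
    with open(os.path.join(root, "ansibleapp.json")) as fh:
        return json.load(fh)


def validate_bundle(root):
    """Return a list of problems; an empty list means the bundle is usable."""
    problems = [f"missing playbook {action}.yaml" for action in PLAYBOOK_ACTIONS
                if not os.path.isfile(os.path.join(root, f"{action}.yaml"))]
    try:
        meta = load_metadata(root)
    except (OSError, ValueError) as exc:
        return problems + [f"unreadable ansibleapp.json: {exc}"]
    for param in meta.get("parameters", []):
        if "name" not in param:
            problems.append("parameter without a name")
        elif not param.get("required", False) and "default" not in param:
            problems.append(f"optional parameter {param['name']} has no default")
    return problems


def build_command(root, method, supplied):
    """Return argv for `ansible-playbook $method.yaml $vars`.

    Raises ValueError for an unknown method or a missing required parameter,
    so the broker fails before it touches the cluster. Each variable is a
    separate -e argument; no shell is involved, so values are never re-parsed.
    """
    if method not in PLAYBOOK_ACTIONS:
        raise ValueError(f"unknown method {method!r}")
    argv = ["ansible-playbook", os.path.join(root, f"{method}.yaml")]
    for param in load_metadata(root)["parameters"]:
        name = param["name"]
        if name in supplied:
            value = supplied[name]
        elif param.get("required", False):
            raise ValueError(f"missing required parameter {name}")
        else:
            value = param["default"]
        argv += ["-e", f"{name}={value}"]
    return argv


def demo():
    """Create the sample bundle, validate it and build a provision command."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_bundle(root)
        problems = validate_bundle(root)
        argv = build_command(root, "provision", {"db_user": "app", "db_password": "s3cret"})
        try:
            build_command(root, "bind", {"db_user": "app"})
            missing_rejected = False
        except ValueError:
            missing_rejected = True
        return {"problems": problems,
                "playbook": os.path.basename(argv[1]),
                "args": argv[2:],  # program and path dropped so the result is path-independent
                "missing_param_rejected": missing_rejected}


if __name__ == "__main__":
    print(demo())
```

One caveat this example makes visible: variables handed over as -e key=value end up in the container's process arguments, so a bind or provision secret passed this way is readable from the process table; a broker that handles credentials should prefer an extra-vars file or environment variable with restricted permissions over the $vars form shown on the slide.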
Red Hat (as a service)
[Diagram: an EAP App consuming Queues and Topics from A-MQ, a Cache Endpoint from JDG, Distributed Storage from Gluster, and SSO from RH SSO, with further services to follow]
OpenShift Application Services
● Runtimes on OpenShift / xPaaS (container images and Maven artifacts): Java EE (JBoss EAP), MicroProfile (WildFly Swarm), Reactive (vert.x), Node.js, Apache Tomcat
● Certified Frameworks & Components (Maven artifacts): Spring Boot / Cloud, Netflix OSS (Ribbon, Hystrix, ...)
● Developer SaaS: generators, IDE, etc.
● Management: APM, Metrics, Service Discovery, Config., Logging, Health Check, Load Balancing
● Platform services: CI/CD, SSO, Messaging, IMDG, API Mgmt
Public Cloud

Updates:
● Customer dashboard for resource usage
● Encryption of data at rest
● Multi-AZ infra and compute nodes
● Dedicated on Azure
● SAML 2.0 support
● Configured and self-service backup/restore
● Self-service of cluster-wide image streams and templates

Updates:
● Includes 2 GiB RAM
● Available in multiple regions
● Add RAM and Storage in 1 GiB increments
● Apps are idled, slept and eventually archived

Roadmap: Summit 2017, then later in 2017: additional support levels, additional regions
Developer Tools-aaS: OpenShift.io
QUESTIONS?