OpenShift Enterprise

a Containerized Application Platform

@SamuelTerburg
OpenShift “Specialist” Solution Architect
March 2016
 Agenda

• Docker
• Kubernetes added-value
• OpenShift added-value
• Demo
• Q&A
Container Technology
- Docker
 Docker Registry
Images & Containers Image A Image B
App A App B
Libs A Libs B
Jboss-EAP
JDK
RHEL

●Docker “Image” docker pull <image> Container Container Container

• Unified Packaging format
• Like “war” or “tar.gz” APP A APP B APP C
• For any type of Application Image Image Image
• Portable
Docker Engine
●Docker “Container”
Host Minimal OS
• Runtime
• Isolation Hardware

RED HAT OPENSHIFT ENTERPRISE 4

 Evolution

Traditional
shared
Virtual
system isolation
Container
process isolation

APP A APP B APP C Container Container Container

APP A APP B
LIBS A LIBS B LIBS C APP A APP B APP C
LIBS A LIBS B LIBS.. Guest OS Guest OS Guest OS LIBS A LIBS B LIBS C
Host OS Hypervisor Host Minimal OS
Hardware Hardware Hardware

RED HAT OPENSHIFT ENTERPRISE 5

 Isolation, not Virtualization

• Kernel Namespaces
• Process
• Network
• IPC
App1 App2 App3 • Mount
• User

• Resource Limits
• Cgroups
Linux Kernel • Security
• SELinux

RED HAT OPENSHIFT ENTERPRISE

Container Orchestration
- Kubernetes
We need more than just packing and isolation
Kubernetes – Container Orchestration at Scale
Greek for “Helmsman”; also the root of the word “Governor” and “cybernetic”

• Container Cluster Manager

- Inspired by the technology that runs Google

• Runs anywhere
- Public cloud
- Private cloud
- Bare metal

• Strong ecosystem
- Partners: Red Hat, VMware, CoreOS..
- Community: clients, integration
 Visitor
Logging
Core Concepts ELK Kubernetes Cluster
Router

Registry
Service
• Pod Image
•

• Labels & Selectors Master Pod

Replication Pod
•
Controller Pod
• ReplicationController
•
Dev/Ops API Node Node
• Service etcd
•

• Persistent Volumes SkyDNS

•
Volume
Policies
Storage
Node
 Pods

POD Definition:
• Group of Containers
• Related to each other
• Same namespace
• Emphemeral

Examples:
• Wordpress
• MySQL
• Wordpress + MySQL
• ELK
• Nginx+Logstash
• Auth-Proxy+PHP
• App + data-load
 Replication Controller Kubernetes Cluster
• Pod Scaling
kind: ReplicationController
metadata: • Pod Monitoring
name: nginx • Rolling updates
spec:
replicas: 2
selector: Master
app: nginx Replication
template: Pod Pod
Controller
metadata:
name: nginx Dev/Ops API Node Node
labels:
app: nginx
spec: “nginx” etcd
RC Object
containers:
- name: nginx
image: nginx:v2.2
ports: Node
- containerPort: 80

# kubectl create –f nginx-rc.yaml

 Visitor
Service Kubernetes Cluster

172.16.0.1:3386
DB
db.project.cluster.local
Service Definition:
• Load-Balanced Virtual-IP (layer 4)
• Abstraction layer for your App PHP
• Enables Service Discovery
MySQL
• DNS MySQL
• ENV 10.1.0.1:3306
<?php 10.2.0.1:3306
mysql_connect(getenv(“db_host”))
Examples: mysql_connect(“db:3306”)
• frontend ?>
• database
• api
 3. Update
Service Rule
Redirect

- apiVersion: v1
kind: Service 2. Watch
metadata: Changes
labels: Kube Kube
IPTables IPTables
Proxy Proxy
app: MySQL
role: BE Master PHP
1. Create
phase: DEV Object
name: MySQL MySQL
MySQL
spec: 10.1.0.1:3306
ports: Dev/Ops API 10.2.0.1:3306
- name: mysql-data
port: 3386 “DB” etcd
Service Object
protocol: TCP
targetPort: 3306 SkyDNS
selector:
2. Watch Node
app: MySQL 1. Register
Changes
role: BE Pod Object
sessionAffinity: None 3. Register
type: ClusterIP Service
 Labels & Selectors
think SQL ‘select ... where ...’ Role: BE
- apiVersion: v1 - apiVersion: v1
kind: Service kind: Pod
Service
metadata: metadata: Role: FE
labels: labels: Phase: Dev
app: MyApp app: MyApp
role: BE role: BE Pod
phase: DEV phase: DEV
name: MyApp Pod
name: MyApp Pod
spec:
ports: Role: BE
Phase: TST Role: BE
- name: 80-tcp
Phase: DEV
port: 80
protocol: TCP
targetPort: 8080
selector:
app: MyApp
role: BE
sessionAffinity: None
type: ClusterIP
 Visitor
Ingress / Router
apiVersion: Router https://mysite.nl/service1/
extensions/v1beta1
kind: Ingress 172.16.0.1:3386
metadata: Service
db.project.cluster.local
• Router Definition: name: mysite
• Layer 7 Load-Balancer / spec:
Reverse Proxy rules:
PHP
- host: www.mysite.nl
• SSL/TLS Termination http: MySQL
• Name based Virtual Hosting paths: MySQL
• Context Path based Routing - path: /foo 10.1.0.1:3306
10.2.0.1:3306
• Customizable (image) backend:
serviceName: s1
• HA-Proxy
servicePort: 80
• F5 Big-IP - path: /bar
backend:
Examples: serviceName: s2
servicePort: 80
• https://www.mysite.nl/myapp1/
• http://www.mysite.nl/myapp2
 Persistent Storage kind: PersistentVolume Kubernetes Cluster
metadata:
name: pv0003
for Ops: spec:
• Google capacity:
• AWS EBS storage: 8Gi
accessModes:
• OpenStack's Cinder - ReadWriteOnce
• Ceph nfs: Pod
path: /tmp Pod
• GlusterFS server: 172.17.0.2 Pod
• NFS
• iSCSI Node Node
kind: PersistentVolumeClaim
• FibreChannel metadata:
• EmptyDir name: myclaim
spec:
accessModes:
Volume
for Dev: - ReadWriteOnce
resources:
• “Claim” requests:
Storage
storage: 8Gi
 Persistent Volume Claim

Ops Dev
Persistent Volume Farm Projects Claim and Mount

Project: ABC
pod
5G
SSD
10G pod
Storage
Provider(s)
Project: XYZ
pod
10G
SSD
40G pod

RED HAT OPENSHIFT ENTERPRISE 23

 Networking

• Each Host = 256 IPs

• Each POD = 1 IP

Programmable Infra: Overlay Networks:

• GCE / GKE • Flannel
• AWS • Weave
• OpenStack • OpenShift-SDN
• Nuage • Open vSwitch

RED HAT OPENSHIFT ENTERPRISE

 Visitor
Logging
Hosting Platform ELK Kubernetes Cluster
Router
• Scheduling Registry
• Lifecycle and health Service
• Discovery Image
• Monitoring
• Auth{n,z} Master Pod
Replication
• Scaling Controller
Pod
Pod
Dev/Ops API Node Node

etcd

SkyDNS
Volume
Policies
Storage
Node
OpenShift as a Development Platform
• Project spaces
• Build tools
• Integration with your IDE
 We need more than just Orchestration !

Secure
Self Service
- Namespaced
-Templates
- RBAC
- Web Console
Scalable
Multi-Language - Integrated LB

Automation Open Source

- Deploy
- Build
Enterprise
DevOps - Authentication
Collaboration - Web Console
- Central Logging

RED HAT OPENSHIFT ENTERPRISE

 OpenShift
We is Red
need more Hat’s
than justContainer Application Platform (PaaS)
Orchestration

Secure
Self Service
- Namespaced
-Templates
- RBAC
- Web Console
Scalable
Multi-Language - Integrated LB

Automation Open Source

- Deploy
- Build
Enterprise
DevOps - Authentication
Collaboration - Web Console
- Central Logging

RED HAT OPENSHIFT ENTERPRISE

Kubernetes Embedded

https://master:8443/api = Kubernetes API

/oapi = OpenShift API
/console = OpenShift WebConsole

OpenShift: Kubernetes:
• 1 Binary for Master • ApiServer, Controller, Scheduler, Etcd
• 1 Binary for Node • KubeProxy, Kubelet
• 1 Binary for Client • Kubectl

• Docker-image
• Vagrant-image
 Project Namespaces
Project Project “Prod” Project “Dev” Project
• Sandboxed Environment Global Services
• Network VXLan
• Authorization Policies
APP A APP C
• Resource Quotas Image Image
• Ops in Control, Dev Freedom

App OpenShift Platform

• Images run in Containers
• Grouped together as a Service
• Defined as Template
oc new-project Project-Dev
oc policy add-role-to-user admin scientist1
oc new-app
--source=https://gitlab/MyJavaApp
--docker-image=jboss-eap
 Logging Visitor
Kubernetes ELK
Hosting Architecture Ingress
Kubernetes Cluster
Registry

Image Service

Pod
Replication Pod
Controller Pod
Dev/Ops API Node Node

etcd

SkyDNS
Volume
Policies
Storage
Master
 Logging
OpenShift Visitor
EFK
PaaS Architecture OpenShift Cluster
Router
Registry
• Added “Build”
• Added “Deployment” Build Image Service
• s/ELK/EFK/g config
• s/Ingress/Router/g
Deploy
• Added Policies + tools Pod
• Added WebConsole Replication Pod
Controller Pod
Web
Dev/Ops API Node Node
Console
• OpenShift-SDN isolation etcd

SkyDNS
Volume
Policies
Storage
Master
 Logging
OpenShift Visitor
EFK
Build & Deploy Architecture OpenShift Cluster
kind: "BuildConfig“ Router
metadata: Registry
name: “myApp-build“
spec: Build Image Service
source:
type: "Git“ config
git:
uri: "git://gitlab/project/hello.git“ Deploy
dockerfile: “jboss-eap-6“ Pod
strategy:
Replication Pod
type: "Source“
sourceStrategy: Controller Pod
from:
kind: "Image“ Dev/Ops API Node Node
name: “jboss-eap-6:latest“
output:
to: etcd
kind: “Image“
name: “myApp:latest“ SkyDNS
triggers:
- type: "GitHub“ Volume
github: Policies
secret: "secret101“ Storage
- type: "ImageChange“ Master
# oc start-build myApp-build
 Can configure triggers for
automated deployments,

Build & Deploy an Image SCM

builds, and more.

Code
Builder Images
• Jboss-EAP Developer
• PHP
• Python
• Ruby Source
• Jenkins
Customer
Build 2
• Image Builder
• C++ / Go
Image
• S2I (bash) scripts

Triggers Can configure different

deployment strategies
Image Change (tagging)
•

• Code Change (webhook)

Deploy Container Image like A/B, Rolling upgrade,
Automated base updates,
and more.
• Config Change
 Logging
OpenShift Visitor
EFK
Build & Deploy Architecture OpenShift Cluster
kind: “DeploymentConfig“ Router
metadata: Registry
name: “myApp“
spec: Build Image Service
replicas: 2
selector:
app: nginx
template: Deploy
metadata: Pod
name: nginx
Replication Pod
labels:
app: nginx Controller Pod
spec:
containers: Dev/Ops API Node Node
- name: nginx
image: nginx:latest
ports: etcd
- containerPort: 80
triggers: SkyDNS
- type: "ImageChange“
from: Volume
kind: “Image” Policies
name: “nginx:latest Storage
Master
# oc deploy myApp --latest
Continuous Integration Pipeline example
registry
commit webhook ImageChange
Source Build Deploy
:test container registry
:test
Deploy Test Tag
:test-fw :uat
ImageChange ITIL registry
Deploy Approve Tag
:uat :prod
ImageChange
Deploy
:prod

RED HAT OPENSHIFT ENTERPRISE

Template
apiVersion: v1 apiVersion: v1 Router
kind: List kind: Template
Items: metadata:
- apiVersion: v1 name: redis-template Service
kind: Pod annotations:
… description: "Description“
- apiVersion: v1 iconClass: "icon-redis“
kind: Service tags: "database,nosql“
… objects: PHP
- apiVersion: v1
Kubernetes kind: Pod MySQL
… MySQL
curl –s https://get.helm.sh | bash parameters:
- description: Password
helm update from: '[A-Z0-9]{8}‘
helm search redis generate: expression
helm install redis name: REDIS_PASSWORD
labels:
redis: master

Deis Helm OpenShift

Demo
 Setup
yum install docker-engine

docker run openshift/origin

curl –s https://get.helm.sh | bash

helm update
 Setup
yum install docker-engine

docker run openshift/origin

-d --name "ose" --privileged --net=host --pid=host \
-v /:/rootfs:ro \
curl –s-vhttps://get.helm.sh
/var/run:/var/run:rw| bash
\
helm update
-v /sys:/sys:ro \
-v /var/lib/docker:/var/lib/docker:rw \
-v /var/lib/origin/openshift.local.volumes:/var/lib/origin/openshift.local.volumes:z \
-v /var/lib/origin/openshift.local.config:/var/lib/origin/openshift.local.config:z \
-v /var/lib/origin/openshift.local.etcd:/var/lib/origin/openshift.local.etcd:z \
openshift3/ose start \
--master="https://${OSE_MASTER_IP}:8443" \
--etcd-dir="/var/lib/origin/openshift.local.etcd" \
--hostname=`hostname` \
--cors-allowed-origins=.*

curl –s https://get.helm.sh | bash

helm update
 Setup Client
yum install
docker –entrypoint=cat openshift/origin /usr/bin/oc >/usr/local/bin/oc
run docker-engine

ln –s /var/lib/origin/openshift.local.config/admin.kubectl
docker run openshift/origin ~/.kubectl

curl –s https://get.helm.sh | bash

helm update
 OpenShift's Added Value

OpenShift User Experience

Build
- Idm (LDAP,SSO)
Enterprise - Web-Console
- JBoss xPaas images
Enterprise Management & Integration - Eclipse & Jenkins integrations
- Router
- Logging & Metrics
Container Development - SDN

Kubernetes Container orchestration Deploy

Docker Container runtime environment Run

Atomic Minimal OS Host

RED HAT OPENSHIFT ENTERPRISE 50

 Our JBoss Middleware xPaas Service Catalog

Application Integration Business Mobile

Container Services Services Process Services Services

• JBoss EAP • Fuse • Business Process • Red Hat Mobile /

• JBoss Web Server / • A-MQ Management * FeedHenry *
Tomcat • Data Virtualization • Business Rules
• JBoss Developer Studio Management System

* Coming Soon
 CloudForms Management

RED HAT OPENSHIFT ENTERPRISE

 RED HAT CLOUD SUITE FOR APPLICATIONS
Cloud Management – Alternative Virtualization – OpenStack – Containers – Development

RED HAT OPENSHIFT ENTERPRISE

 Questions?
plus.google.com/+RedHat facebook.com/redhatinc

nl.linkedin.com/in/samuelterburg twitter.com/SamuelTerburg

youtube.com/user/RedHatVideos

RED HAT OPENSHIFT ENTERPRISE