devops with openshift - anz openshift meetup series - 2017
TRANSCRIPT
DevOps with OpenShift
Stefano Picozzi & Mike Hepburn
1. Concerned with value delivery
2. Professional empathy formed via shared sensibilities
3. Automation as actionable intervention
DevOps – The Talent Dividend
Herzberg's OpenShift
SERVICE CATALOG (LANGUAGE RUNTIMES, MIDDLEWARE, DATABASES ..)
SELF-SERVICE
APPLICATION LIFECYCLE MANAGEMENT (CI / CD)
BUILD AUTOMATION, DEPLOYMENT AUTOMATION
CONTAINER, CONTAINER, CONTAINER
NETWORKING, SECURITY, STORAGE, REGISTRY, LOGS & METRICS
CONTAINER ORCHESTRATION & CLUSTER MANAGEMENT (KUBERNETES)
RED HAT ENTERPRISE LINUX
CONTAINER RUNTIME & PACKAGING (DOCKER)
ATOMIC HOST
INFRASTRUCTURE AUTOMATION & COCKPIT
Motivators
Hygiene Factors
DevOps Design Dilemmas
Automation Concern
Infrastructure Application
Low
High
Infrastructure as code
Containers as code
Container primitives
Enterprise Management
Operational Convenience
Opportunistic Productivity
Operational Efficiency
Organizational Innovation
Where should infrastructure automation end and application automation begin?
What is the right level of abstraction?
Separation of Concerns: Projects, Namespaces, Registry, ImageStreams, Multitenancy plugin SDN, Quotas, Roles, Playbooks ...
Self-Service for All: Source to Image, Templates, Storage Classes, Console, CLI, REST, Pipelines, A/B, Canary, Software Catalog, Log aggregation ...
Interface Abstraction
Scale Invariance
• oc cluster up, oc-cluster-wrapper, PowerShift
• Minishift
• OpenShift Online/Dedicated
• OpenStack, BareMetal/RHEL, Red Hat Atomic, VMWare, RHEV
• Red Hat CCSPs, AWS, Azure, Google, ...
oc cluster up [ using native Docker, not the Docker Machine method ]
1. Install native Docker
2. Download oc client tools
3. Verify docker and xip.io resolution
4. Start with named profile
$ oc cluster up \
    --public-hostname='127.0.0.1' \
    --host-data-dir="$HOME/oc/profiles/$PROFILE/data" \
    --host-config-dir="$HOME/oc/profiles/$PROFILE/config" \
    --use-existing-config
$ oc new-app https://github.com/StefanoPicozzi/cotd.git
S2I: Source To Image
Application Artifacts
BuildConfig
...
source:
  type: Git
  git:
    uri: 'https://github.com/StefanoPicozzi/cotd.git'
strategy:
  type: Source
  sourceStrategy:
    from:
      kind: ImageStreamTag
      namespace: openshift
      name: 'php:5.6'
...
DeploymentConfig
...
strategy:
  type: Rolling
  rollingParams:
triggers:
  - type: ConfigChange
  - type: ImageChange
    imageChangeParams:
      automatic: true
      containerNames:
        - cotd
      from:
        kind: ImageStreamTag
        namespace: myproject
        name: 'cotd:latest'
...
Route
...
host: cotd-myproject.127.0.0.1.xip.io
to:
  kind: Service
  name: cotd
  weight: 100
port:
  targetPort: 8080-tcp
...
Service
...
ports:
  - name: 8080-tcp
    protocol: TCP
    port: 8080
    targetPort: 8080
selector:
  app: cotd
  deploymentconfig: cotd
clusterIP: 172.30.96.232
type: ClusterIP
sessionAffinity: None
...
ImageStream
...
dockerImageRepository: '172.30.188.253:5000/myproject/cotd'
tags:
  - tag: latest
    items:
      - created: '2017-01-16T01:52:25Z'
        dockerImageReference: '172.30.188.253:5000/myproject/cotd@sha256:756140766ea2484110724b3ca00de159b5eb8142484b97fed639f1c63b93d53a'
        image: 'sha256:756140766ea2484110724b3ca00de159b5eb8142484b97fed639f1c63b93d53a'
        generation: 1
...
Working with Storage
1. Create Persistent Volume
$ oc login -u system:admin
$ oc create -f - << EOF!
apiVersion: v1
kind: PersistentVolume
metadata:
  name: cotdvolume
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteOnce
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Recycle
  hostPath:
    path: /home/johndoe/volumes
EOF!
2. Set up the Persistent Volume Claim *
$ oc login -u developer -p developer
$ oc project meetup
$ oc set volume dc/pets --add \
    --overwrite \
    --name=images \
    --type=persistentVolumeClaim \
    --mount-path=/opt/app-root/src/data/images \
    --claim-size=100Mi \
    --claim-name=petsclaim \
    --containers=pets
* Also using Console
A/B Deployments
1. Create A Application
$ oc new-app --name='cats' \
    php~https://github.com/StefanoPicozzi/cotd.git \
    -e SELECTOR=cats
$ oc expose service cats --name=cats
2. Create B Application
$ oc new-app --name='cities' \
    php~https://github.com/StefanoPicozzi/cotd.git \
    -e SELECTOR=cities
$ oc expose service cities --name=cities
3. Create the AB Route
$ oc expose service cats --name='cotd'
$ oc annotate route/cotd \
    haproxy.router.openshift.io/balance=roundrobin
$ oc set route-backends cotd cats=50 cities=50
Blue Green Deployments
1. Create Blue Application
$ oc new-app --name=blue \
    https://github.com/devops-with-openshift/bluegreen#master
$ oc expose service blue --name=bluegreen
2. Create Green Application
$ oc new-app --name=green \
    https://github.com/devops-with-openshift/bluegreen#green
3. Switch Routes Green/Blue
$ oc patch route/bluegreen -p '{"spec":{"to":{"name":"green"}}}'
$ oc patch route/bluegreen -p '{"spec":{"to":{"name":"blue"}}}'
Rollbacks
1. Create cats Application
$ oc new-app --name='cotd' \
    php~https://github.com/StefanoPicozzi/cotd.git \
    -e SELECTOR=cats
$ oc expose service cotd --name=cotd
2. Create cities Application
$ oc env dc/cotd SELECTOR=cities
$ oc describe dc cotd
3. Rollback & Rollforward
$ oc rollback cotd --to-version=1 --dry-run
SELECTOR: cats
$ oc rollback cotd --to-version=1
$ oc rollback cotd --to-version=2
$ oc set triggers dc/cotd --auto
Canary Deployment Strategies
HAProxy Router Template Configuration
$ oc edit dc router
frontend public
  # Custom acl
  # block users not in 192.168.137.0/24 network
  # from accessing cities host
  acl network_allowed src 192.168.137.0/24
  acl host_city hdr(host) -i cities-cotd.192.168.137.3.xip.io
  acl restricted_page path_beg /
  http-request deny if restricted_page host_city !network_allowed
Users randomly directed to new version (A/B)
Users directed via route to canary application
Users directed to canary project for testing
Users directed to canary instance based on profile
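A policy check for the custom HAProxy ACL on the router template slide, written as an added example (a Python model of the rule, not HAProxy itself and not code from the talk). The sample requests, the cats host name and the strip_port option are constructed for illustration; the network and the cities host come from the slide.

```python
import ipaddress

# Values copied from the slide's ACL lines.
ALLOWED_NET = ipaddress.ip_network("192.168.137.0/24")
CITY_HOST = "cities-cotd.192.168.137.3.xip.io"


def is_denied(src_ip, host_header, path="/", strip_port=False):
    """Model of: http-request deny if restricted_page host_city !network_allowed."""
    host = host_header
    if strip_port:
        # Hypothetical hardened variant (not on the slide): compare the
        # host name only, ignoring any ":port" suffix in the header.
        host = host.rsplit(":", 1)[0]
    # acl network_allowed src 192.168.137.0/24
    network_allowed = ipaddress.ip_address(src_ip) in ALLOWED_NET
    # acl host_city hdr(host) -i ...: case-insensitive match on the
    # whole header value, so "name:80" is not equal to "name".
    host_city = host.lower() == CITY_HOST.lower()
    # acl restricted_page path_beg /
    restricted_page = path.startswith("/")
    return restricted_page and host_city and not network_allowed


# Constructed sample requests: (client source address, Host header).
SAMPLES = [
    ("192.168.137.20", CITY_HOST),                     # inside the network
    ("10.0.0.5", CITY_HOST),                           # outside the network
    ("10.0.0.5", "CITIES-COTD.192.168.137.3.XIP.IO"),  # -i ignores case
    ("10.0.0.5", "cats-cotd.192.168.137.3.xip.io"),    # other host, no rule
    ("10.0.0.5", CITY_HOST + ":80"),                   # Host header with port
]


def evaluate(strip_port=False):
    """Return the deny decision for every sample, in order."""
    return [is_denied(ip, host, strip_port=strip_port) for ip, host in SAMPLES]


if __name__ == "__main__":
    for (ip, host), denied in zip(SAMPLES, evaluate()):
        print(f"{ip:15} {host:40} {'deny' if denied else 'pass'}")
```

The last sample is the case to include when testing the real router: if the rule must hold for Host headers that carry a port, normalise the header before matching.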
Why Pipelines ?
“The Job of the deployment pipeline is to prove that the release candidate is unreleasable” - Jez Humble
What Should You Put in Your Pipeline ?
source code version control
optimum git branching strategies
static code analysis
>80% code coverage
vulnerability scanning
artifact version control
automated unit, int, performance testing
manual testing
build, deploy, test - for every commit
automated merge control
zero downtime releases
automated rollback
feature toggles
manage build and test environments on demand
Preparing your environment
1. Import Jenkins image streams
$ oc import-image --all --insecure=true --confirm -n openshift docker.io/openshift/jenkins-2-centos7
$ oc import-image --all --insecure=true --confirm -n openshift registry.access.redhat.com/openshift3/jenkins-2-rhel7
2. Import Jenkins Templates
$ BASEURL="https://raw.githubusercontent.com/openshift/openshift-ansible/master/roles/openshift_examples/files/examples/v1.4"
$ oc create -f $BASEURL/jenkins-ephemeral-template.json -n openshift
$ oc create -f $BASEURL/jenkins-persistent-template.json -n openshift
Jenkins - Auto Provisioning
3. Cluster configuration - master-config.yaml
jenkinsPipelineConfig:
  autoProvisionEnabled: true
  parameters:
    JENKINS_IMAGE_STREAM_TAG: jenkins-2-rhel7:latest
    ENABLE_OAUTH: "true"
  serviceName: jenkins
  templateName: jenkins-persistent
  templateNamespace: openshift
A First Example
1. A simple pipeline example
$ oc new-project samplepipeline
$ oc new-app jenkins-pipeline-example
$ oc start-build sample-pipeline
Blue Green Pipeline
2. This example showcases a blue green deployment using a Jenkins pipeline that pauses for approval and rollback.
$ oc patch route/bluegreen -p '{"spec":{"to":{"name":"green"}}}'
A/B Pipeline
3. Easily turn our bluegreen into A/B
$ oc annotate route/bluegreen haproxy.router.openshift.io/balance=roundrobin
$ oc set route-backends routes/bluegreen blue=50 green=50
Multi-Project Pipeline
4. Use projects per environment
$ oc policy add-role-to-group system:image-puller system:serviceaccounts:testing -n development
$ oc create dc myapp --image=172.30.18.201:5000/development/myapp:promotePRD
Resources
https://www.openshift.com/promotions/kubernetes.html
https://www.openshift.com/promotions/docker-security.html
https://t.co/4KH6iSZZ2H
https://www.openshift.com/promotions/for-developers.html
• https://blog.openshift.com/
• https://developers.redhat.com/
• https://www.openshift.com
• https://access.redhat.com/documentation/en/openshift-enterprise
• https://aws.amazon.com/testdrive/redhat/
• https://www.redhat.com/en/resources
• https://openshift.katacoda.com/
• https://StefanoPicozzi.blog
• https://stefanopicozzi.blog/2016/06/21/openshift/
• https://github.com/eformat