Red Hat OpenShift Enterprise

Giovanni GalloroCloud Solution Architect – Red Hatggalloro@redhat.com

Transforming Application Delivery with PaaS and Linux Containers

PaaS and Linux Containers Agenda

● Platform as a Service Capabilities● OpenShift Enterprise Architecture

– Linux Containers

– Docker

– Kubernetes

– RHEL Atomic Host

● OpenShift Application Deployment Flow● OpenShift Adoption● Containers Adoption Challenges and Red Hat Strategy

Platform as a Service Capabilities

PAAS CLOUD SERVICE MODEL

PAAS LETS YOU STREAMLINE APP DEV

RED HAT PAAS SOLUTION

DEVOPS / CONTINOUS DELIVERY THROUGH PAAS

CHOOSE THE WAY YOU WORK

Developer IDEIntegrations

Web BrowserConsole

Command LineTooling

REST APIs

RED HAT'S PAAS STRATEGY

OpenShift Enterprise Architecture

RED HAT CONFIDENTIAL | NDA ONLY11

CREATING DEFACTO STANDARDS

REGISTRY / CONTAINER DISCOVERY

CONTAINER FORMAT WITH DOCKER

ISOLATION WITH LINUX CONTAINERS

ORCHESTRATION WITH

KUBERNETES

Red Hat works with the open source community to drive standards for containerization.

WHAT ARE LINUX CONTAINERS?Software packaging concept that typically includes an application and all of its runtime dependencies.

● Easy to deploy and portable across host systems

● Isolates applications on a host operating system

● In RHEL, this is done through:– Control Groups (cgroups)– kernel namespaces– SELinux, sVirt– Docker

HOST OS

SERVER

CONTAINER

LIBS

APP

13

Traditional OS Containers

TRADITIONAL OS VS. CONTAINERS

HARDWARE

HOST OS

HARDWARE

HOST OS

CONTAINER

LIBS

APP A

LIBS A LIBS B LIBS LIBS

APP A APP B

CONTAINER

LIBS

APP B

WHAT DOCKER PROVIDES

● Multi-version packaging format and isolation

● Simplified container API (Docker libcontainer)

● Easy to create (Dockerfile)● Atomic deployment (Docker

images)● Large ecosystem (Docker Hub)

THE CHALLENGE

DOCKER IS A SHIPPING CONTAINER FOR CODE

LINUX DOCKER CONTAINER LAYERING

● New images can be created by

adding layers

● Layering model allows for

specialization

● Base image and select number of

platform layers provided by Red Hat

● ISV images form the base of the

RHEL ecosystem

● Stack optimized for individual

application with minimal packaging

per layer

CONTAINERS DELIVER MANY BENEFITS

Base: 171 IT and Developer/programmer decision-makers at companies with 500+ employees in APAC, EMEA, and NASource: A commissioned study conducted by Forrester Consulting on behalf of Red Hat, January, 2015

Faster provisioning

Greater deployment flexibility

Ability to deliver/deploy applications faster

Greater application mobility/portability

69%

70%

72%

73%

How important are the following benefits of containers to your organization?

Critically or Very Important

73%

72%

70%

69%

KUBERNETES FOR CONTAINER ORCHESTRATION

● Container orchestration at scale

● Wiring of multi-container, multi-host application topologies

● Scheduling / placement● Manage container health

RED HAT ENTERPRISE LINUX ATOMIC HOST

IT IS RED HAT ENTERPRISE LINUX

OPTIMIZED FOR CONTAINERS

Minimized host environment tuned for running Linux containers while maintaining compatibility with Red Hat Enterprise Linux.

Inherits the complete hardware ecosystem, military-grade security, stability and reliability for which Red Hat Enterprise Linux is known.

MINIMIZEDFOOTPRINT

SIMPLIFIEDMAINTENANCE

ORCHESTRATIONAT SCALE

Atomic updating and rollback means it’s easy to deploy, update, and rollback using imaged-based technology.

Build composite applications by orchestrating multiple containers as microservices on a single host instance.

OPENSHIFT ARCHITECTURE

OPENSHIFT RUNS ON YOUR CHOICE OF INFRASTRUCTURE

NODES ARE INSTANCES OF RHEL WHERE APPS WILL RUN

APP SERVICES RUN IN DOCKER CONTAINERS ON EACH NODE

PODS RUNS ONE OR MORE DOCKER CONTAINERS AS A UNIT

MASTERS LEVERAGE KUBERNETES TO ORCHESTRATE NODES / APPS

MASTER PROVIDES AUTHENTICATED API FOR USERS & CLIENTS

MASTER USES ETCD KEY-VALUE DATA STORE FOR PERSISTENCE

MASTER PROVIDES SCHEDULER FOR POD PLACEMENT ON NODES

SERVICES ALLOW RELATED PODS TO CONNECT TO EACH OTHER

MANAGEMENT/REPLICATION CONTROLLER MANAGES THE POD LIFECYCLE

WHAT IF A POD GOES DOWN?

OPENSHIFT AUTOMATICALLY RECOVERS AND DEPLOYS A NEW POD

PODS CAN ATTACH TO SHARED STORAGE FOR STATEFUL SERVICES

ROUTING LAYER ROUTES EXTERNAL APP REQUESTS TO PODS

DEVELOPERS ACCESS OPENSHIFT VIA WEB, CLI OR IDE

MASSIVE SUPPORTED ECOSYSTEM

OPENSHIFT APPLICATION SERVICES

● From Red Hat

● From ISV Partners

● From the Community

BUILD PROCESS

BUILD PROCESS

BUILD PROCESS

BUILD PROCESS

BUILD PROCESS

BUILD PROCESS

BUILD PROCESS

FROM DOCKER IMAGE TO RUNNING APP

PERSISTENT STORAGE

OpenShift Adoption

OPENSHIFT ENTERPRISE ADOPTION

"Once we actually looked at and had all of the conversations with all the various

people, there was really only one choice and that was OpenShift".

The only people that actually understood what it was that we were talking about was the Red Hat guys. The Cloud Foundry guys

were good about talking about deploying Spring-based frameworks and, you know,

that sort of stuff, but once we ran the PoCs and had deeper conversations, there was

really only one choice."

Tony McGivern - CIO

OPENSHIFT ADOPTION @

LEADING ISV IN FINANCIAL SERVICES has built and Analytic cloud based platform on Openshift

70% Reduction in Apps Development time

60% Reduction in Maintenance Costs (simpler, faster and easier)

90% reduction in Time to Deploy models

6 Months running live in Production

5% - 40% increased decision accuracy

http://gartner.mediasite.com/Mediasite/Play/4c29e2287c7949cea4b4f8d0367410b01d?sc_cid=70160000000eGEFAA2&elq=997abd3fad6a49d4ae23e1c7136994bb

Containers Adoption Challenges

TOP CURRENT CONTAINER CHALLENGES

Training and Education (lack of skills)

Consistency (lack of standards)

Scalability

Lack of certification or digital structure

Management

Integration with existing development tools and processes

Variable performance

Security

29%31%32%35%35%

41%44%

53%

What are the top three challenges your organization has experienced so far in its use of containers?

Base: 171 IT and Developer/programmer decision-makers at companies with 500+ employees in APAC, EMEA, and NASource: A commissioned study conducted by Forrester Consulting on behalf of Red Hat, January, 2015

● Who built this image?● What’s its purpose?

Was it created to support a demo?

● Is it safe to consume?● Who maintains it?

NEED FOR A “CHAIN OF TRUST”

DOCKER HUB

docker search mongodb

RED HAT CONFIDENTIAL | NDA ONLY57

WHAT'S INSIDE THE CONTAINER MATTERS36% of official images in Docker Hub contain high priority security vulnerabilities

● High vulnerabilities: ShellShock (bash), Heartbleed (OpenSSL), etc.

● Medium vulnerabilities: Poodle (OpenSSL), etc.

● Low vulnerabilities: gcc: array memory allocations could cause integer overflow

All Images (n=962)0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

36%

28%

Medium priority

High priority

Source: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities, Jayanth Gummaraju, Tarun Desikan, and Yoshio Turner, BanyanOps, May 2015 (http://www.banyanops.com/pdf/BanyanOps-AnalyzingDockerHub-WhitePaper.pdf)

Red Hat Strategy for Containers Adoption

RED HAT CONFIDENTIAL | NDA ONLY59

RED HAT CONTAINER CERTIFICATIONUNTRUSTED

● Will what’s inside the containers compromise your infrastructure?

● How and when will apps and libraries be updated?

● Will it work from host to host?

RED HAT CERTIFIED ● Trusted source for the host and the

containers

● Trusted content inside the container with security fixes available as part of an enterprise lifecycle

● Portability across hosts

SIMPLIFYING CONTAINER ADOPTIONFOR PARTNERS

RED HAT CONFIDENTIAL | NDA ONLY65

TRUSTEDCONTAINER

CONTENT

PROVEN CONTAINER

PORTABILITY

INTEGRATEDAPPLICATION

DELIVERY

CONTAINERS FOR THE ENTERPRISE

INSERT DESIGNATOR, IF NEEDED 66

THANK YOU