SlideShare une entreprise Scribd logo
1  sur  50
Télécharger pour lire hors ligne
Manage your bare-metal infrastructure with a
CI/CD-driven approach
Johannes M. Scheuermann
inovex
Johannes M. Scheuermann
Cloud Platform Engineer @ inovex
〉 Software-Defined Datacenters
〉 Infrastructure Services
〉 High Availability /Scalability / Resilience
〉 CKA / Linux Foundation Trainer
2
inovex.de/jobs
What about you?
4
Agenda
● Immutable infrastructure
● Kubernetes on bare-metal
● Big Picture
● CI/CD for the infrastructure
● Example Gitlab (CI)
5
Exercises
Can be found here:
● Github Link: https://github.com/inovex/fluffy-unicorn
6
What I assume
● You know what Kubernetes is
● You know the basic components of Kubernetes
● You already did some bare-metal installation
● ..?
What is immutable infrastructure?
8
“Traditional” infrastructure
● Continuous updates/modification
● Machines get changed after they are created
● Often configuration management is used
● Typically ssh access is required
○ LDAP/Kerberos ...
● Static monitoring
An immutable infrastructure is another infrastructure
paradigm in which servers are never modified after
they're deployed. If something needs to be updated,
fixed, or modified in any way, new servers built from a
common image with the appropriate changes are
provisioned to replace the old ones. After they're
validated, they're put into use and the old ones are
decommissioned.
9
https://www.digitalocean.com/community/tutorials/what-is-immutable-infrastruc
ture
10
Immutable infrastructure
● “The” “Golden” image is built
● Never modified after they are deployed
● Update means a new deployment
○ Before you should update the image :)
● No need for ssh access
● Dynamic monitoring
○ Service Discovery needed
11
Building the “golden” image
● Probably most famous: https://www.packer.io
● Create provider specific images
● Multiple provisioners
● Clean up after provisioning
● Use the distro-specific tooling
● OS image as Code
○ Packer configuration
○ OS configuration
12
Challenges
● Image must be kept up-to-date
○ CVE’s
○ CI/CD for the image
● New images must be constantly deployed
● External configuration is needed in most cases
○ Certificates
○ Configuration for different stages
○ dev-prod-parity
13
What we ended up
● Using vanilla Container Linux as base
● Ignition as provisioning tool
○ Only executed once at boot time
● Consul-template + confd for configuration files
● Static certificates are baked into ignition
○ e.g. for secure access to the etcd CMDB
14
Recap immutable infrastructure
● Vanilla Container Linux ✅
● ignition is only executed once during boot ✅
● Updates means new deployment ❌
○ Until now we didn’t deployed anything :)
● No need for ssh access ✅
Kubernetes on bare-metal
16
Bare-metal deployments
● “Many roads lead to Rome”
● Actually a (more or less) solved problem
○ OpenStack
○ Foreman
○ Maas
○ Matchbox
○ ….
17
What do we need?
● DHCP/proxyDHCP
● PXE/iPXE
● TFTP
● OS image
● OS configuration
● Role-based configuration (e.g. Master/Worker)
18
Container Linux bare-metal deployment
● Bare-metal deployment with the default toolstack
○ DHCP / TFTP / DNS
● CoreOS Matchbox
○ iPXE Service
○ Deliver assets based on predefined roles
● CoreOS ignition
○ Configure servers on boot-time
Source: https://github.com/coreos/matchbox/blob/master/Documentation/network-booting.md#ipxe 19
How does the Setup work
Time estimation : 10-20 minutes 20
Exercise 1: Setup Matchbox + PXE boot
● What we do:
○ Setup Wifi/Network (for your laptop)
○ Download: https://github.com/inovex/fluffy-unicorn
○ Setup Matchbox + terraform
○ Setup DHCP
○ Setup DNS
○ Provision 2 Container Linux nodes
○ Look into the general flow
● Example is under /exercise_1
21
Recap: Kubernetes on bare-metal
● Bare-metal provisioning of OS ✅
● OS configuration with ignition ✅
● Always PXE boot ❌
● Role-based configuration ❌
● Kubernetes cluster installed ❌
● Deployment with a pipeline ❌
22
Challenge always PXE boot
● Matchbox is a pretty simple rendering engine
● Doesn’t hold any state
○ e.g. machine X is provisioned
● How to solve this issue?
○ Any ideas?
23
Challenge always PXE boot (our solution)
● No access to IPMI
● External DB that holds the state
○ In our case an etcd cluster
● Machine sets its state to “deployed”
● DHCP server decides what to do
○ Provision from Matchbox
○ Boot from disk
● DHCP config is generated with confd
24
Why etcd?
● Simple to cluster (HA)
● Allows to watch events
● Confd for configuration generation
● Can be used as Vault backend
● … ?
Time estimation : 10-20 minutes 25
Exercise 2: Always PXE boot
● What we do (additional):
○ Setup etcd
○ Setup confd
○ Generate DHCP config based on Machine state
● Example is under /exercise_2
26
Recap: Kubernetes on bare-metal
● Bare-metal provisioning of OS ✅
● OS configuration with ignition ✅
● Always PXE boot ✅
● Role-based configuration ❌
● Kubernetes cluster installed ❌
● Deployment with a pipeline ❌
Source: https://github.com/coreos/matchbox/blob/master/Documentation/getting-started.md#groups 27
Role-based configuration
● Matchbox groups
● Selectors can be used
○ MAC
○ label (e.g. os=installed)
○ UUID
● Semantic AND (no list support)
○ https://github.com/coreos/matchbox/issues/586
Source: https://github.com/coreos/matchbox/blob/master/Documentation/getting-started.md#groups 28
Role-based configuration
Time estimation : 10-20 minutes 29
Exercise 3: Role-based provisioning
● What we do (additional):
○ Setup two groups
■ based on the MAC
○ Setup write a file on the host (/etc/my_type)
■ MAC -> content
■ 52:54:00:fb:53:a6 -> “I’m a master”
■ 52:54:00:fb:53:a9 -> “I’m a worker”
● Example is under /exercise_3
30
Recap: Kubernetes on bare-metal
● Bare-metal provisioning of OS ✅
● OS configuration with ignition ✅
● Always PXE boot ✅
● Role-based configuration ✅
● Kubernetes cluster installed ❌
● Deployment with a pipeline ❌
Kubernetes what do we need?
Read: https://github.com/kelseyhightower/kubernetes-the-hard-way 32
K8s - what do we need?
● etcd cluster
● At least one Master
● Worker nodes
● Certificates for TLS
○ PKI
○ Or manually generated
● Load Balancer in a multi master setup
○ e.g. https://metallb.universe.tf or HAProxy/Nginx/...
Read: https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work 33
Kubernetes/etcd PKI
● PKI is also needed for the etcd cluster
○ Use TLS everywhere!
● Self-generated certificates
○ Hard to manage the certificates
○ Certificates must be “copied” onto the machines
● Central PKI
○ Auto-generated Certificates
○ Auto-renewal
○ Revocation list
Read: https://www.vaultproject.io/docs/secrets/pki/index.html 34
Vault as central PKI
● Simple REST API
● Allows to create multiple CA’s
● Based on policies allow or deny certificate requests
● Can be combined with consul_tempalte
○ Auto-renew certificates (short TTL)
Read: https://www.vaultproject.io/docs/auth/approle.html 35
Vault AppRoles
● Authentication mechanism for machines or
applications
● Create AppRole ID and SecretID
○ similar to username + password
● Can be used to fetch an Vault token
36
Big Picture
IPAM
Asset
Mgmt.
Asset
Mgmt.
Asset
Mgmt.etcd
DHCP/
TFTP
Matchbox
confd
Asset
Mgmt.
Asset
Mgmt.Node
Vault
1
2
3 4
5
Time estimation : 30-45 minutes 37
Exercise 4: Deploy your K8s cluster
● What we do (additional):
○ Setup Vault
○ Setup consul_template
○ Setup Kubernetes
● Example is under /exercise_4
38
Recap: Kubernetes on bare-metal
● Bare-metal provisioning of OS ✅
● OS configuration with ignition ✅
● Always PXE boot ✅
● Role-based configuration ✅
● Kubernetes cluster installed ✅
● Deployment with a pipeline ❌
Who knows what CI/CD is?
40
Continuous integration
● Push into you branch and get Feedback
● Merge changes fast into the master
● Automated build is triggered
● Test run automatically after each push
● Fail fast in the pipeline
● Avoid integration hell → “worked on my machine”
41
Continuous delivery
● Same as continuous integration
● Allow you to release changes quickly
● Release is completely automated
● Deploy is only clicking one button
42
Continuous deployment
● Same as continuous delivery
● Every change that passes all stages will be deployed
● No human interaction needed
43
CI/CD for the infrastructure
● More or less the same as with SE
● Lint/check your configuration files
○ shellcheck / hadolint / …
○ kubeval / kubetest
● Test any transformation steps
● Spin up test infrastructure (virtualized)
● Possibility to update your infrastructure by one click
○ Incremental changes have some benefits
https://about.gitlab.com/ 44
Gitlab (CI)
● Free git repository
○ Can be self-hosted
● Integrated CI
○ Different types of runners
○ Supports building pipelines
○ Specified as a YAML file
Time estimation : 30-45 minutes 45
Exercise 5: Deploy your K8s cluster over CI/CD
● What we do (additional):
○ Install Gitlab → https://about.gitlab.com/installation/#debian
○ Install a Gitlab runner
○ Create a new Repository and push all files to it
○ Create a dummy pipeline
○ Replace some of the makefile steps
● Example is under /exercise_5
46
Recap: Kubernetes on bare-metal
● Bare-metal provisioning of OS ✅
● OS configuration with ignition ✅
● Always PXE boot ✅
● Role-based configuration ✅
● Kubernetes cluster installed ✅
● Deployment with a pipeline ✅
Q&A
Johannes M.
Scheuermann
inovex GmbH
jscheuermann@inovex.de
github.com/johcsheuer inovex.de youtube.com/inovexGmbH
CC BY-NC-ND @johscheuer gitlab.com/inovex
Feedback & Questions:
sayat.me/johscheuer
49
Reading list
● https://www.digitalocean.com/community/tutorials/what-is-immutable-
infrastructure
● https://www.oreilly.com/ideas/an-introduction-to-immutable-infrastruc
ture
● https://martinfowler.com/bliki/PhoenixServer.html
● https://maas.io
● https://www.theforeman.org
● https://wiki.openstack.org/wiki/Ironic
● https://github.com/coreos/matchbox
● https://cfssl.org
50
Reading list
● https://blog.digitalocean.com/vault-and-kubernetes
● https://kubernetes.io/docs/concepts/cluster-administration/certificates
● https://github.com/hashicorp/consul-template
● https://about.gitlab.com

Contenu connexe

Tendances

WebSphere App Server vs JBoss vs WebLogic vs Tomcat (InterConnect 2016)
WebSphere App Server vs JBoss vs WebLogic vs Tomcat (InterConnect 2016)WebSphere App Server vs JBoss vs WebLogic vs Tomcat (InterConnect 2016)
WebSphere App Server vs JBoss vs WebLogic vs Tomcat (InterConnect 2016)Roman Kharkovski
 
Java Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame GraphsJava Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame GraphsBrendan Gregg
 
AWS RDS Benchmark - Instance comparison
AWS RDS Benchmark - Instance comparisonAWS RDS Benchmark - Instance comparison
AWS RDS Benchmark - Instance comparisonRoberto Gaiser
 
Hyperconverged Infrastructure, It's the Future
Hyperconverged Infrastructure, It's the FutureHyperconverged Infrastructure, It's the Future
Hyperconverged Infrastructure, It's the FutureHoward Marks
 
MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...
MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...
MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...Severalnines
 
A Jupyter kernel for Scala and Apache Spark.pdf
A Jupyter kernel for Scala and Apache Spark.pdfA Jupyter kernel for Scala and Apache Spark.pdf
A Jupyter kernel for Scala and Apache Spark.pdfLuciano Resende
 
ROS/ROS2 Distributed System with Kubernetes
ROS/ROS2 Distributed System with KubernetesROS/ROS2 Distributed System with Kubernetes
ROS/ROS2 Distributed System with KubernetesTomoya Fujita
 
Prometheus Overview
Prometheus OverviewPrometheus Overview
Prometheus OverviewBrian Brazil
 
Monitoring MySQL with Prometheus and Grafana
Monitoring MySQL with Prometheus and GrafanaMonitoring MySQL with Prometheus and Grafana
Monitoring MySQL with Prometheus and GrafanaJulien Pivotto
 
The Google Chubby lock service for loosely-coupled distributed systems
The Google Chubby lock service for loosely-coupled distributed systemsThe Google Chubby lock service for loosely-coupled distributed systems
The Google Chubby lock service for loosely-coupled distributed systemsRomain Jacotin
 
Understanding Lucene Search Performance
Understanding Lucene Search PerformanceUnderstanding Lucene Search Performance
Understanding Lucene Search PerformanceLucidworks (Archived)
 
TriHUG October: Apache Ranger
TriHUG October: Apache RangerTriHUG October: Apache Ranger
TriHUG October: Apache Rangertrihug
 
Solving Hadoop Replication Challenges with an Active-Active Paxos Algorithm
Solving Hadoop Replication Challenges with an Active-Active Paxos AlgorithmSolving Hadoop Replication Challenges with an Active-Active Paxos Algorithm
Solving Hadoop Replication Challenges with an Active-Active Paxos AlgorithmDataWorks Summit
 
The Happy Marriage of Redis and Protobuf by Scott Haines of Twilio - Redis Da...
The Happy Marriage of Redis and Protobuf by Scott Haines of Twilio - Redis Da...The Happy Marriage of Redis and Protobuf by Scott Haines of Twilio - Redis Da...
The Happy Marriage of Redis and Protobuf by Scott Haines of Twilio - Redis Da...Redis Labs
 
[Event] Digital transformation : Enterprise cloud one os one click - PRESENTA...
[Event] Digital transformation : Enterprise cloud one os one click - PRESENTA...[Event] Digital transformation : Enterprise cloud one os one click - PRESENTA...
[Event] Digital transformation : Enterprise cloud one os one click - PRESENTA...POST Telecom for Business
 
Wars of MySQL Cluster ( InnoDB Cluster VS Galera )
Wars of MySQL Cluster ( InnoDB Cluster VS Galera ) Wars of MySQL Cluster ( InnoDB Cluster VS Galera )
Wars of MySQL Cluster ( InnoDB Cluster VS Galera ) Mydbops
 

Tendances (20)

WebSphere App Server vs JBoss vs WebLogic vs Tomcat (InterConnect 2016)
WebSphere App Server vs JBoss vs WebLogic vs Tomcat (InterConnect 2016)WebSphere App Server vs JBoss vs WebLogic vs Tomcat (InterConnect 2016)
WebSphere App Server vs JBoss vs WebLogic vs Tomcat (InterConnect 2016)
 
Java Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame GraphsJava Performance Analysis on Linux with Flame Graphs
Java Performance Analysis on Linux with Flame Graphs
 
AWS RDS Benchmark - Instance comparison
AWS RDS Benchmark - Instance comparisonAWS RDS Benchmark - Instance comparison
AWS RDS Benchmark - Instance comparison
 
Hadoop Security
Hadoop SecurityHadoop Security
Hadoop Security
 
Hyperconverged Infrastructure, It's the Future
Hyperconverged Infrastructure, It's the FutureHyperconverged Infrastructure, It's the Future
Hyperconverged Infrastructure, It's the Future
 
MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...
MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...
MySQL Load Balancers - Maxscale, ProxySQL, HAProxy, MySQL Router & nginx - A ...
 
HBase Low Latency
HBase Low LatencyHBase Low Latency
HBase Low Latency
 
A Jupyter kernel for Scala and Apache Spark.pdf
A Jupyter kernel for Scala and Apache Spark.pdfA Jupyter kernel for Scala and Apache Spark.pdf
A Jupyter kernel for Scala and Apache Spark.pdf
 
ROS/ROS2 Distributed System with Kubernetes
ROS/ROS2 Distributed System with KubernetesROS/ROS2 Distributed System with Kubernetes
ROS/ROS2 Distributed System with Kubernetes
 
Prometheus Overview
Prometheus OverviewPrometheus Overview
Prometheus Overview
 
Monitoring MySQL with Prometheus and Grafana
Monitoring MySQL with Prometheus and GrafanaMonitoring MySQL with Prometheus and Grafana
Monitoring MySQL with Prometheus and Grafana
 
The Google Chubby lock service for loosely-coupled distributed systems
The Google Chubby lock service for loosely-coupled distributed systemsThe Google Chubby lock service for loosely-coupled distributed systems
The Google Chubby lock service for loosely-coupled distributed systems
 
DAS RAID NAS SAN
DAS RAID NAS SANDAS RAID NAS SAN
DAS RAID NAS SAN
 
Understanding Lucene Search Performance
Understanding Lucene Search PerformanceUnderstanding Lucene Search Performance
Understanding Lucene Search Performance
 
TriHUG October: Apache Ranger
TriHUG October: Apache RangerTriHUG October: Apache Ranger
TriHUG October: Apache Ranger
 
Solving Hadoop Replication Challenges with an Active-Active Paxos Algorithm
Solving Hadoop Replication Challenges with an Active-Active Paxos AlgorithmSolving Hadoop Replication Challenges with an Active-Active Paxos Algorithm
Solving Hadoop Replication Challenges with an Active-Active Paxos Algorithm
 
Voldemort Nosql
Voldemort NosqlVoldemort Nosql
Voldemort Nosql
 
The Happy Marriage of Redis and Protobuf by Scott Haines of Twilio - Redis Da...
The Happy Marriage of Redis and Protobuf by Scott Haines of Twilio - Redis Da...The Happy Marriage of Redis and Protobuf by Scott Haines of Twilio - Redis Da...
The Happy Marriage of Redis and Protobuf by Scott Haines of Twilio - Redis Da...
 
[Event] Digital transformation : Enterprise cloud one os one click - PRESENTA...
[Event] Digital transformation : Enterprise cloud one os one click - PRESENTA...[Event] Digital transformation : Enterprise cloud one os one click - PRESENTA...
[Event] Digital transformation : Enterprise cloud one os one click - PRESENTA...
 
Wars of MySQL Cluster ( InnoDB Cluster VS Galera )
Wars of MySQL Cluster ( InnoDB Cluster VS Galera ) Wars of MySQL Cluster ( InnoDB Cluster VS Galera )
Wars of MySQL Cluster ( InnoDB Cluster VS Galera )
 

Similaire à Manage your bare-metal infrastructure with a CI/CD-driven approach

OpenNebulaConf 2014 - CentOS, QA and OpenNebula - Christoph Galuschka
OpenNebulaConf 2014 - CentOS, QA and OpenNebula - Christoph GaluschkaOpenNebulaConf 2014 - CentOS, QA and OpenNebula - Christoph Galuschka
OpenNebulaConf 2014 - CentOS, QA and OpenNebula - Christoph GaluschkaOpenNebula Project
 
OpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph Galuschka
OpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph GaluschkaOpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph Galuschka
OpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph GaluschkaNETWAYS
 
LinuxKit Deep Dive
LinuxKit Deep DiveLinuxKit Deep Dive
LinuxKit Deep DiveDocker, Inc.
 
Strategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and imagesStrategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and imagesMender.io
 
WKSctl: Gitops Management of Kubernetes Clusters
WKSctl: Gitops Management of Kubernetes ClustersWKSctl: Gitops Management of Kubernetes Clusters
WKSctl: Gitops Management of Kubernetes ClustersWeaveworks
 
Webinar - Unbox GitLab CI/CD
Webinar - Unbox GitLab CI/CD Webinar - Unbox GitLab CI/CD
Webinar - Unbox GitLab CI/CD Annie Huang
 
Heroku to Kubernetes & Gihub to Gitlab success story
Heroku to Kubernetes & Gihub to Gitlab success storyHeroku to Kubernetes & Gihub to Gitlab success story
Heroku to Kubernetes & Gihub to Gitlab success storyJérémy Wimsingues
 
To Russia with Love: Deploying Kubernetes in Exotic Locations On Prem
To Russia with Love: Deploying Kubernetes in Exotic Locations On PremTo Russia with Love: Deploying Kubernetes in Exotic Locations On Prem
To Russia with Love: Deploying Kubernetes in Exotic Locations On PremCloudOps2005
 
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme PetazzoniWorkshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme PetazzoniTheFamily
 
Introduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionJérôme Petazzoni
 
EclipseCon Eu 2012 - Buildroot Eclipse Bundle : A powerful IDE for Embedded L...
EclipseCon Eu 2012 - Buildroot Eclipse Bundle : A powerful IDE for Embedded L...EclipseCon Eu 2012 - Buildroot Eclipse Bundle : A powerful IDE for Embedded L...
EclipseCon Eu 2012 - Buildroot Eclipse Bundle : A powerful IDE for Embedded L...melbats
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containersNitish Jadia
 
6 Months Sailing with Docker in Production
6 Months Sailing with Docker in Production 6 Months Sailing with Docker in Production
6 Months Sailing with Docker in Production Hung Lin
 
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKitAkihiro Suda
 
Building images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKitBuilding images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKitNTT Software Innovation Center
 
Making your app soar without a container manifest
Making your app soar without a container manifestMaking your app soar without a container manifest
Making your app soar without a container manifestLibbySchulze
 
Continuous Delivery: 5 years later (Incontro DevOps 2018)
Continuous Delivery: 5 years later (Incontro DevOps 2018)Continuous Delivery: 5 years later (Incontro DevOps 2018)
Continuous Delivery: 5 years later (Incontro DevOps 2018)Giovanni Toraldo
 
Engage 2020 - Kubernetes for HCL Connections Component Pack - Build or Buy?
Engage 2020 - Kubernetes for HCL Connections Component Pack - Build or Buy?Engage 2020 - Kubernetes for HCL Connections Component Pack - Build or Buy?
Engage 2020 - Kubernetes for HCL Connections Component Pack - Build or Buy?panagenda
 

Similaire à Manage your bare-metal infrastructure with a CI/CD-driven approach (20)

OpenNebulaConf 2014 - CentOS, QA and OpenNebula - Christoph Galuschka
OpenNebulaConf 2014 - CentOS, QA and OpenNebula - Christoph GaluschkaOpenNebulaConf 2014 - CentOS, QA and OpenNebula - Christoph Galuschka
OpenNebulaConf 2014 - CentOS, QA and OpenNebula - Christoph Galuschka
 
OpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph Galuschka
OpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph GaluschkaOpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph Galuschka
OpenNebula Conf 2014: CentOS, QA an OpenNebula - Christoph Galuschka
 
LinuxKit Deep Dive
LinuxKit Deep DiveLinuxKit Deep Dive
LinuxKit Deep Dive
 
Strategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and imagesStrategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and images
 
WKSctl: Gitops Management of Kubernetes Clusters
WKSctl: Gitops Management of Kubernetes ClustersWKSctl: Gitops Management of Kubernetes Clusters
WKSctl: Gitops Management of Kubernetes Clusters
 
Webinar - Unbox GitLab CI/CD
Webinar - Unbox GitLab CI/CD Webinar - Unbox GitLab CI/CD
Webinar - Unbox GitLab CI/CD
 
Heroku to Kubernetes & Gihub to Gitlab success story
Heroku to Kubernetes & Gihub to Gitlab success storyHeroku to Kubernetes & Gihub to Gitlab success story
Heroku to Kubernetes & Gihub to Gitlab success story
 
MIPS-X
MIPS-XMIPS-X
MIPS-X
 
To Russia with Love: Deploying Kubernetes in Exotic Locations On Prem
To Russia with Love: Deploying Kubernetes in Exotic Locations On PremTo Russia with Love: Deploying Kubernetes in Exotic Locations On Prem
To Russia with Love: Deploying Kubernetes in Exotic Locations On Prem
 
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme PetazzoniWorkshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
Workshop : 45 minutes pour comprendre Docker avec Jérôme Petazzoni
 
Introduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" EditionIntroduction to Docker, December 2014 "Tour de France" Edition
Introduction to Docker, December 2014 "Tour de France" Edition
 
EclipseCon Eu 2012 - Buildroot Eclipse Bundle : A powerful IDE for Embedded L...
EclipseCon Eu 2012 - Buildroot Eclipse Bundle : A powerful IDE for Embedded L...EclipseCon Eu 2012 - Buildroot Eclipse Bundle : A powerful IDE for Embedded L...
EclipseCon Eu 2012 - Buildroot Eclipse Bundle : A powerful IDE for Embedded L...
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
 
Introduction to containers
Introduction to containersIntroduction to containers
Introduction to containers
 
6 Months Sailing with Docker in Production
6 Months Sailing with Docker in Production 6 Months Sailing with Docker in Production
6 Months Sailing with Docker in Production
 
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
[KubeConEU] Building images efficiently and securely on Kubernetes with BuildKit
 
Building images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKitBuilding images efficiently and securely on Kubernetes with BuildKit
Building images efficiently and securely on Kubernetes with BuildKit
 
Making your app soar without a container manifest
Making your app soar without a container manifestMaking your app soar without a container manifest
Making your app soar without a container manifest
 
Continuous Delivery: 5 years later (Incontro DevOps 2018)
Continuous Delivery: 5 years later (Incontro DevOps 2018)Continuous Delivery: 5 years later (Incontro DevOps 2018)
Continuous Delivery: 5 years later (Incontro DevOps 2018)
 
Engage 2020 - Kubernetes for HCL Connections Component Pack - Build or Buy?
Engage 2020 - Kubernetes for HCL Connections Component Pack - Build or Buy?Engage 2020 - Kubernetes for HCL Connections Component Pack - Build or Buy?
Engage 2020 - Kubernetes for HCL Connections Component Pack - Build or Buy?
 

Plus de inovex GmbH

lldb – Debugger auf Abwegen
lldb – Debugger auf Abwegenlldb – Debugger auf Abwegen
lldb – Debugger auf Abwegeninovex GmbH
 
Are you sure about that?! Uncertainty Quantification in AI
Are you sure about that?! Uncertainty Quantification in AIAre you sure about that?! Uncertainty Quantification in AI
Are you sure about that?! Uncertainty Quantification in AIinovex GmbH
 
Why natural language is next step in the AI evolution
Why natural language is next step in the AI evolutionWhy natural language is next step in the AI evolution
Why natural language is next step in the AI evolutioninovex GmbH
 
Network Policies
Network PoliciesNetwork Policies
Network Policiesinovex GmbH
 
Interpretable Machine Learning
Interpretable Machine LearningInterpretable Machine Learning
Interpretable Machine Learninginovex GmbH
 
Jenkins X – CI/CD in wolkigen Umgebungen
Jenkins X – CI/CD in wolkigen UmgebungenJenkins X – CI/CD in wolkigen Umgebungen
Jenkins X – CI/CD in wolkigen Umgebungeninovex GmbH
 
AI auf Edge-Geraeten
AI auf Edge-GeraetenAI auf Edge-Geraeten
AI auf Edge-Geraeteninovex GmbH
 
Prometheus on Kubernetes
Prometheus on KubernetesPrometheus on Kubernetes
Prometheus on Kubernetesinovex GmbH
 
Deep Learning for Recommender Systems
Deep Learning for Recommender SystemsDeep Learning for Recommender Systems
Deep Learning for Recommender Systemsinovex GmbH
 
Representation Learning von Zeitreihen
Representation Learning von ZeitreihenRepresentation Learning von Zeitreihen
Representation Learning von Zeitreiheninovex GmbH
 
Talk to me – Chatbots und digitale Assistenten
Talk to me – Chatbots und digitale AssistentenTalk to me – Chatbots und digitale Assistenten
Talk to me – Chatbots und digitale Assistenteninovex GmbH
 
Künstlich intelligent?
Künstlich intelligent?Künstlich intelligent?
Künstlich intelligent?inovex GmbH
 
Das Android Open Source Project
Das Android Open Source ProjectDas Android Open Source Project
Das Android Open Source Projectinovex GmbH
 
Machine Learning Interpretability
Machine Learning InterpretabilityMachine Learning Interpretability
Machine Learning Interpretabilityinovex GmbH
 
Performance evaluation of GANs in a semisupervised OCR use case
Performance evaluation of GANs in a semisupervised OCR use casePerformance evaluation of GANs in a semisupervised OCR use case
Performance evaluation of GANs in a semisupervised OCR use caseinovex GmbH
 
People & Products – Lessons learned from the daily IT madness
People & Products – Lessons learned from the daily IT madnessPeople & Products – Lessons learned from the daily IT madness
People & Products – Lessons learned from the daily IT madnessinovex GmbH
 
Infrastructure as (real) Code – Manage your K8s resources with Pulumi
Infrastructure as (real) Code – Manage your K8s resources with PulumiInfrastructure as (real) Code – Manage your K8s resources with Pulumi
Infrastructure as (real) Code – Manage your K8s resources with Pulumiinovex GmbH
 

Plus de inovex GmbH (20)

lldb – Debugger auf Abwegen
lldb – Debugger auf Abwegenlldb – Debugger auf Abwegen
lldb – Debugger auf Abwegen
 
Are you sure about that?! Uncertainty Quantification in AI
Are you sure about that?! Uncertainty Quantification in AIAre you sure about that?! Uncertainty Quantification in AI
Are you sure about that?! Uncertainty Quantification in AI
 
Why natural language is next step in the AI evolution
Why natural language is next step in the AI evolutionWhy natural language is next step in the AI evolution
Why natural language is next step in the AI evolution
 
WWDC 2019 Recap
WWDC 2019 RecapWWDC 2019 Recap
WWDC 2019 Recap
 
Network Policies
Network PoliciesNetwork Policies
Network Policies
 
Interpretable Machine Learning
Interpretable Machine LearningInterpretable Machine Learning
Interpretable Machine Learning
 
Jenkins X – CI/CD in wolkigen Umgebungen
Jenkins X – CI/CD in wolkigen UmgebungenJenkins X – CI/CD in wolkigen Umgebungen
Jenkins X – CI/CD in wolkigen Umgebungen
 
AI auf Edge-Geraeten
AI auf Edge-GeraetenAI auf Edge-Geraeten
AI auf Edge-Geraeten
 
Prometheus on Kubernetes
Prometheus on KubernetesPrometheus on Kubernetes
Prometheus on Kubernetes
 
Deep Learning for Recommender Systems
Deep Learning for Recommender SystemsDeep Learning for Recommender Systems
Deep Learning for Recommender Systems
 
Azure IoT Edge
Azure IoT EdgeAzure IoT Edge
Azure IoT Edge
 
Representation Learning von Zeitreihen
Representation Learning von ZeitreihenRepresentation Learning von Zeitreihen
Representation Learning von Zeitreihen
 
Talk to me – Chatbots und digitale Assistenten
Talk to me – Chatbots und digitale AssistentenTalk to me – Chatbots und digitale Assistenten
Talk to me – Chatbots und digitale Assistenten
 
Künstlich intelligent?
Künstlich intelligent?Künstlich intelligent?
Künstlich intelligent?
 
Dev + Ops = Go
Dev + Ops = GoDev + Ops = Go
Dev + Ops = Go
 
Das Android Open Source Project
Das Android Open Source ProjectDas Android Open Source Project
Das Android Open Source Project
 
Machine Learning Interpretability
Machine Learning InterpretabilityMachine Learning Interpretability
Machine Learning Interpretability
 
Performance evaluation of GANs in a semisupervised OCR use case
Performance evaluation of GANs in a semisupervised OCR use casePerformance evaluation of GANs in a semisupervised OCR use case
Performance evaluation of GANs in a semisupervised OCR use case
 
People & Products – Lessons learned from the daily IT madness
People & Products – Lessons learned from the daily IT madnessPeople & Products – Lessons learned from the daily IT madness
People & Products – Lessons learned from the daily IT madness
 
Infrastructure as (real) Code – Manage your K8s resources with Pulumi
Infrastructure as (real) Code – Manage your K8s resources with PulumiInfrastructure as (real) Code – Manage your K8s resources with Pulumi
Infrastructure as (real) Code – Manage your K8s resources with Pulumi
 

Dernier

Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampVICTOR MAESTRE RAMIREZ
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageDista
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxAutus Cyber Tech
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdfMeon Technology
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionsNirav Modi
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native BuildpacksVish Abrams
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxJoão Esperancinha
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptkinjal48
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.Sharon Liu
 

Dernier (20)

Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspections
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native Buildpacks
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Fields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptxFields in Java and Kotlin and what to expect.pptx
Fields in Java and Kotlin and what to expect.pptx
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
 

Manage your bare-metal infrastructure with a CI/CD-driven approach

  • 1. Manage your bare-metal infrastructure with a CI/CD-driven approach Johannes M. Scheuermann inovex
  • 2. Johannes M. Scheuermann Cloud Platform Engineer @ inovex 〉 Software-Defined Datacenters 〉 Infrastructure Services 〉 High Availability /Scalability / Resilience 〉 CKA / Linux Foundation Trainer 2 inovex.de/jobs
  • 4. 4 Agenda ● Immutable infrastructure ● Kubernetes on bare-metal ● Big Picture ● CI/CD for the infrastructure ● Example Gitlab (CI)
  • 5. 5 Exercises Can be found here: ● Github Link: https://github.com/inovex/fluffy-unicorn
  • 6. 6 What I assume ● You know what Kubernetes is ● You know the basic components of Kubernetes ● You already did some bare-metal installation ● ..?
  • 7. What is immutable infrastructure?
  • 8. 8 “Traditional” infrastructure ● Continuous updates/modification ● Machines get changed after they are created ● Often configuration management is used ● Typically ssh access is required ○ LDAP/Kerberos ... ● Static monitoring
  • 9. An immutable infrastructure is another infrastructure paradigm in which servers are never modified after they're deployed. If something needs to be updated, fixed, or modified in any way, new servers built from a common image with the appropriate changes are provisioned to replace the old ones. After they're validated, they're put into use and the old ones are decommissioned. 9 https://www.digitalocean.com/community/tutorials/what-is-immutable-infrastruc ture
  • 10. 10 Immutable infrastructure ● “The” “Golden” image is built ● Never modified after they are deployed ● Update means a new deployment ○ Before you should update the image :) ● No need for ssh access ● Dynamic monitoring ○ Service Discovery needed
  • 11. 11 Building the “golden” image ● Probably most famous: https://www.packer.io ● Create provider specific images ● Multiple provisioners ● Clean up after provisioning ● Use the distro-specific tooling ● OS image as Code ○ Packer configuration ○ OS configuration
  • 12. 12 Challenges ● Image must be kept up-to-date ○ CVE’s ○ CI/CD for the image ● New images must be constantly deployed ● External configuration is needed in most cases ○ Certificates ○ Configuration for different stages ○ dev-prod-parity
  • 13. 13 What we ended up ● Using vanilla Container Linux as base ● Ignition as provisioning tool ○ Only executed once at boot time ● Consul-template + confd for configuration files ● Static certificates are baked into ignition ○ e.g. for secure access to the etcd CMDB
  • 14. 14 Recap immutable infrastructure ● Vanilla Container Linux ✅ ● ignition is only executed once during boot ✅ ● Updates means new deployment ❌ ○ Until now we didn’t deployed anything :) ● No need for ssh access ✅
  • 16. 16 Bare-metal deployments ● “Many roads lead to Rome” ● Actually a (more or less) solved problem ○ OpenStack ○ Foreman ○ Maas ○ Matchbox ○ ….
  • 17. 17 What do we need? ● DHCP/proxyDHCP ● PXE/iPXE ● TFTP ● OS image ● OS configuration ● Role-based configuration (e.g. Master/Worker)
  • 18. 18 Container Linux bare-metal deployment ● Bare-metal deployment with the default toolstack ○ DHCP / TFTP / DNS ● CoreOS Matchbox ○ iPXE Service ○ Deliver assets based on predefined roles ● CoreOS ignition ○ Configure servers on boot-time
  • 20. Time estimation : 10-20 minutes 20 Exercise 1: Setup Matchbox + PXE boot ● What we do: ○ Setup Wifi/Network (for your laptop) ○ Download: https://github.com/inovex/fluffy-unicorn ○ Setup Matchbox + terraform ○ Setup DHCP ○ Setup DNS ○ Provision 2 Container Linux nodes ○ Look into the general flow ● Example is under /exercise_1
  • 21. 21 Recap: Kubernetes on bare-metal ● Bare-metal provisioning of OS ✅ ● OS configuration with ignition ✅ ● Always PXE boot ❌ ● Role-based configuration ❌ ● Kubernetes cluster installed ❌ ● Deployment with a pipeline ❌
  • 22. 22 Challenge always PXE boot ● Matchbox is a pretty simple rendering engine ● Doesn’t hold any state ○ e.g. machine X is provisioned ● How to solve this issue? ○ Any ideas?
  • 23. 23 Challenge always PXE boot (our solution) ● No access to IPMI ● External DB that holds the state ○ In our case an etcd cluster ● Machine sets its state to “deployed” ● DHCP server decides what to do ○ Provision from Matchbox ○ Boot from disk ● DHCP config is generated with confd
  • 24. 24 Why etcd? ● Simple to cluster (HA) ● Allows to watch events ● Confd for configuration generation ● Can be used as Vault backend ● … ?
  • 25. Time estimation : 10-20 minutes 25 Exercise 2: Always PXE boot ● What we do (additional): ○ Setup etcd ○ Setup confd ○ Generate DHCP config based on Machine state ● Example is under /exercise_2
  • 26. 26 Recap: Kubernetes on bare-metal ● Bare-metal provisioning of OS ✅ ● OS configuration with ignition ✅ ● Always PXE boot ✅ ● Role-based configuration ❌ ● Kubernetes cluster installed ❌ ● Deployment with a pipeline ❌
  • 27. Source: https://github.com/coreos/matchbox/blob/master/Documentation/getting-started.md#groups 27 Role-based configuration ● Matchbox groups ● Selectors can be used ○ MAC ○ label (e.g. os=installed) ○ UUID ● Semantic AND (no list support) ○ https://github.com/coreos/matchbox/issues/586
  • 29. Time estimation : 10-20 minutes 29 Exercise 3: Role-based provisioning ● What we do (additional): ○ Setup two groups ■ based on the MAC ○ Setup write a file on the host (/etc/my_type) ■ MAC -> content ■ 52:54:00:fb:53:a6 -> “I’m a master” ■ 52:54:00:fb:53:a9 -> “I’m a worker” ● Example is under /exercise_3
  • 30. 30 Recap: Kubernetes on bare-metal ● Bare-metal provisioning of OS ✅ ● OS configuration with ignition ✅ ● Always PXE boot ✅ ● Role-based configuration ✅ ● Kubernetes cluster installed ❌ ● Deployment with a pipeline ❌
  • 31. Kubernetes what do we need?
  • 32. Read: https://github.com/kelseyhightower/kubernetes-the-hard-way 32 K8s - what do we need? ● etcd cluster ● At least one Master ● Worker nodes ● Certificates for TLS ○ PKI ○ Or manually generated ● Load Balancer in a multi master setup ○ e.g. https://metallb.universe.tf or HAProxy/Nginx/...
  • 33. Read: https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work 33 Kubernetes/etcd PKI ● PKI is also needed for the etcd cluster ○ Use TLS everywhere! ● Self-generated certificates ○ Hard to manage the certificates ○ Certificates must be “copied” onto the machines ● Central PKI ○ Auto-generated Certificates ○ Auto-renewal ○ Revocation list
  • 34. Read: https://www.vaultproject.io/docs/secrets/pki/index.html 34 Vault as central PKI ● Simple REST API ● Allows to create multiple CA’s ● Based on policies allow or deny certificate requests ● Can be combined with consul_tempalte ○ Auto-renew certificates (short TTL)
  • 35. Read: https://www.vaultproject.io/docs/auth/approle.html 35 Vault AppRoles ● Authentication mechanism for machines or applications ● Create AppRole ID and SecretID ○ similar to username + password ● Can be used to fetch an Vault token
  • 37. Time estimation : 30-45 minutes 37 Exercise 4: Deploy your K8s cluster ● What we do (additional): ○ Setup Vault ○ Setup consul_template ○ Setup Kubernetes ● Example is under /exercise_4
  • 38. 38 Recap: Kubernetes on bare-metal ● Bare-metal provisioning of OS ✅ ● OS configuration with ignition ✅ ● Always PXE boot ✅ ● Role-based configuration ✅ ● Kubernetes cluster installed ✅ ● Deployment with a pipeline ❌
  • 39. Who knows what CI/CD is?
  • 40. 40 Continuous integration ● Push into you branch and get Feedback ● Merge changes fast into the master ● Automated build is triggered ● Test run automatically after each push ● Fail fast in the pipeline ● Avoid integration hell → “worked on my machine”
  • 41. 41 Continuous delivery ● Same as continuous integration ● Allow you to release changes quickly ● Release is completely automated ● Deploy is only clicking one button
  • 42. 42 Continuous deployment ● Same as continuous delivery ● Every change that passes all stages will be deployed ● No human interaction needed
  • 43. 43 CI/CD for the infrastructure ● More or less the same as with SE ● Lint/check your configuration files ○ shellcheck / hadolint / … ○ kubeval / kubetest ● Test any transformation steps ● Spin up test infrastructure (virtualized) ● Possibility to update your infrastructure by one click ○ Incremental changes have some benefits
  • 44. https://about.gitlab.com/ 44 Gitlab (CI) ● Free git repository ○ Can be self-hosted ● Integrated CI ○ Different types of runners ○ Supports building pipelines ○ Specified as a YAML file
  • 45. Time estimation : 30-45 minutes 45 Exercise 5: Deploy your K8s cluster over CI/CD ● What we do (additional): ○ Install Gitlab → https://about.gitlab.com/installation/#debian ○ Install a Gitlab runner ○ Create a new Repository and push all files to it ○ Create a dummy pipeline ○ Replace some of the makefile steps ● Example is under /exercise_5
  • 46. 46 Recap: Kubernetes on bare-metal ● Bare-metal provisioning of OS ✅ ● OS configuration with ignition ✅ ● Always PXE boot ✅ ● Role-based configuration ✅ ● Kubernetes cluster installed ✅ ● Deployment with a pipeline ✅
  • 47. Q&A
  • 48. Johannes M. Scheuermann inovex GmbH jscheuermann@inovex.de github.com/johcsheuer inovex.de youtube.com/inovexGmbH CC BY-NC-ND @johscheuer gitlab.com/inovex Feedback & Questions: sayat.me/johscheuer
  • 49. 49 Reading list ● https://www.digitalocean.com/community/tutorials/what-is-immutable- infrastructure ● https://www.oreilly.com/ideas/an-introduction-to-immutable-infrastruc ture ● https://martinfowler.com/bliki/PhoenixServer.html ● https://maas.io ● https://www.theforeman.org ● https://wiki.openstack.org/wiki/Ironic ● https://github.com/coreos/matchbox ● https://cfssl.org
  • 50. 50 Reading list ● https://blog.digitalocean.com/vault-and-kubernetes ● https://kubernetes.io/docs/concepts/cluster-administration/certificates ● https://github.com/hashicorp/consul-template ● https://about.gitlab.com