OSGi Community Event 2017 Presentation by Emanoel Xavier (Intel) and Tim Ward (Paremus)
Open Security Controller (OSC) aims to increase the security of workloads running in cloud and data centers by orchestrating security virtual network functions (VNFs). To achieve that, one of the main design goals of OSC is to allow vendor customization while keeping its core code neutral. Additionally, as an open source project, another import design principal for OSC is code habitability. Evolving from a legacy monolithic application to a modularized one through OSGi has enabled OSC to implement these goals.
Bringing together a diverse group of security services and software defined network (SDN) providers was key to building the OSC community. This was possible due to the OSC plugin model using OSGi which allows specific vendors to integrate OSC with their existing solutions with minimum effort. Beyond its plugin model OSC also makes use of OSGi in its core components. This enables better extensibility, testability and overall maintainability of its code base. These aspects are key to OSC as it relates to the new and dynamic areas of SDN and security VNFs in cloud and data center environments and it must be able to easily adapt to the constantly changing requirements and technologies pertaining these fields.
In this talk we will explore the journey for turning OSC into a modularized application using OSGi, highlighting some of the achieved results, key learned lessons and the next steps for this work.
https://www.opensecuritycontroller.org/
4. 4
Adam Smith
The Wealth of Nations
(1776)
Division of Labor
“…the trade of a pin-maker: a workman not educated to
this business could scarce, perhaps, with his utmost
industry, make one pin in a day, and certainly could
not make twenty.”
“But in the way in which this business is now carried on,
it is divided into … about eighteen distinct operations,
which, in some manufactories, are all performed by
distinct hands”
“Those ten persons, therefore, could make among them
upwards of forty-eight thousand pins in a day. Each
person, therefore, making a tenth part of forty-eight
thousand pins, might be considered as making four
thousand eight hundred pins in a day.”
SMALLER SPECIALIZED CONCURRENT
5. 5
Henry Ford
The Moving Assembly Line
(1910)
Modularity & Productivity
parts and car
“come to you”
83 parts. 1 step/min
from 12h to 90 mins “continuous build”
interchangeable
parts
model
6. “The major advancement in the area of modular programming has been
the development of coding techniques and assemblers which (l) allow
one module to be written with little knowledge of the code in another
module, and (2) allow modules to be reassembled and replaced
without reassembly of the whole system. This facility is extremely
valuable for the production of large pieces of code, but the systems
most often used as examples of problem systems are highly-
modularized programs and make use of the techniques mentioned
above.”
– David Parnas, On the Criteria to Be Used in Decomposing Systems into Modules (1972)
6
Modularity in Software
7. 7
Apollo 16 Lunar Lander
Module (1972)
“... the systems most often used as examples of problem
systems are highly-modularized programs and make use
of the techniques mentioned above.”
A telling phrase…
“Modularity is too hard to be worth it”
Mixing the problem with the solution
The problems are complex
Modularity makes the solution possible
13. Starting a new project
13
Nobody
plans to
write bad
code
Things will
be different
now
Well
defined,
modular
design
we have all
been there
Sonar*,
Findbugs*,
100% CC
intended
modularization
14. Growing the project
14
Mgmt needs
more code
Here, more
devs
Flexible
processes
more
requirements.
6 months
deadline
but, Karl, your
best coder is
gone
That is ok, we
are “Agile*”
15. Growing the project
(6 months later)
15
almost done
processes
and tools
some
workarounds
needed
worked overtime.
“paper” release
people catching
up with Karl’s
code.
code reviews
that’s ok.
track and fix
later
16. Renewed interest
(6-12 months later)
16
customer:
shows
interest
sales:
delivery in 6
months
no one is
familiar with
the code
+4 new members,
+20 years worth
work
+1 headache
no previous team
member.
Karl’s code is still
around
17. 17
Do any parts of this seem familiar?
Gall’s Law:
“A complex system that works is
invariably found to have evolved
from a simple system that
worked. A complex system
designed from scratch never
works and cannot be patched up
to make it work. You have to start
over with a working simple
system.”
Nobody sets out to write bad code
Successful projects are bound to
become complex
Complexity must be managed
20. 20
Won’t magically turn a monolith into a
modularized application
Will provide you the tools for that
Won’t automatically fix all coupling
issues, “shortcuts” and technical debt
Will make them more evident
Won’t fix API leaks
Will enforce your APIs
22. How OSGi helps
22
Limits complexity to smaller pieces
– Divide and conquer
Pieces can be more easily and predictably
replaced
– No runtime surprises
Easier to understand dependencies fan out
Better testability
24. 24
How it started
Intel closed source project
Application and deployment of security
virtual functions
Let’s extend it !
Let’s build a community around it!
– Spring 2016 => Summer 2017
Seemsfamiliar?
25. 25
OSC in SDI
LOCATIONUTILIZATION LATENCY SECURITY
Infrastructure
Attributes POWER PERFORMANCE
Infrastructure
Attributes
Servers
Virtualization
Containers
Virtual
Router
Virtual
SAN
Scale
Out
Storage
Apps SDN/NFV SDS
Infrastructure
Pool
VMs
Virtual
Firewall
Virtual
Switch
Policy based automation
Self service portal
Service
Orchestration Compute Network Storage Security
Pool of virtualized
resources
Platform
capability aware
Centralized and
automated
28. 28
The path to open source
Community members diversity
SDN Providers and Security Managers neutral
! OSC Plugins Model
Dependency conflicts
REST Services?
Redundant endpoints
Not conducive to early adoption
Legacy plugins
36. 36
OSC uber bundle anatomy
Common monolithic to
modularized migration path
Flat classpath
Transparent non-bundle
dependencies
No isolation between internal
packages
osc-server
uber bundle
uber bundle
core
BL services Sync tasks
DB access
UI REST API
37. 37
Database access: osc-domain
Only @Entity classes
JPA API & Apache Aries JPA
OSGi Transaction Control Service
Unidirectional dependency
osc-server
uber bundle
core
BL services Sync tasks
DB access
UI REST API
osc-domain
hibernate-core, h2databasehibernate-jpa-api
38. 38
User interface: osc-ui
New project: osc-service-api
UI views as DS components
OSGi managed views
osc-server
uber bundle
core
BL services Sync tasks
UI
REST API
osc-domain
osc-ui
osc-service-api
39. 39
REST API: osc-rest-server
Uses the osc-service-api
JAX-RS service classes
No more domain entity references
from the DTOs
New service APIs and DTOs
osc-server
uber bundle
core
BL services Sync tasks
REST API
osc-domain
osc-ui
osc-service-api
osc-rest-server
42. No…
42
Modularization, like good code, is an ongoing effort
There are multiple degrees of modularization.
– A gradual approach is recommended
– But don’t go back.
OSGi is not a magic wand, but makes the job possible
A monolith will only get
you so far. For a longer,
pleasant (and modular)
journey you will need
not only the right tools
and frameworks. The
right mindset is just as
important.
43. Thankyou!
Emanoel Xavier Senior Software Developer, Intel
Tim Ward CTO, Paremus
43
www.opensecuritycontroller.org
Come join our community!