Back to the future (of OpenShift)

I originally started this blog just to write down random stuff I tried or discovered. Over time it morphed into very rare posts along the lines of “I just spent a week figuring this out, let me write it down to save everyone else the trouble”.

Well, OpenShift Enterprise 2.2 is out the door, and that will be in maintenance mode while we work on version 3. Just when I felt like I knew something about v2, it’s time to return to being a dunce because the world has been upended for v3. So maybe it’s time to return to stumbling around and writing down what happens.

Everything old is new ag…. no, wait:

Everything new is really, really new

Approximately nothing from OpenShift v2 will survive recognizably in v3. It will be as different as systemd is from sysv, as different as Linux is from Windows, as different as solar energy is from the Hoover dam. Here’s what’s on my hit list to get up to speed on (let me know what I missed):

RHEL 7 / Atomic

OSE 2 runs on RHEL 6. About the time Fedora 20 and Ruby on Rails 4 came out, it became evident that trying to make OpenShift span RHEL 6 and newer platforms was going to be way more trouble than we wanted. We gave up on that and left Origin users running on CentOS 6 rather than trying to keep including Fedora.

This brings some good things, though. Managing dependencies for OSE 2 on RHEL 6 has been a bit of a nightmare. All signs point to that going away completely for v3. As in, you might not even need yum at all. If the eventual platform we recommend is Atomic, platform updates will be applied whole-system via rpm-ostree (AKA atomic), so I’ll need to know about that distribution mechanism. If not, it still looks like there will be a lot less to install and configure on the actual OS.

So:

  • rpm-ostree / atomic
  • systemd – have to understand more than just “systemctl enable foo; systemctl start foo” – how to define services, how daemons are spun off and monitored, where logs go…
  • firewalld – is this just a frontend to iptables?
  • btrfs?

go

go is the new hotness. Ruby on Rails is old and broken. OK, not old and broken, but docker, kubernetes, etcd, and the OpenShift layer on top are all go-based. Fortunately I used C all through college… picking up go doesn’t look difficult, should be fun.

golang vs gcc-go – the former (the standard toolchain) is what most people are using; the latter would get us more supported platforms, if it works with the codebase.
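
Just to get a feel for it, here’s a trivial, self-contained sketch (nothing OpenShift-specific) of the parts that look most novel coming from C, namely goroutines and channels:

    package main

    import (
        "fmt"
        "strings"
    )

    // shout uppercases each word it receives and sends the result on out,
    // closing the channel when done so the receiver's range loop ends.
    func shout(words []string, out chan<- string) {
        for _, w := range words {
            out <- strings.ToUpper(w)
        }
        close(out)
    }

    func main() {
        out := make(chan string)
        go shout([]string{"docker", "kubernetes", "etcd"}, out)

        // Receive until the goroutine closes the channel.
        for w := range out {
            fmt.Println(w)
        }
    }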

Docker

Docker will be replacing our homegrown containers. It’s a formalization of a lot of the same concepts – creating and containing processes with regard to networking, file access, resource usage, and so on. Some questions for me to get through:

  • How do I get files into/out of a container? Bind mounts, other kinds of mounts, …? What happens when it goes away?
  • What exactly happens with exposing container networking?
  • How does SELinux contain a Docker container?
  • How do cgroups contain a Docker container in RAM/CPU/etc?
  • How do I control what user runs the processes in a container?
  • How does a union filesystem compose multiple image layers into a container’s filesystem?
  • How do I configure where images come from?
  • How do I figure out what went wrong after one exits and goes away?

… and a million other things.
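
I won’t pretend to have answers yet, but as a first crack at a couple of these (getting files in via a bind mount, and doing a post-mortem after the container exits), here’s a rough sketch that just drives the docker CLI from go. The image, paths, and container name are placeholders, and it assumes the docker client and daemon are already installed and running:

    package main

    import (
        "fmt"
        "os/exec"
    )

    // run executes a command and returns its combined stdout/stderr, so we
    // can see what the docker CLI said even when it fails.
    func run(name string, args ...string) string {
        out, err := exec.Command(name, args...).CombinedOutput()
        if err != nil {
            fmt.Printf("%s %v failed: %v\n", name, args, err)
        }
        return string(out)
    }

    func main() {
        // Bind-mount a host directory into the container (host path, image,
        // and container name are all placeholders) and list it from inside.
        fmt.Print(run("docker", "run", "--name", "scratchpad",
            "-v", "/tmp/host-data:/data", "busybox", "ls", "/data"))

        // The container has exited but still exists (no --rm), so we can do
        // a post-mortem: what did it print, and how did it exit?
        fmt.Print(run("docker", "logs", "scratchpad"))
        fmt.Print(run("docker", "inspect", "--format", "{{.State.ExitCode}}", "scratchpad"))

        // Clean up the stopped container.
        run("docker", "rm", "scratchpad")
    }

(Driving the CLI is a crutch, of course, but it’s enough to start answering these questions by experiment.)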

Kubernetes

Kubernetes is one orchestration layer on top of Docker. It will handle things like ensuring you have the expected number of copies of an image running across the various hosts on the cluster, and providing a proxy (aka “service”) for reaching them at a stable location.

Kubernetes introduces the concept of “pods”, which are essentially just related containers running together on a host and sharing resources. As far as OpenShift is concerned, pods will likely only ever have a single container, and thus be effectively synonymous with containers, but the terminology is there nonetheless. Do not confuse “pods” with “apps” (which are also composed of containers, but potentially spread across multiple hosts).

Things to learn:

  • Kubernetes masters present a REST API, so I need to get to know that a bit (a first poke at it is sketched after this list).
  • How are multiple kubernetes masters synchronized? Just via entries in etcd, or more directly?
  • How do kubernetes masters communicate with minions (kubelets)?
  • How do services/replication masters determine whether a container/pod is working or not?
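
For that first bullet, the cheapest way to start poking at the REST API is plain HTTP from go. The port and the /api/v1beta1 prefix below are my assumptions about a local, unauthenticated master rather than anything authoritative:

    package main

    import (
        "fmt"
        "io/ioutil"
        "net/http"
    )

    func main() {
        // Port and API version prefix are assumptions; adjust for whatever
        // the local kubernetes master actually serves.
        resp, err := http.Get("http://127.0.0.1:8080/api/v1beta1/pods")
        if err != nil {
            fmt.Println("request failed:", err)
            return
        }
        defer resp.Body.Close()

        body, err := ioutil.ReadAll(resp.Body)
        if err != nil {
            fmt.Println("read failed:", err)
            return
        }
        fmt.Println(resp.Status)
        fmt.Println(string(body)) // raw JSON describing the pods
    }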

etcd

Distributed key-value store. I’m not sure why we needed another one, but it seems that it’s going to be the store for lots of critical stuff. Which critical stuff? Good question, probably not *all* of it… What else might we use for a data store?

Aside from the general capabilities of etcd, I need to learn how to cluster and shard etcd instances, and how the Raft consensus algorithm works (or when it doesn’t).
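
Before worrying about clustering, the basics are easy to poke at, since etcd speaks plain HTTP. Here’s a sketch of writing and then reading back one key; the port (4001) and the /v2/keys path are assumptions about the local setup:

    package main

    import (
        "fmt"
        "io/ioutil"
        "net/http"
        "net/url"
        "strings"
    )

    // Port and path are assumptions about a local etcd with the v2 keys API.
    const keyURL = "http://127.0.0.1:4001/v2/keys/message"

    func main() {
        // Write a key: the keys API takes a form-encoded "value" via PUT.
        form := url.Values{"value": {"hello etcd"}}
        req, err := http.NewRequest("PUT", keyURL, strings.NewReader(form.Encode()))
        if err != nil {
            fmt.Println("building request failed:", err)
            return
        }
        req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
        putResp, err := http.DefaultClient.Do(req)
        if err != nil {
            fmt.Println("put failed:", err)
            return
        }
        putResp.Body.Close()

        // Read it back; the response is a JSON document describing the node.
        getResp, err := http.Get(keyURL)
        if err != nil {
            fmt.Println("get failed:", err)
            return
        }
        defer getResp.Body.Close()
        body, _ := ioutil.ReadAll(getResp.Body)
        fmt.Println(string(body))
    }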

OpenShift v3

Of course, this is going to add a further layer on top of Kubernetes, a layer to define apps and user access to them. A lot of it is still in pretty early stages, e.g. there’s not really any concept of users or access controls yet. That’ll change.

  • REST API (parallel but separate from Kubernetes)
  • Building container layers from source code
  • Deployment strategies
  • How does OpenShift influence the placement algorithm, and what are the parallels to the scaled/HA apps, zones, and regions of v2?
  • What does the routing layer look like? (We aren’t simply going to expose Kubernetes services.) Good gracious, the networking for this looks complicated.
  • How will we define and mount storage for use by containers / apps?

Angular.js web console

Having a web application server is so last year (or maybe decade?). The data is all available from REST APIs… now your web app can just be static pages with a ton of JavaScript doing all the work on the client side. This replaces the OpenShift v2 web console app. At least it’s one less service to keep running, and you won’t need to hit “reload” all the time to watch things changing.

Is anything staying the same?

Technology-wise, nothing is staying the same. Get ready for that (I’ve marveled that the rest of the team could pivot so quickly). But we’ve spent a few years now building a PaaS, and of course there are certain patterns that are going to pop up no matter what technology we use. Despite all the technology changes, those same issues are probably what we’ll be beating our heads against, and where hopefully our previous experience will help OpenShift prevail.

Infrastructure, nodes, and routing

OpenShift will probably constitute the infrastructure only – the apps will actually run on hosts running Linux, Docker, and kubelets. But the general pattern will remain: an orchestration interface, a cluster of compute nodes, and a routing layer to reach them.

Composing apps

Apps will still be put together from several components – potentially several containers (I don’t think we’ll call them gears), each potentially composed of some kind of framework plus some of your code. Defining and wiring these together will be the core of what OpenShift continues to do.

Access control

We’re still going to have users. There will still be teams. There may be more layers (e.g. probably admins, “utility” users). It will still be necessary to define things that those users and teams can access. And it will still be necessary to interface with the various ways in which enterprises already define users, groups, authentication, and authorization (Kerberos, LDAP, …).

Proxies (AKA layers of indirection)

In OpenShift v2, there are a number of ways in which your request to an app can actually reach the thing that answers it, often going through multiple proxies. In perhaps the most complicated case, with an HA app setup, you look up the app by name (DNS itself consists of several layers of indirection) and reach the external routing layer, which forwards to a node host routing layer, which forwards to a load-balancing gear layer, which forwards to another node’s port proxy, which finally forwards to the application server running in a gear. V3 will differ in the details, but not in the pattern.

These proxies don’t exist just to peel back layers of the onion; each point provides an opportunity to hide complicated behavior behind a simple facade. For example:

  • DNS records provide all sorts of routing opportunities, including directing the user to a data center that’s available and geographically close to them.
  • A routing layer can monitor multiple endpoints of the application so that outages are detected and requests are directed to functioning endpoints. It can also hide the fact that gears are being moved, that a deployment is rolling out, and so on.
  • The node host routing layer can hide the fact that a gear was actually idle when a request arrived, bringing it up only when needed and conserving resources otherwise.
  • The load-balancing gear layer balances traffic and implements sticky sessions.

As you can see, proxies are actually where a lot of the “magic” of a PaaS happens, and you can expect this pattern to continue in v3.
