Free Yourself with CloudFoundry: A Private Cloud Experience
Transcript of Free Yourself with CloudFoundry: A Private Cloud Experience
Slide 1
© 2013 SpringOne 2GX. All rights reserved. Do not distribute without permission.
Free Yourself with Cloud Foundry
A Private Cloud Experience
Mike Heath, Shawn Nielsen, Mike Youngstrom
Slide 2
Disclaimer
This presentation does not represent the views, opinions,
policies, nor direction of The Church of Jesus Christ of
Latter-day Saints. These views are the sole views of the
presenters involved with the presentation. We take full
responsibility for content presented and any errors or
incorrect perception of representation.
Slide 3
Description / Overview
• This presentation is about
our experience integrating
Cloud Foundry into our
organization.
• It is not a tutorial on how
to deploy CF.
Slide 4
Presentation Roadmap
• Why we chose Cloud Foundry?
• Cloud Foundry APIs in a UI
• Gap analysis
• Develop and deploy
• Authentication & diagnostics
• Custom services
• Application level firewalls
Slide 5
Business Problems
• 100s of small/medium apps
• Difficult to manage infrastructure for so
many apps
• More interested in fault tolerance over
scale for most apps
• Slowness in provisioning time
Slide 6
The PaaS Team
• 2 ½ Developers
• ½ Manager
• 3 Operations personnel
• Passion for efficiency
Slide 7
Current State
• Currently in beta
– Moving to enterprise ready in Q4
• Good feedback so far
• Applications
– 4 production
– 14 development
Slide 8
Why we went with PaaS
• Developer productivity
• Fault tolerant and scalable
• Simplification of infrastructure
• Consistent deployments across runtimes
• Self-service
Slide 9
Why Cloud Foundry?
Slide 10
Other Reasons for Cloud Foundry
• Infrastructure agnostic
– Avoids vendor lock-in
• Public/private
• Cloud on cloud
– PaaS running on an IaaS cloud
Slide 11
Other Reasons We Love Cloud Foundry
• Open source
– Ability to adapt Cloud Foundry to our needs
– Community involvement
• Architecture
– Good architecture sells itself
Slide 12
Overview of Environment
• vSphere
• F5 (load balancer)
• Oracle
• LDAP
• Proxy based SSO
• Primarily Java+Spring shop
– Starting to see some NodeJS
Slide 13
Cloud Foundry Adoption Challenges
Slide 14
Cloud Foundry Adoption Challenges
• Convincing the systems engineers
– VM centric world to app centric world
Slide 15
Network Zoning and Firewalls
• Network firewalls
• Transition to host / app firewalls
Slide 16
Network Firewalls
Slide 17
Host / App Level Firewalls
Slide 18
Cost Challenges
• Current costs and billing models
– Multi-year bill-out
• How do you know what you’re going to use in 4 years?
You don’t!
Slide 19
Quota and Utilization Bill-back
Know your bill
$25 per GB RAM per month
Know your usage
Slide 20
Trade-in Model
Slide 21
Organizational Efficiencies
Slide 22
Presentation Roadmap (section divider; same list as slide 4)
Slide 23
Billing and Usage Through CC APIs
CloudController API:
url: "/v2/quota_definitions/36673f76-c617-4ae8-94b9-7adccb747ced"
entity: {
  name: "Enterprise Management Organization - Quota"
  non_basic_services_allowed: false
  total_services: 100
  memory_limit: 40960
  trial_db_allowed: false
}
(memory_limit is expressed in MB, so this organization may reserve 40 GB of RAM in total)
Slide 24
Custom UI
• Just like everyone else…we have our own UI.
• Why?
– No standard UI available. Though several community UIs on
their way.
– No way to do access management through CF. Why Not?
– Management of quotas for organizations
– Give management something visual to look at
Slide 25
Cloud Foundry APIs
CC URL: /v2/organizations/<guid>
entity: {
  name: "MySpringOrganization"
  quota_definition_url: "/v2/quota_definitions/<guid>"
  spaces_url: "/v2/organizations/<guid>/spaces"
  domains_url: "/v2/organizations/<guid>/domains"
  users_url: "/v2/organizations/<guid>/users"
  managers_url: "/v2/organizations/<guid>/managers"
  auditors_url: "/v2/organizations/<guid>/auditors"
  app_events_url: "/v2/organizations/<guid>/app_events"
}
Slide 26
Slide 27
Slide 28
Key Performance Indicator (KPI) Data
Slide 29
Cloud Foundry APIs
CC URL: /v2/apps/<guid>/stats
Quota
state: "RUNNING"
stats: {
  uptime: 984643
  mem_quota: 536870912
  disk_quota: 1073741824
  fds_quota: 16384
}
Live Usage
usage: {
  time: "2013-09-10 02:05:27"
  cpu: 0.0007454006633748
  mem: 211116032
  disk: 116498432
}
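The two Cloud Controller responses above are all that is needed for the quota and utilization bill-back the talk describes. The following is an added example, not code from the talk or from the presenters' UI: it reconciles an organization's quota definition with the memory its running instances reserve and with their live usage, and prices the reservation at the slide's $25 per GB per month. The sample responses are constructed to match the shapes on slides 23 and 29. Assumptions that are mine, not the slides': billing is on reserved memory (the `mem_quota` of instances reported RUNNING), `memory_limit` in a quota definition is in MB, and instances using under 25% of their reservation are flagged as trade-in candidates.

```python
# Added example (not code from the talk): reconcile an org quota, the memory its
# running instances reserve, and live usage, from Cloud Controller v2 responses.
# Assumptions: bill on reserved memory of RUNNING instances at $25/GB/month;
# quota memory_limit is in MB; under 25% use of a reservation is a trade-in candidate.

MB = 1024 * 1024
GB = 1024 * MB
RATE_PER_GB_MONTH = 25.0
RIGHTSIZE_THRESHOLD = 0.25

# Constructed sample response for GET /v2/quota_definitions/<guid>
QUOTA = {"entity": {"name": "Enterprise Management Organization - Quota",
                    "memory_limit": 40960, "total_services": 100,
                    "non_basic_services_allowed": False, "trial_db_allowed": False}}

# Constructed sample responses for GET /v2/apps/<guid>/stats, keyed by app name.
# Each maps instance index -> {"state", "stats"}; a DOWN instance carries no stats.
APP_STATS = {
    "app-a": {
        "0": {"state": "RUNNING", "stats": {"mem_quota": 536870912, "disk_quota": 1073741824,
              "usage": {"mem": 211116032, "disk": 116498432, "cpu": 0.0007454}}},
        "1": {"state": "RUNNING", "stats": {"mem_quota": 536870912, "disk_quota": 1073741824,
              "usage": {"mem": 211116032, "disk": 118000000, "cpu": 0.0006}}},
    },
    "app-b": {
        "0": {"state": "RUNNING", "stats": {"mem_quota": 1073741824, "disk_quota": 1073741824,
              "usage": {"mem": 150000000, "disk": 90000000, "cpu": 0.0001}}},
        "1": {"state": "DOWN", "stats": {}},
    },
}


def running_instances(app_stats):
    """Yield (index, stats) for instances the DEA reports as RUNNING with stats."""
    for index, inst in sorted(app_stats.items()):
        if inst.get("state") == "RUNNING" and inst.get("stats"):
            yield index, inst["stats"]


def reserved_bytes(app_stats):
    return sum(s["mem_quota"] for _, s in running_instances(app_stats))


def used_bytes(app_stats):
    return sum(s["usage"]["mem"] for _, s in running_instances(app_stats))


def rightsizing_candidates(apps, threshold=RIGHTSIZE_THRESHOLD):
    """Instances whose live memory use is below `threshold` of their reservation.
    The org pays for the reservation, not the use, so these are trade-in candidates."""
    out = []
    for name, app_stats in sorted(apps.items()):
        for index, s in running_instances(app_stats):
            if s["usage"]["mem"] < threshold * s["mem_quota"]:
                out.append(f"{name}/{index}")
    return out


def org_report(quota, apps, rate=RATE_PER_GB_MONTH):
    """Quota vs reservation vs usage for one organization, plus the monthly bill."""
    quota_bytes = quota["entity"]["memory_limit"] * MB
    reserved = sum(reserved_bytes(a) for a in apps.values())
    used = sum(used_bytes(a) for a in apps.values())
    return {
        "quota_bytes": quota_bytes,
        "reserved_bytes": reserved,
        "used_bytes": used,
        "headroom_bytes": quota_bytes - reserved,
        "reserved_pct_of_quota": round(100.0 * reserved / quota_bytes, 2),
        "utilization_pct": round(100.0 * used / reserved, 2) if reserved else 0.0,
        "monthly_bill": round(rate * reserved / GB, 2),
        "rightsizing_candidates": rightsizing_candidates(apps),
    }


if __name__ == "__main__":
    for key, value in org_report(QUOTA, APP_STATS).items():
        print(f"{key:24} {value}")
```

The point of separating reserved from used memory is the trade-in model on slide 20: the quota and the bill are driven by what instances reserve, while `usage.mem` shows what they actually touch, so an app running far below its reservation can be resized before the next billing period.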
Slide 30
Operations Center
Slide 31
UI Demo
Slide 32
Presentation Roadmap (section divider; same list as slide 4)
Slide 33
Gaps
Slide 34
Authentication
Slide 35
Diagnostics
Slide 36
Enterprise Services and Legacy
Slide 37
Presentation Roadmap (section divider; same list as slide 4)
Slide 38
Deployment
• Use BOSH
– Fork cf-release
– Proxy?
• Environments:
– X Dev
– 1 Test
– 1 Prod
• Customers only use prod
• Break deployments into pools
– Core
– DEA/Router-X
Slide 39
Development
• Dev is prod but smaller
– Use BOSH
– vSphere
– F5
– SSL – kind of
• Develop on component?
– `bosh stop` existing component
– Configure local component in place
• Other options
– Vagrant?
– Warden CPI?
Slide 40
Presentation Roadmap (section divider; same list as slide 4)
Slide 41
Customizing Authentication
• UAA & Login
– Java Spring + Spring Security
• Customized UAA
– Added UAA to src release
– Added spring config
• Login Server
– May re-visit
Slide 42
Buildpack Customization
• Vital extension point
• Support for legacy artifacts
• Just fork and tweak
– Proxies
– Oracle support for Node
– Pre-processed `npm install`
– Add JMX support
Slide 43
Problem: Diagnostics
• Need:
– Thread dumps
– Heap dumps
– Remote debug
– APM
• Current story? Not good
– Logging
– Console port???
– Debug port???
Slide 44
Solution: Caldecott?
• Use console and debug ports
• Caldecott
– TCP over HTTP proxy
– Inter-app communication
• Diagnostic
– Router/gateway/server
Slide 45
Solution: Diagnostics Server
Components in the diagram: Dev Workstation, Diagnostic Server, UAA/Cloud Controller, DEA, Warden
• Dev Workstation sends the request to the Diagnostic Server (request proxy)
• Diagnostic Server authorizes the request against UAA/Cloud Controller
• Diagnostic Server proxies the request to the DEA
• DEA forwards to Warden on the debug or console port
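The step that carries the security weight in that flow is "Authorize Request": the diagnostic server is a deliberate hole through the app firewall, so it must decide, per request, who may reach which port of which container. What follows is an added example of that decision as a pure function over constructed data; it is not the talk's diagnostic server. Assumptions that are mine rather than the slides': the caller's UAA token has already been signature-checked and introspected into a dict, the required authorization is the `cloud_controller.write` scope plus developer membership in the app's space, and the DEA exposes per-instance `console` and `debug` port numbers that the client may only refer to by name.

```python
# Added example (not the talk's diagnostic server): the "Authorize Request" step
# in front of the proxy, modelled over constructed Cloud Controller and DEA data.
# Assumptions (not from the slides): token already verified and introspected;
# required = cloud_controller.write scope + developer role in the app's space;
# clients name a port ("console"/"debug"), never a raw port number.
from dataclasses import dataclass

REQUIRED_SCOPE = "cloud_controller.write"
ALLOWED_PORT_NAMES = ("console", "debug")


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class ProxyTarget:
    dea_host: str
    port: int


# Constructed Cloud Controller view: app -> space, space -> developer user ids
APPS = {"app-guid-1": {"space": "space-guid-1"}}
SPACE_DEVELOPERS = {"space-guid-1": {"user-alice"}}
# Constructed DEA view: (app, instance index) -> DEA host and the ports Warden mapped
INSTANCES = {("app-guid-1", 0): {"dea_host": "10.0.1.5", "console": 45000, "debug": 45001}}


def authorize(request, token, now):
    """Return the DEA host/port to proxy to, or raise Forbidden.
    request: {"app_guid", "instance", "port"}; token: introspected UAA token dict."""
    if token.get("exp", 0) <= now:
        raise Forbidden("token expired")
    if REQUIRED_SCOPE not in token.get("scope", []):
        raise Forbidden("missing scope " + REQUIRED_SCOPE)
    port_name = request.get("port")
    if port_name not in ALLOWED_PORT_NAMES:
        raise Forbidden("port must be one of %s" % (ALLOWED_PORT_NAMES,))
    app = APPS.get(request.get("app_guid"))
    # Same answer for "no such app" and "not your app": don't leak app existence.
    if app is None or token.get("user_id") not in SPACE_DEVELOPERS.get(app["space"], set()):
        raise Forbidden("no access to app")
    inst = INSTANCES.get((request["app_guid"], request.get("instance", 0)))
    if inst is None:
        raise Forbidden("instance not running")
    return ProxyTarget(inst["dea_host"], inst[port_name])


def decide(request, token, now):
    """Audit-friendly wrapper: (allowed, ProxyTarget or reason string)."""
    try:
        return True, authorize(request, token, now)
    except Forbidden as e:
        return False, str(e)
```

Two design choices worth keeping even if the role model differs: the client chooses a port by name from a closed set, so the proxy can never be steered at an arbitrary container port, and the decision is returned as a value so every allow and deny can be logged with the user, app and port for the auditability requirement on slide 68.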
Slide 46
Demo Remote Debug
Slide 47
JMX
• JMX is great
– Heap dumps
– Thread dumps
– Basic profiling
– Management operations
• JMX over RMI lacking
– JMXMP to the rescue
• Configure JMX in buildpack
– Bind to `console` port
• Created `cf` plugin to launch VisualVM
Slide 48
JMX Demo
Slide 49
Diagnostics Summary
• Caldecott
– Doesn’t work for us
• Diagnostic Server
• Safe customization?
– Removed ports
Slide 50
Presentation Roadmap (section divider; same list as slide 4)
Slide 51
Custom Services
• Integrate with existing systems
– LDAP, NFS/CIFS, Oracle, SSO,
Web Services, etc.
• New ‘user-provided’ service is not
adequate
– Will still work for most people
– We need more than a set of
key/value pairs
Slide 52
Custom Services Built on Java and Spring
• We’re a Java shop.
• Java is more enterprise
friendly.
– Client libraries for existing
systems
• Our team consists of
Java/Spring developers.
Slide 53
Custom Service Framework Features
• NATS Client
• Cloud Foundry utilities
– Type-safe NATS messaging
– PID file support for working with Monit/BOSH
– YAML config
• Cloud Controller client for invoking service APIs
• Service Broker
• Open source
– https://github.com/cloudfoundry-community/java-nats
– https://github.com/cloudfoundry-community/cf-java-component
Slide 54
NATS Java Client
• NATS is the distributed pub/sub messaging system used
by Cloud Foundry.
• NATS support is essential for customizing Cloud Foundry.
• Java client
– Built using Netty
– Integrates with Spring
• Generic NATS client, nothing Cloud Foundry specific
Slide 55
NATS Client Sample Code
// Imports not shown on the slide (package names assumed from the java-nats project)
import nats.client.Nats;
import nats.client.NatsConnector;

// Connecting NATS to server
Nats nats = new NatsConnector()
    .addHost("nats://localhost")
    .connect();
// Simple subscriber: the handler runs for every message published on "foo"
nats.subscribe("foo", (message) -> {
    System.out.println("Received: " + message);
});
// Simple publisher
nats.publish("foo", "Hello world!");
Slide 56
NATS Client Spring Integration
<nats:nats>
  <nats:url>nats://localhost:4222</nats:url>
</nats:nats>

import org.springframework.context.annotation.Configuration;
// @EnableNatsAnnotations, @Subscribe and Message come from the java-nats Spring
// integration (imports not shown on the slide).

@EnableNatsAnnotations
@Configuration
public class NatsConfig {   // a class named Configuration would clash with the imported annotation
    @Subscribe("foo")
    public void onMessage(Message message) {
        System.out.println(message);
    }
}
Slide 57
Spring Boot/NATS Example
• NATS to HTTP Gateway
– Using Spring Boot
– Single Java source file
– Fewer than 75 lines of Java (including import statements)
https://github.com/mheath/spring-boot-nats-example
Slide 58
Cloud Foundry Specific NATS (cf-nats)
• Simplifies using NATS with Cloud Foundry
• Type-safe NATS messaging
– Component discovery
– Router registration
– Staging notifications
• Still a work in progress
https://github.com/cloudfoundry-community/cf-java-component/tree/master/cf-nats
Slide 59
PID File
• Support for creating .pid file at Spring context initialization
• Useful for working with Monit
– BOSH uses Monit
<cf:pid-file resource="file:/var/run/component/my-cf-component.pid" />
Slide 60
YAML Configuration
• Existing Cloud Foundry components use YAML for
configuration.
• YAML is cool.
• We provide Spring integration for using YAML.
– XML configuration for loading YAML as properties.
– Java configuration for using YAML as a Spring PropertySource.
Slide 61
Service Broker Framework
• Enables creating custom services
• Creating service broker requires implementing a single
Java interface
• Simple Cloud Controller client for invoking service APIs
• Provides APIs for automatically registering with Cloud
Controller
Slide 62
Example Service Broker
• Built on Spring Boot
• http://github.com/cloudfoundry-community/java-service-broker-example
Slide 63
Example Service Broker Demo
Slide 64
Oracle Service Demo
Slide 65
Custom Oracle Service
• Prompts for: service name, schema/user, password
• Produces credentials:
"credentials": {
  "schema": "CF_DEV2",
  "ldap": {"host": "fake-ldap.lds.org", "port": 389, "context": "cn=OracleContext…"},
  "firewall": [{"port": 1234, "host": "oracle-scan-host"}…],
  "descriptor": "(DESCRIPTION=(ADDRESS_LIST=…",
  "alias": "DB-DEV2",
  "service": "service134",
  "addresses": [{"host": "oracle-scan-host", "port": "1234"}],
  "jdbcUrl": "jdbc:oracle:thin:@ldap://fake-ldap/DB-DEV2,cn=OracleContext,…",
  "password": "super-secret-password"
}
Slide 66
Custom Service Creation Workflow
Participants in the diagram: `cf` client (with plugin), Service Broker, Cloud Controller
• cf plugin prompts for service data
• cf plugin sends data to broker (host: 'foo', port: 1234)
• Broker holds service data (host: 'foo', port 1234)
• cf creates service
• Cloud Controller tells broker to create service instance
• Broker correlates service data originally sent by cf plugin and returns service credentials to Cloud Controller
Slide 67
Presentation Roadmap (section divider; same list as slide 4)
Slide 68
Firewall Requirements
• Proxy based SSO requires control over incoming requests
• Minimize attack vectors from compromised/malicious apps
– Limit access to console and debug ports
• Allow access to high risk network zones
• Auditability – What network resources does each app
have access to?
• Minimize customization of Cloud Foundry
Slide 69
Proxy Based Single Sign-On (SSO)
Slide 70
Warden
• Used by the DEA to securely host applications
• Applications run within a "Warden Container"
• Warden Containers isolate resources
– Network
– Disk
– Memory
• Think of a Warden Container as a "lightweight VM."
Slide 71
Controlling Incoming Requests
• Load Balancer and Cloud Foundry routers easily secured.
• Securing requests to Warden Containers more difficult
– Need to allow incoming requests from routers
– Disallow outgoing requests directly to routers
• Cloud Foundry scales dynamically
– Routers can be added/removed from the system at any time
– Changing static configuration of all DEAs when router is
added or removed is unacceptable
Slide 72
Custom DEA Incoming Firewall
• Configure Warden to drop all incoming and outgoing packets
• Customized DEA to track Cloud Foundry routers
– Routers already broadcast presence via NATS
– Use existing NATS messages to build router registry
• Warden uses `iptables` to isolate network resources
– `iptables` rules are Linux kernel-level network rules
– Our firewall piggybacks on Warden's `iptables` rules
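The inbound side, as an added example that is not the talk's DEA patch: a router registry fed by the routers' own NATS presence announcements, and the per-container inbound allow-list derived from it, so nothing static on the DEA has to change when a router is added or removed. Assumptions that are mine rather than the slides': routers publish on the NATS subject `router.start` a JSON body with `id`, `hosts` (the router's IPs) and `minimumRegisterIntervalInSeconds`; a router not heard from for three intervals is pruned; each container's inbound rules live in an iptables chain the DEA names, whose last rule is an unconditional DROP. The NATS messages are constructed; the iptables commands are returned as strings rather than executed.

```python
# Added example (not the talk's DEA patch): router registry from NATS router.start
# announcements, and the container's inbound ACCEPT rules derived from it.
# Assumptions (not from the slides): subject "router.start", body with "id",
# "hosts" and "minimumRegisterIntervalInSeconds"; prune after 3 silent intervals;
# the chain's tail is a DROP rule so ACCEPTs are inserted above it.
import ipaddress
import json


class RouterRegistry:
    def __init__(self, missed_intervals=3):
        self.missed_intervals = missed_intervals
        self._routers = {}   # router id -> {"hosts": [...], "deadline": seconds}

    def on_nats_message(self, subject, payload, now):
        """Feed every NATS message here; only router.start announcements count."""
        if subject != "router.start":
            return
        msg = json.loads(payload)
        hosts = [str(ipaddress.ip_address(h)) for h in msg["hosts"]]   # IPs only, no names
        interval = float(msg.get("minimumRegisterIntervalInSeconds", 20))
        self._routers[msg["id"]] = {
            "hosts": hosts, "deadline": now + self.missed_intervals * interval}

    def prune(self, now):
        """Forget routers that stopped announcing; returns the ids dropped."""
        gone = sorted(rid for rid, r in self._routers.items() if r["deadline"] <= now)
        for rid in gone:
            del self._routers[rid]
        return gone

    def router_ips(self):
        return sorted({h for r in self._routers.values() for h in r["hosts"]})


def bootstrap(chain):
    """Create the container's inbound chain with default deny as its tail."""
    return [f"iptables -N {chain}", f"iptables -A {chain} -j DROP"]


def desired_accepts(app_port, router_ips):
    """The ACCEPT rules the chain should hold: app port reachable from routers only."""
    return {f"-p tcp --dport {app_port} -s {ip} -j ACCEPT" for ip in router_ips}


def reconcile(chain, current, desired):
    """Commands moving the chain from `current` to `desired` ACCEPT rules.
    Inserts go at position 1 so they always sit above the trailing DROP."""
    adds = [f"iptables -I {chain} 1 {r}" for r in sorted(desired - current)]
    dels = [f"iptables -D {chain} {r}" for r in sorted(current - desired)]
    return adds + dels
```

The registry trusts whatever announces itself on the bus, which is exactly the property that makes it dynamic: anything able to publish `router.start` on NATS can add itself to every container's allow-list, so the NATS network itself has to be reachable only from Cloud Foundry components, never from application containers (the outbound drop-by-default on slide 72 is what keeps apps off it).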
Slide 73
Custom DEA Outbound Firewall
• Service credentials embed firewall rules
• Use Warden API to open firewall holes
• Facilitated by custom services
"credentials": {
  ...
  "firewall": [{
    "network": "10.118.50.0/24",
    "port": 8080
  }]
}
Slide 74
Securing Outbound HTTP
• Problems
– A single IP address can host multiple web sites/applications
– Public web services often have a large pool of IP addresses that can change over time
• Solution: HTTP proxy for hostname validation
• Custom service firewall rules enable access to the HTTP proxy
"credentials": {... "firewall": [{"http": "http://www.google.com"}]}
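Slides 73 and 74 together define three rule shapes that can appear in a service's `firewall` credentials: a `network`/`port` pair, a `host`/`port` pair (as in the Oracle credentials on slide 65), and an `http` URL. The following is an added example, not the talk's Warden or DEA code, covering both slides: it compiles those rules into per-container iptables commands, and enforces the `http` rules at the proxy by exact hostname match, which is the hostname-validation the slide relies on. Assumptions that are mine: the chain name is supplied by the caller, `host` rules are resolved at bind time by a resolver the DEA supplies (a constructed dict here), the proxy listens at `PROXY_ADDR`, and networks wider than /8 are refused as a local policy choice. No command is executed; the block returns them as strings.

```python
# Added example (not the talk's Warden/DEA code): compile "firewall" credentials
# into a container's iptables rules and enforce "http" rules at the proxy by
# exact hostname match. Assumptions (not from the slides): caller-supplied chain
# name; "host" rules resolved by a supplied resolver (constructed dict here);
# proxy at PROXY_ADDR; networks wider than /8 refused as policy.
import ipaddress
from urllib.parse import urlsplit

PROXY_ADDR = ("10.118.1.10", 3128)                                 # assumed proxy address
MIN_PREFIXLEN = 8                                                  # refuses 0.0.0.0/0 etc.
RESOLVER = {"oracle-scan-host": ["10.118.60.5", "10.118.60.6"]}    # constructed DNS stand-in


class BadRule(ValueError):
    pass


def _port(value):
    port = int(value)
    if not 1 <= port <= 65535:
        raise BadRule(f"port out of range: {value}")
    return port


def http_key(url, host_only):
    """Normalise a URL to (scheme, host, port). With host_only=True (rule syntax)
    the URL must be a bare hostname: no path, query, userinfo or IP literal."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise BadRule(f"not an http(s) URL: {url}")
    try:
        port = u.port
    except ValueError:
        raise BadRule(f"bad port in {url}")
    if host_only:
        if u.path not in ("", "/") or u.query or u.fragment or u.username:
            raise BadRule(f"rule must name a host only: {url}")
        try:
            ipaddress.ip_address(u.hostname)
        except ValueError:
            pass
        else:
            raise BadRule(f"IP literal not allowed, name the host: {url}")
    return (u.scheme, u.hostname.lower(), port or (443 if u.scheme == "https" else 80))


def compile_rules(chain, firewall, resolver=RESOLVER):
    """Return (iptables commands for the container's chain, proxy allow-list).
    A malformed rule aborts the whole bind rather than being silently skipped."""
    accepts, allow = [], set()
    for rule in firewall:
        if "network" in rule:
            net = ipaddress.ip_network(rule["network"], strict=True)
            if net.prefixlen < MIN_PREFIXLEN:
                raise BadRule(f"network too broad: {net}")
            dests, port = [str(net)], _port(rule["port"])
        elif "host" in rule:
            dests = resolver.get(rule["host"]) or []
            if not dests:
                raise BadRule(f"cannot resolve {rule['host']}")
            port = _port(rule["port"])
        elif "http" in rule:
            allow.add(http_key(rule["http"], host_only=True))
            dests, port = [PROXY_ADDR[0]], PROXY_ADDR[1]      # only the proxy is reachable
        else:
            raise BadRule(f"unknown rule shape: {rule}")
        accepts += [f"iptables -A {chain} -d {d} -p tcp --dport {port} -j ACCEPT" for d in dests]
    return [f"iptables -N {chain}"] + sorted(set(accepts)) + [f"iptables -A {chain} -j DROP"], allow


def proxy_allows(allow, request_url):
    """Proxy-side check: exact (scheme, host, port) match against the app's list.
    No suffix or substring matching, so www.google.com.evil.net is refused."""
    try:
        return http_key(request_url, host_only=False) in allow
    except ValueError:          # BadRule is a ValueError too
        return False
```

The allow-list is keyed on scheme and port as well as host, so a rule for `http://www.google.com` does not also open `https://www.google.com` or port 8080 on the same name; if that is wanted, the service has to say so. Resolving `host` rules once at bind time is the weakest part of any such design, since the Oracle SCAN addresses can change after the rule is written; the talk's choice of a hostname-validating proxy for HTTP is the fix for that class of problem where it can be applied.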
Slide 75
Http Proxy Firewall Workflow
[Diagram: HTTP Proxy, DEA, Warden, Network Firewall, Intranet, Internet. Apps in Warden containers on the DEA reach only the HTTP Proxy, which proxies HTTP requests through the Network Firewall to the Intranet and Internet]
Slide 76
Summary
• Cloud Foundry is awesome!
• Cloud Controller APIs make creating a UI easy.
• Cloud Foundry authorization customization is maturing.
• Diagnostics need work. Our solution was promising.
• You can create services in Java.
• We isolate our applications in app firewalls
Slide 77
Questions?
Slide 78
Citation references
• Cloud picture (slide 3) Copyright 2007, Karin Dalziel. Creative Commons licensed.
• Snail picture (slide 4) Copyright 2013, Eirien (Ilweranta). Creative Commons licensed.
• Wrench photo (slide 5) Copyright 2009, zzpza. Creative Commons licensed.
• Building photo (slide 10) Copyright 2010, Ricardo Diaz. Creative Commons licensed.
• Lightning road screen "do not enter" picture (slide 12) Copyright 2008, Bobby. Creative Commons licensed.
• Gap (slide 28) Copyright 2013, Upupa4me. Creative Commons licensed.
• "Key Note" (slide 29) Copyright 2009, William Neuheisel. Creative Commons licensed.
• "Angry Computer Support Worker Banging His Fists On His Desk" (slide 30) Copyright 2010, jfcherry. Creative Commons licensed.
• "24 Hour Service" (slide 31) Copyright 2008, Natalie Maynor. Creative Commons licensed.
• "Launch of Atlas V TDRS-K from Cape Canaveral AFS" (slide 32) Copyright 2013, NASA Goddard Space Flight Center. Creative Commons licensed.
• "American Architect, 1909" (slide 33) Copyright 2011, REVIVALthedigest. Creative Commons licensed.
• "Keys" (slide 34) Copyright 2005, mmarchin. Creative Commons licensed.
• "Lego building" (slide 35) Copyright 2006, Matt Bateman. Creative Commons licensed.
• "Heavy Metal: TDK MA-R90 Cassette Tape" (slide 39) Copyright 2012, Scott Schiller. Creative Commons licensed.
• "Tunnel" (slide 41) Copyright 2010, Dushan Hanuska. Creative Commons licensed.
• "Roadside Service" (slide 42) Copyright 2012, Pam Morris. Creative Commons licensed.
• "Typical Prison Guard" (slide 60) Copyright 2009, Son of Groucho. Creative Commons licensed.