4Developers 2015: Under the dome (of failure driven pipeline) - Maciej Lasyk

1. Under the dome (of failure driven pipeline) Maciej Lasyk 4developers – Warsaw 2015-04-20

2. Join Fedora Infrastructure! - learn Ansible - learn Docker with Fedora Dockerfiles http://fedoraproject.org/en/join-fedora

3. Agenda? Don't run away ;)

4. […] Situations like this only reinforce my deep suspicion of developers: They're often carelessly breaking things and then disappearing, leaving Operations to clean up the Mess. […] “The Phoenix Project” by Gene Kim, Kevin Behr and George Spafford

8. Conway's law (1968) organizations which design systems ... are constrained to produce designs which are copies of the communication structures of these organizations http://en.wikipedia.org/wiki/Conway%27s_law

9. Ruth Malan (2008) if the architecture of the system and the architecture of the organization are at odds, the architecture of the organization wins. The organizational divides are going to drive the true seams in the system. http://traceinthesand.com/blog/2008/02/13/conways-law/

10. Yup, you're gut is telling truth...

11. Yup, you're gut is telling truth... This will be another devops indoctrination

12. Yup, you're gut is telling truth... This will be another devops indoctrination What did you expect? ;)

13. Yup, you're gut is telling truth... This will be another devops indoctrination What did you expect? ;) This presentation includes gentle product placement

14. Yup, you're gut is telling truth... This will be another devops indoctrination What did you expect? ;) This presentation includes gentle product placement

15. DevOps Anti-Types & patterns This is a copy/paste from http://blog.matthewskelton.net/ w/my comments included Great job Matthew! Thanks!

16. DevOps Anti-Types http://blog.matthewskelton.net/2013/10/22/what-team-structure-is-right-for-devops-to-flourish/

19. DevOps Patterns http://blog.matthewskelton.net/2013/10/22/what-team-structure-is-right-for-devops-to-flourish/

24. Ok let's CAMS

25. DevOPS ?== CAMS (culture, automation, measurement, sharing)

26. DevOPS !== CAMS DevOPS === people!

27. People culture automation measurement sharing

28. C for Culture A for Automation M for Monitoring S for Sharing

31. Is there a need for change? “agile” and “cloud”: → focus on delivery → close collaboration → lightweight environment and components

32. cultural change modification of a society through innovation, invention, discovery, or contact with other societies

33. Dead sea effect → most talented evaporates → the residue → maintenance experts & bus factor == 1 http://brucefwebster.com/2008/04/11/the-wetware-crisis-the-dead-sea-effect/

34. → talk. often. and get along → take responsibility - from beginning to the end → continuous improvement. seriously → be brave. don't be silent → it's better to be unpolite l/German than polite l/Englishman

35. GTD? (getting things done)

36. GTD? (getting things done) JFDI? (just fuckin' do it)

37. GTD? (getting things done) JFDI? (just fuckin' do it) MFBT? (move fast, break things)

38. GTD + JFDI + MFBT = FCH

39. GTD + JFDI + MFBT = FCH (Fuckin' Customer Happy)

42. Automation is big for most sysadmins. We’re inherently lazy, so the idea of pushing a button and making programs work for us? Appealing. Standalone Sysadmin http://www.standalone-sysadmin.com/blog/2011/04/view-from-the-other-side/

43. → it has to be simple → don't reinvent the wheel. don't fabric → automate from very beginning

44. → repeatable tasks leads to automation

45. → repeatable tasks leads to automation → automation leads to consistency

46. → repeatable tasks leads to automation → automation leads to consistency → consistency reduces errors

47. → repeatable tasks leads to automation → automation leads to consistency → consistency reduces errors → reducing errors leads to stable environment

48. → repeatable tasks leads to automation → automation leads to consistency → consistency reduces errors → reducing errors leads to stable environment → stable environment leads to less unplanned work

49. → repeatable tasks leads to automation → automation leads to consistency → consistency reduces errors → reducing errors leads to stable environment → stable environment leads to less unplanned work → less unplanned work leads to focus on delivery

50. Remember? http://blog.matthewskelton.net/2013/10/22/what-team-structure-is-right-for-devops-to-flourish/

51. Short story of Anti-Type C “we don't need ops” # it's madness with paths for different users and such option as: # sudo su # sudo -i # su - # su # that is why we add variables to two places ENVIRONMENT_FILE = '/etc/environment' PROFILE_FILE = '/etc/profile' INITIAL_PATH = '/usr/local/bin:/usr/bin:/bin' # due to sudo issues (resetting PATH by /etc/sudoers) # we have to add PATH to /root/.profile as well

52. Short story of Anti-Type C “we don't need ops” # it's madness with paths for different users and such option as: # sudo su # sudo -i # su - # su # that is why we add variables to two places ENVIRONMENT_FILE = '/etc/environment' PROFILE_FILE = '/etc/profile' INITIAL_PATH = '/usr/local/bin:/usr/bin:/bin' # due to sudo issues (resetting PATH by /etc/sudoers) # we have to add PATH to /root/.profile as well

53. Short story of Anti-Type C “we don't need ops” Shells: → login → non-login → interactive → non – interactive

54. Short story of Anti-Type C “we don't need ops” Shells: → login → non-login → interactive → non – interactive → su → sudo su: interactive, non-login, .bashrc → sudo su -: interactive, login, /etc/profile;/root/.profile;/root/.bashrc → sudo -i: interactive, login, /root/.profile;/root/.bashrc;/root/.login → sudo /bin/bash: interactive, non-login, ~/.bashrc → sudo -s: reads $SHELL and executes it

60. def is_ubuntu(): return run("uname -a | grep Ubuntu | wc -l") == "1" def install_apache_fix(): if is_ubuntu(): if exists("/lib/x86_64-linux-gnu/libssl.so.0.9.8"): print "libssl.so.0.9.8 already installed - SKIPPING" else: sudo("apt-get -y install libssl0.9.8") else: #Debian if exists("/usr/lib/libssl.so.0.9.8"): print "libssl.so.0.9.8 already installed - SKIPPING" else: #download if necessary url = "http://.../libssl0.9.8_0.9.8o-squeeze14_amd64.deb" if download.sync_opt_download(_download_libssl_lock, url, store_file_path): sudo('chmod ug+x %s' % store_file_path) sudo("dpkg -i %s" % store_file_path)

61. def is_ubuntu(): return run("uname -a | grep Ubuntu | wc -l") == "1" /etc/issue maybe? def install_apache_fix(): if is_ubuntu(): if exists("/lib/x86_64-linux-gnu/libssl.so.0.9.8"): print "libssl.so.0.9.8 already installed - SKIPPING" else: sudo("apt-get -y install libssl0.9.8") else: #Debian if exists("/usr/lib/libssl.so.0.9.8"): print "libssl.so.0.9.8 already installed - SKIPPING" else: #download if necessary url = "http://.../libssl0.9.8_0.9.8o-squeeze14_amd64.deb" if download.sync_opt_download(_download_libssl_lock, url, store_file_path): sudo('chmod ug+x %s' % store_file_path) sudo("dpkg -i %s" % store_file_path)

63. def is_ubuntu(): return run("uname -a | grep Ubuntu | wc -l") == "1" def install_apache_fix(): if is_ubuntu(): if exists("/lib/x86_64-linux-gnu/libssl.so.0.9.8"): ldconfig maybe? print "libssl.so.0.9.8 already installed - SKIPPING" else: sudo("apt-get -y install libssl0.9.8") else: #Debian if exists("/usr/lib/libssl.so.0.9.8"): print "libssl.so.0.9.8 already installed - SKIPPING" else: #download if necessary url = "http://.../libssl0.9.8_0.9.8o-squeeze14_amd64.deb" if download.sync_opt_download(_download_libssl_lock, url, store_file_path): sudo('chmod ug+x %s' % store_file_path) sudo("dpkg -i %s" % store_file_path)

65. def is_ubuntu(): return run("uname -a | grep Ubuntu | wc -l") == "1" def install_apache_fix(): if is_ubuntu(): if exists("/lib/x86_64-linux-gnu/libssl.so.0.9.8"): print "libssl.so.0.9.8 already installed - SKIPPING" else: sudo("apt-get -y install libssl0.9.8") else: #Debian What about RHEL, Fedora, Slackware, Gentoo? if exists("/usr/lib/libssl.so.0.9.8"): print "libssl.so.0.9.8 already installed - SKIPPING" else: #downl. if necessary So whole this is for particular distro version? url = "http://.../libssl0.9.8_0.9.8o-squeeze14_amd64.deb" if download.sync_opt_download(_download_libssl_lock, url, store_file_path): sudo('chmod ug+x %s' % store_file_path) sudo("dpkg -i %s" % store_file_path)

66. def is_ubuntu(): return run("uname -a | grep Ubuntu | wc -l") == "1" def install_apache_fix(): if is_ubuntu(): if exists("/lib/x86_64-linux-gnu/libssl.so.0.9.8"): print "libssl.so.0.9.8 already installed - SKIPPING" else: sudo("apt-get -y install libssl0.9.8") else: #Debian if exists("/usr/lib/libssl.so.0.9.8"): print "libssl.so.0.9.8 already installed - SKIPPING" else: #downl. if necessary url = "http://libssl0.9.8_0.9.8o-squeeze14_amd64.deb" if download.sync_opt_download(_download_libssl_lock, url, store_file_path): sudo('chmod ug+x %s' % store_file_path) sudo("dpkg -i %s" % store_file_path)

67. def is_ubuntu(): return run("uname -a | grep Ubuntu | wc -l") == "1" def install_apache_fix(): if is_ubuntu(): if exists("/lib/x86_64-linux-gnu/libssl.so.0.9.8"): print "libssl.so.0.9.8 already installed - SKIPPING" else: sudo("apt-get -y install libssl0.9.8") else: #Debian if exists("/usr/lib/libssl.so.0.9.8"): print "libssl.so.0.9.8 already installed - SKIPPING" else: #downl. if necessary url = "http://libssl0.9.8_0.9.8o-squeeze14_amd64.deb" if download.sync_opt_download(_download_libssl_lock, url, store_file_path): sudo('chmod ug+x %s' % store_file_path) # declarative madness sudo("dpkg -i %s" % store_file_path)

68. Imperativeness vs declarativeness

69. Imperativeness vs declarativeness def configure(dst_dir, config_properties, installer_file): _copy_conf_file(dst_dir, properties) def _copy_conf_file(dst_dir, properties): sudo("cp %s %s" % (srcConfigPath, targetConfigPath)) change_directory_owner(targetConfigPath) sudo('chmod ug+x %s' % store_file_path) - name: configure this hosts: all tasks: - name: copy conf file file: > src={{ some_source }} dest={{ some_destination }} perms=0750

70. Imperativeness vs declarativeness def configure(dst_dir, config_properties, installer_file): _copy_conf_file(dst_dir, properties) def _copy_conf_file(dst_dir, properties): sudo("cp %s %s" % (srcConfigPath, targetConfigPath)) change_directory_owner(targetConfigPath) sudo('chmod ug+x %s' % store_file_path) - name: configure this hosts: all tasks: - name: copy conf file file: > src={{ some_source }} dest={{ some_destination }} perms=0750

72. → flat learning curve

73. → flat learning curve → doesn't required additional resources

74. → flat learning curve → doesn't required additional resources → fit for maintenance jobs / procedures

75. → flat learning curve → doesn't required additional resources → fit for maintenance jobs / procedures → great for any containers as non-daemon

76. → flat learning curve → doesn't required additional resources → fit for maintenance jobs / procedures → great for any containers as non-daemon → deals with “deployment specs”

77. → flat learning curve → doesn't required additional resources → fit for maintenance jobs / procedures → great for any containers as non-daemon → deals with “deployment specs” → might be easily adopted as universal language

80. →selinux enforcing i -rw-r--r--. stash stash unconfined_u:object_r:mysqld_db_t:s0 authorized_keys →/etc/ssh/sshd_config && /etc/network/interfaces → iptables-save nope? → broken _netfs ?

84. What if... → ./configure && make && make install → .zip → Dev & Ops have 2 different build & installation methods? Plz.. → pkg repos (or Nexus) → use fpm for creating pkgs if needed (demo)

87. → make developers create monitoring → find yourself between RRD and InfluxDB → will product team be able to query your monitoring DB? → Etsy case (Ganglia / Graphite)

92. → learn on OPS mistakes → Major Incident Reports – source of improvement → Learn developers about change management → Make CM an easy process. Use simple tools.

96. Let's arch the infrastructure

97. Addressing the space → VLSM → DHCP & DDNS → KISS: flat networks! → stop /24!

102. What about DNS? → BIND roxx (views etc) → KISS: maybe decentralized w/Ansible?

103. view "internal-view" { match-clients { internal; }; recursion yes; zone "lasyk.info" IN { type master; file "internal.lasyk.info.conf"; allow-transfer { any; } }; view "external-view" { match-clients { any; }; recursion no; zone "lasyk.info" IN { type master; file "external.lasyk.info.conf"; allow-transfer { none; }; };

104. view "internal-view" { match-clients { internal; }; recursion yes; zone "lasyk.info" IN { type master; file "internal.lasyk.info.conf"; allow-transfer { any; } }; view "external-view" { match-clients { any; }; recursion no; zone "lasyk.info" IN { type master; file "external.lasyk.info.conf"; allow-transfer { none; }; };

106. Linux Containers = namespaces + cgroups + storage Linux containers equation

107. Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behavior control groups (cgroups)

108. →grouping processes →allocating resources to particular groups →memory →network →CPU →storage bandwidth (I/O throttling) →device whitelisting control groups (cgroups)

115. little demo? control groups (cgroups)

116. Providing a unique views of the system for processes. → PID – PIDs isolation → NET – network isolation (via virt-ifaces; demo) → IPC – won't use this → MNT – chroot like; deals w/mountpoints → UTS – deals w/hostname Kernel Namespaces

123. little demo? Kernel Namespaces

124. → hell fast (you'll see) → page cache sharing → finally in upstream kernel (in rhel from 7.2) → finally supported by docker (-s overlay) → SELinux not there yet (but will be) OverlayFS

129. http://developerblog.redhat.com/2014/09/30/overview-storage-scalability-docker/ OverlayFS

132. Developers' envs? → use containers! → configure cgroups → use LXC / LXC Web Panel → use Ansible for spinning up anything!

137. Containers embraces granularity → microservices!

138. Containers embraces granularity → microservices! Watch out for microservices architecture, or...

139. Containers embraces granularity → microservices! Watch out for microservices architecture, or...

141. Who knows FHS?

142. Who knows FHS? → 'temp' – what it consist?

143. Who knows FHS? → 'temp' – what it consist? → actually: “This Entity Must Persist” ;)

144. Who knows FHS? → 'temp' – what it consist? → actually: “This Entity Must Persist” ;) → Define your FHS!

145. Mikado Method for the win! → set a goal → experiment → visualize → rollback

149. Mikado Method for the win! → before any work and rollbacks.. → remember: monitoring & tests are your friends! → think about testing strategy – think heatmaps!

150. Ansible & infra layers Layer 1: bare metal, Layer 2: VM Layer 3: container Networking Hypervisor + VM provisioning Storage Networking Container's engine & provisioning Application build Application env Network interfaces Storage mounts Resources allocation repo1 repo2 repo3 Much simpler w/one, flat network (for small envs)!

151. Ansible & infra layers Layer 1: bare metal, Layer 2: VM Layer 3: container Networking Hypervisor + VM provisioning Storage Networking Container's engine & provisioning Application build Application env Network interfaces Storage mounts Resources allocation repo1 repo2 repo3 Much simpler w/one, flat network (for small envs)! repo2 Layer 2: VM Networking Container's engine & provisioning repo2

152. Ansible & infra layers Layer 1: bare metal, Layer 2: VM Layer 3: container Networking Hypervisor + VM provisioning Storage Networking Container's engine & provisioning Application build Application env Network interfaces Storage mounts Resources allocation repo1 repo2 repo3 Much simpler w/one, flat network (for small envs)! repo2 Layer 2: VM Networking Container's engine & provisioning repo2 Network interfaces Storage mounts repo2

153. Ansible & infra layers Layer 1: bare metal, Layer 2: VM Layer 3: container Networking Hypervisor + VM provisioning Storage Networking Container's engine & provisioning Application build Application env Network interfaces Storage mounts Resources allocation repo1 repo2 repo3 Much simpler w/one, flat network (for small envs)! repo2 Layer 2: VM Networking Container's engine & provisioning repo2 Network interfaces Storage mounts repo2 Layer 3: container Application build Application env repo3

154. Ansible & infra layers Layer 1: bare metal, Layer 2: VM Layer 3: container Networking Hypervisor + VM provisioning Storage Networking Container's engine & provisioning Application build Application env Network interfaces Storage mounts Resources allocation repo1 repo2 repo3 Much simpler w/one, flat network (for small envs)! repo2 Layer 2: VM Networking Container's engine & provisioning repo2 Network interfaces Storage mounts repo2 Layer 3: container Application build Application env repo3 Resources allocation repo3

155. Ansible & infra layers Layer 1: bare metal, Layer 2: VM Layer 3: container Networking Hypervisor + VM provisioning Storage Networking Container's engine & provisioning Application build Application env Network interfaces Storage mounts Resources allocation repo1 repo2 repo3 Much simpler w/one, flat network (for small envs)!

156. → automated service discovery and registration framework → ideal for SOA architectures → ideal for continuous integration & delivery → solves “works on my machine” problem SmartStack

157. → automated service discovery and registration framework → ideal for SOA architectures → ideal for continuous integration & delivery → solves “works on my machine” problem SmartStack haproxy + nerve + synapse + zookeper = smartstack

158. Synapse → discovery service (via zookeeper or etcd) → installed on every node → writes haproxy configuration → application doesn't have to be aware of this → works same on bare / VM / docker → https://github.com/airbnb/nerve SmartStack

159. SmartStack

160. Nerve → health checks (pluggable) → register service info to zookeper (or etcd) → https://github.com/airbnb/synapse SmartStack

161. SmartStack

162. SmartStack

163. Smartstack + Docker = <3

164. Smartstack + Docker = <3 but also remember about Consul (come to #dockerkrk 2 meetup!)

165. questions?

166. Archaeological workshop

167. Archaeological workshop → nmap, tcpdump, lsof, strace, sysdig, sar → cgroups throttling on-the-fly Do we have time for demo?

168. Hardware: disks? → RAID5 vs RAID10 → Howto RAID over 1 disk ;) → Cheap SSD drives?

171. http://techreport.com/review/27909/the-ssd-endurance-experiment-theyre-all-dead

172. Why use LVM? → indexation (capacity, inodes check) → capacity planning / iops per mount

173. Under the dome (of failure driven pipeline) Maciej Lasyk 4developers – Warsaw 2015-04-20

4Developers 2015: Under the dome (of failure driven pipeline) - Maciej Lasyk

More Related Content

Viewers also liked (14)

Similar to 4Developers 2015: Under the dome (of failure driven pipeline) - Maciej Lasyk (20)

Recently uploaded (20)

4Developers 2015: Under the dome (of failure driven pipeline) - Maciej Lasyk