Why did your mom care about underwear? She wanted you to have good hygiene. What is good Ops hygiene? It’s not as simple as keeping up with the laundry, but the idea is similar. It means that we’re not going to get surprised by something in our environment that we’d taken for granted. It means that we have a fundamental level of control to keep clean. Let’s explore this in context.
I’ve struggled with the term “underlay” for infrastructure of a long time. At RackN, we generally prefer the term “ready state” to describe getting systems prepared for install; however, underlay fits very well when we consider it as the foundation for a more building up a platform like Kubernetes, Docker Swarm, Ceph and OpenStack. Even more than single operator applications, these community built platforms require carefully tuned and configured environments. In my experience, getting the underlay right dramatically reduces installation challenges of the platform.
What goes into a clean underlay? All your infrastructure and most of your configuration.
Just buying servers (or cloud instances) does not make a platform. Cloud underlay is nearly as complex, but let’s assume metal here. To turn nodes into a cluster, you need setup their RAID and BIOS. Generally, you’ll also need to configure out-of-band management IPs and security. Those RAID and BIOS settings specific to the function of each node, so you’d better get that right. Then install the operating system. That will need access keys, IP addresses, names, NTP, DNS and proxy configuration just as a start. Before you connect to the wide, make sure to update to your a local mirror and site specific requirements. Installing Docker or a SDN layer? You may have to patch your kernel. It’s already overwhelming and we have not even gotten to the platform specific details!
Buried in this long sequence of configurations are critical details about your network, storage and environment.
Any mistake here and your install goes off the rails. Imagine that your building a house: it’s very expensive to change the plumbing lines once the foundation is poured. Thankfully, software configuration is not concrete but the costs of dealing with bad setup is just as frustrating.
The underlay is the foundation of your install. It needs to be automated and robust.
The challenge compounds once an installation is already in progress because adding the application changes the underlay. When (not if) you make a deploy mistake, you’ll have to either reset the environment or make your deployment idempotent (meaning, able to run the same script multiple times safely). Really, you need to do both.
Why do you need both fast resets and component idempotency? They each help you troubleshoot issues but in different ways. Fast resets ensure that you understand the environment your application requires. Post install tweaks can mask systemic problems that will only be exposed under load. Idempotent action allows you to quickly iterate over individual steps to optimize and isolate components. Together they create resilient automation and good hygiene.
In my experience, the best deployments involved a non-recoverable/destructive performance test followed by a completely fresh install to reset the environment. The Ops equivalent of a full dress rehearsal to flush out issues. I’ve seen similar concepts promoted around the Netflix Chaos Monkey pattern.
If your deployment is too fragile to risk breaking in development and test then you’re signing up for an on-going life of fire fighting. In that case, you’ll definitely need all the “clean underware” you can find.
The RackN team has been working on making DevOps more portable for over five years. Portable between vendors, sites, tools and operating systems means that our automation needs be to hybrid in multiple dimensions by design.
Why drive for hybrid? It’s about giving users control.
I believe that application should drive the infrastructure, not the reverse. I’ve heard may times that the “infrastructure should be invisible to the user.” Unfortunately, lack of abstraction and composibility make it difficult to code across platforms. I like the term “fidelity gap” to describe the cost of these differences.
What keeps DevOps from going hybrid? Shortcuts related to platform entangled configuration management.
Everyone wants to get stuff done quickly; however, we make the same hard-coded ops choices over and over again. Big bang configuration automation that embeds sequence assumptions into the script is not just technical debt, it’s fragile and difficult to upgrade or maintain. The problem is not configuration management (that’s a critical component!), it’s the lack of system level tooling that forces us to overload the configuration tools.
What is system level tooling? It’s integrating automation that expands beyond configuration into managing sequence (aka orchestration), service orientation, script modularity (aka composibility) and multi-platform abstraction (aka hybrid).
My ops automation experience says that these four factors must be solved together because they are interconnected.
|Mono-Infrastructure IT||“Hybrid DevOps”|
|Locked into a single platform||Portable between sites and infrastructures with layered ops abstractions.|
|Limited interop between tools||Adaptive to mix and match best-for-job tools. Use the right scripting for the job at hand and never force migrate working automation.|
|Ad hoc security based on site specifics||Secure using repeatable automated processes. We fail at security when things get too complex change and adapt.|
|Difficult to reuse ops tools||Composable Modules enable Ops Pipelines. We have to be able to interchange parts of our deployments for collaboration and upgrades.|
|Fragile Configuration Management||Service Oriented simplifies API integration. The number of APIs and services is increasing. Configuration management is not sufficient.|
|Big bang: configure then deploy scripting||Orchestrated action is critical because sequence matters. Building a cluster requires sequential (often iterative) operations between nodes in the system. We cannot build robust deployments without ongoing control over order of operations.|
Should we call this “Hybrid Devops?” That sounds so buzz-wordy!
I’ve come to believe that Hybrid DevOps is the right name. More technical descriptions like “composable ops” or “service oriented devops” or “cross-platform orchestration” just don’t capture the real value. All these names fail to capture the portability and multi-system flavor that drives the need for user control of hybrid in multiple dimensions.
Simply put, we need devops without borders!
What do you think? Do you have a better term?
The RackN team did not plan to replace Cobbler, we just needed something that responded to our need for full-cycle cross-platform DevOps automation.
Provisioning an O/S is never enough! You need to coordinate a lot of operational activity to deploy a multi-node system, like OpenStack, Kubernetes, Docker Swarm or Ceph. Since we believe an automated upgrade path is also required, there is a huge gap in provisioning.
So what was needed? Here’s our (rather long!) list of gaps to fill for full Metal DevOps provisioning:
|1||Needs to work with Cobbler!||Improve? Yes. Disrupt? Hell No! It has to be OK to leave Cobbler in place while we do something better. I’d be OK to tweak my Cobber to point it to the new stuff.|
|2||REST API & JSON CLI||Beyond the obvious API, we really want a way to write scripts that drive deployment proactively.|
|3||Modular Components||If I’ve got my own DNS, DHCP, NTP, etc then let me use those instead (see #1 above)|
|4||Control over the discovery image||RAM Discovery images are awesome BUT please let me mess with it too! Inject my keys and let me control when it exits.|
|5||Configure heterogenous RAID, BIOS & IPMI||Servers are a mix of in-band (in the O/S) or out-of-band (BMC) configs. Don’t make me pick, I can’t.|
|6||Inject DevOps scripts dynamically based on system inventory or state||Depending on the node’s role, I want to run a set of scripts AFTER the O/S is installed. And, please let me mix Chef, Puppet, Ansible and Bash. Bash? Especially Bash.|
|7||Portable Scripts between Cloud or Metal||I’m going to practice on VMs and AWS. In fact, my devs only work there. I need high fidelity between my cloud and metal deploys.|
|8||One-click to reset and start over||I don’t care if you want to call this “Metal as a Service.” Deployments are iterative and we need to go faster.|
|9||Don’t require PXE or IP control to add nodes to the system||Beyond #2, I want to get control of servers that don’t PXE or are already provisioned.|
|10||System Inventory including Network topology. Then Push it.||No surprise that we need inventory to make provisioning decisions. Can we make that API available? Maybe push into CMDB?|
|11||Control SSH keys per system, group and deployment||Darn, Security is near the bottom again! Can we please control keys and access from first boot. It should be table stakes.|
|0||AND NEVER HAVE TO TOUCH KICKSTART or PRESEED TEMPLATES||Well, there are times I have to do it (like soft raid for O/S drives), so at least create a template system because Cobbler’s was pretty good.|
We built Digital Rebar to close these gaps and many others (like transparent in operation, working in containers, and failing fast). We think it’s time to bring cloud operational practices into metal. With this type of automation, we can make it happen!
What are your biggest challenges with Metal Ops? Does it match this list? I’ve love to hear your opinion.
Like my previous DefCore interop windmill tilting, this is not something that can be done alone. Open infrastructure is a collaborative effort and I’m looking for your help and support. I believe solving this problem benefits us as an industry and individually as IT professionals.
So, what is open infrastructure? It’s not about running on open source software. It’s about creating platform choice and control. In my experience, that’s what defines open for users (and developers are not users).
I’ve spent several years helping lead OpenStack interoperability (aka DefCore) efforts to ensure that OpenStack cloud APIs are consistent between vendors. I strongly believe that effort is essential to build an ecosystem around the project; however, in talking to enterprise users, I’ve learned that that their real interoperability gap is between that many platforms, AWS, Google, VMware, OpenStack and Metal, that they use everyday.
Instead of focusing inward to one platform, I believe the bigger enterprise need is to address automation across platforms. It is something I’m starting to call hybrid DevOps because it allows users to mix platforms, service APIs and tools.
Open infrastructure in that context is being able to work across platforms without being tied into one platform choice even when that platform is based on open source software. API duplication is not sufficient: the operational characteristics of each platform are different enough that we need a different abstraction approach.
We have to be able to compose automation in a way that tolerates substitution based on infrastructure characteristics. This is required for metal because of variation between hardware vendors and data center networking and services. It is equally essential for cloud because of variation between IaaS capabilities and service delivery models. Basically, those minor differences between clouds create significant challenges in interoperability at the operational level.
Rationalizing APIs does little to address these more structural differences.
The problem is compounded because the differences are not nicely segmented behind abstraction layers. If you work to build and sustain a fully integrated application, you must account for site specific needs throughout your application stack including networking, storage, access and security. I’ve described this as all deployments have 80% of the work common but the remaining 20% is mixed in with the 80% instead of being nicely layers. So, ops is cookie dough not vinaigrette.
Getting past this problem for initial provisioning on a single platform is a false victory. The real need is portable and upgrade-ready automation that can be reused and shared. Critically, we also need to build upon the existing foundations instead of requiring a blank slate. There is openness value in heterogeneous infrastructure so we need to embrace variation and design accordingly.
This is the vision the RackN team has been working towards with open source Digital Rebar project. We now able to showcase workload deployments (Docker, Kubernetes, Ceph, etc) on multiple cloud platforms that also translate to full bare metal deployments. Unlike previous generations of this tooling (some will remember Crowbar), we’ve been careful to avoid injecting external dependencies into the DevOps scripts.
While we’re able to demonstrate a high degree of portability (or fidelity) across multiple platforms, this is just the beginning. We are looking for users and collaborators who want to want to build open infrastructure from an operational perspective.
You are invited to join us in making open cross-platform operations a reality.
The recent discussion about OpenStack API vs Implementation had led to several discussions about “OpenStack Values.” While entertaining, they ultimately show that we have a lot of conflicting desires and opinions about the project. In fact, the term “values” is itself hard to define.
Consequently, I wanted to try to capture what I see as OpenStack’s current values (not my personal ones for the project – those are in the post script). I’ve tried to put everything in positive terms, but value choices always have positive and negative impacts.
|1||Upstreaming||Share code base and community effort||“First in” wins
Latest over stability
Measure value in commits
|2||Vendor’s taking initiative||Broad Participation
Free marketing buzz
|No one wants to say no because of Vendor bias perception|
|3||End-to-end open source||No licenses required for scale users and developers||Build, don’t buy wastes a lot of effort
Does not align with users who want to pay for services
|4||Developer leadership||Lots of code being created||Not many user requirements being considered|
|5||Figuring out API via implementation||Fast iterations||Frustrating APIs
|6||Passionate discussion||Diversity of opinion
Drama attracts attention
Loudest voice wins
Cross culture challenges
|7||Being able to contribute broadly||Generally maintainable platform||Deep skills in subject matters
Best tool for the job
In my experience, if you don’t align with a communities values then you’re going to be very unhappy in the community. I’ve watched this happen to project founders and the community changed around them. Let’s all RAGE QUIT!
So, this makes me reflect on my own open source values. I’d start with pragmatic utility, transparent action, principle driven decisions, iterative design and data driven decisions.
What do you value most in open communities?
At the OpenStack Tokyo summit, I gave a short interview on Deployment Fidelity. I’ve come to see the fidelity problem more broadly as the hybrid DevOps challenge that I described in my 2016 Predictions post as the end of mono-clouds. Thanks Ken Hui from OpenStack Superuser TV for resurfacing this link!