CUSTOMER
WHO?
Sten Spans
Schuberg Philis
@sspans (github, etc)
TOPIC
Going from 100 to 10000 systems
Orchestrating a Zone
Not Google-scale
WHY?
New Zone
Rethink principles
Automate
Comments on Centos7/KVM
Conceptual or Technical?
WHAT?
SUDO MAKE CLOUD
Networking
Hypervisors
Storage
Orchestration
TOYS
Source: https://www.flickr.com/photos/rfc1036/406675831/
STAFF
GOAL
GOAL
CLOUDY
https://www.flickr.com/photos/versageek/493800514
MISTAKES
Artisanal / Pets
Network not Scalable / Redundant
Stretching Failure-domains
Other technical downsides
Lack of Automation
WHAT IS ARTISANAL?
People tracking MAC addresses
Tweaking settings for each system
Multiple sources of truth
Validation / Acceptance test
Naming - individual servers
NAMING?
Impacts automation
Impacts labeling
Impacts replacements
Go for location-based identities!
NETWORKING?
Large layer2 domains
Sharing networks between zones
Manual configuration
Not redundant (enough)?
Or more failures due to redundancy?
FAILURE DOMAINS
Do you really want twin-datacenter?
Clustering is complicated…
Way more complicated failures…
Have you actually tested failures?
GOAL
Manage zone as one unit
Capture design / logic in config-management
Versioned Iterations
Think about naming
Think about how you identify hosts
Simplify…
GOAL
Stop managing individual servers (cattle)
Stop being Artisanal
Start scaling
Start Orchestrating
Think Terraform/CloudFormation/Heat
BUILDING BLOCKS
Isolated Networking
Isolated Pods
Worry-free Storage
Optional: Dedicated SDN Clusters
Fully orchestrated zones
BOOTSTRAP NETWORK CORE
Core Switches
LoM switch
Hypervisors
SDN?
CORE SWITCHES
Linux based
Bootstrap via DHCP/HTTP
Chef/Ansible/Puppet supported!
Capture design in cookbooks/playbooks
Can run additional services
SDN
Cluster per (availability) Zone
Failure Domain
Features vs. Lock-in
Complicated? Expensive?
Accept tunnels between zones
Customers will accept trade-offs!
BOOTSTRAP A POD
TOR Switch Pair
LoM switch
Hypervisors
Storage
TOR SWITCHES
Linux Based
Bootstrap via DHCP/HTTP
Chef/Ansible/Puppet supported!
Capture design in cookbooks/playbooks
Can run DHCP/DNS per Pod
Move pod services into the Pod
LOM SWITCHES
Can bootstrap via ToR switch
Config via ToR
Manage iLOs via DHCP Hooks
Would love a linux box here too
HYPERVISORS
Linux Based
Automated Firmware Updates
Bootstrap via DHCP/HTTP
HTTP Bootstrap via Chef
TFTP Proxy on ToR
Location based DHCP (Option 82)
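The location-based identity the slides argue for (name a host by where it is plugged in, not by which MAC address it happens to carry) hinges on decoding the relay agent information the ToR switch inserts as DHCP Option 82. The block below is an added example, not code from this talk or from Nekopan: it parses the RFC 3046 suboptions (circuit-id and remote-id), rejects malformed relay data rather than silently truncating it, and derives a hostname of the form pod-switch-module-port. The payload encoding assumed here (remote-id = switch name as ASCII, circuit-id = two bytes for module and port) is a constructed convention; real switches encode these differently and the decoder has to be matched to the hardware in use.

```python
"""Derive a location-based host identity from DHCP Option 82 (RFC 3046).

Added example; not code from the talk or any tool it names. The suboption
payload encodings (remote-id = switch name as ASCII, circuit-id = module
byte + port byte) are a constructed convention for illustration only.
"""
import struct

# RFC 3046 relay agent information suboption codes
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def parse_option82(payload: bytes) -> dict:
    """Split an Option 82 value into {suboption_code: data}.

    `payload` is the option value only (after the 0x52 code and length byte
    of the enclosing DHCP option). Each suboption is code(1) len(1) data(len).
    Bad lengths or duplicate suboptions raise ValueError, so a misbehaving
    relay shows up instead of producing a half-parsed identity.
    """
    subopts = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated suboption header at offset %d" % i)
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("suboption %d claims %d bytes, %d present"
                             % (code, length, len(data)))
        if code in subopts:
            raise ValueError("duplicate suboption %d" % code)
        subopts[code] = data
        i += 2 + length
    return subopts


def location_identity(payload: bytes, pod: str) -> str:
    """Map relay agent info to a hostname of the form pod-switch-mN-pNN.

    The result depends only on the switch port, never on the client MAC,
    so a replaced chassis in the same slot keeps the same name.
    """
    subopts = parse_option82(payload)
    try:
        remote_id = subopts[SUBOPT_REMOTE_ID].decode("ascii")
        module, port = struct.unpack("!BB", subopts[SUBOPT_CIRCUIT_ID])
    except KeyError as exc:
        raise ValueError("relay agent info missing suboption %s" % exc)
    except (UnicodeDecodeError, struct.error) as exc:
        raise ValueError("unexpected suboption encoding: %s" % exc)
    # only hostname-safe characters may come from the switch
    if not remote_id.replace("-", "").isalnum():
        raise ValueError("remote-id %r is not hostname-safe" % remote_id)
    return "%s-%s-m%d-p%02d" % (pod, remote_id.lower(), module, port)


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode the two suboptions; used here only to build sample input."""
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


# Constructed sample: a host on module 1, port 12 of ToR switch "tor1a" in pod7
SAMPLE = build_option82(struct.pack("!BB", 1, 12), b"tor1a")

if __name__ == "__main__":
    print(location_identity(SAMPLE, "pod7"))  # pod7-tor1a-m1-p12
```

Hooking this into a DHCP server (for instance an ISC dhcpd `on commit` hook, or the HTTP bootstrap service) is where the identity would be handed to the config-management system; the parser itself stays the same.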
HYPERVISOR HARDWARE
Machines are extremely scalable
Calculate cost per VM
Waiting for 25G Ethernet
Has anybody solved EFI PXE? Please?
PROVISIONING
Bootstrap via DHCP/HTTP
Nekopan - Golang webserver
Interfaces with Chef
(or ansible/puppet)
STORAGE
Stable
NFS – For now…
API Driven
No fancy replication / clustering
DONE?
Let's add all of this to cloudstack…
CLOUDSTACK
SDN providers need work
cloudstack-setup-agent is … horrible
Routervm/SystemVM
Small networking issues
And I bet there is more…
THE HORROR:
WHAT IS GOING ON?
All Ubuntu is the same…
Fedora == Redhat 6
Centos == Redhat 5
Or you may have Redhat 7
Really? WTF?
RESULTS ON CENTOS 7
Selinux is disabled (revert broken)
Firewall changes don’t work for firewalld
Cgroup changes are not that cool really
Workarounds for old bugs result in breakage on newer systems
So I reinstalled the box
CENTOS 7 STATUS
Selinux seems to work
Labeled NFS is still bleeding edge
No need to mess with cgroups
Firewalld is pretty nice really
Cloudstack should perhaps audit the config
But please don’t change it…
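The two previous slides describe a setup agent that guesses the distribution wrong (CentOS taken for Red Hat 5 on a 7 box) and then edits SELinux, cgroup and firewall settings to match that guess, which is how the host ended up with SELinux disabled and firewall rules that firewalld never saw. The "audit, don't change" alternative looks like the block below. It is an added example, not cloudstack-setup-agent code: the platform comes from /etc/os-release (ID, ID_LIKE, VERSION_ID are standard fields), version-specific checks are gated on the detected major so an EL5 workaround cannot fire on EL7, and the output is a list of findings for a person to act on; nothing is written to the host. File contents are passed in as strings so the checks run offline; the sample inputs are constructed, and `firewalld_active` is assumed to come from the caller (for example from `systemctl is-active firewalld`).

```python
"""Audit SELinux and firewall configuration on an EL host without changing it.

Added example; not cloudstack-setup-agent code. Inputs are file contents
as strings so the checks are testable offline. Sample values are constructed.
"""
import re


def parse_os_release(text: str) -> dict:
    """Parse the KEY=value / KEY="value" lines of /etc/os-release."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields


def detect_platform(os_release: str):
    """Return (family, major_version) from os-release content.

    family is 'rhel' for Red Hat and its rebuilds (CentOS reports
    ID_LIKE="rhel fedora"), otherwise the raw ID; major is an int or
    None when VERSION_ID is missing or unparseable.
    """
    fields = parse_os_release(os_release)
    osid = fields.get("ID", "").lower()
    like = fields.get("ID_LIKE", "").lower().split()
    family = "rhel" if osid == "rhel" or "rhel" in like else osid
    m = re.match(r"(\d+)", fields.get("VERSION_ID", ""))
    major = int(m.group(1)) if m else None
    return family, major


def parse_selinux_config(text: str) -> str:
    """Return the SELINUX= mode from /etc/selinux/config, or 'unknown'."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SELINUX="):
            return line.split("=", 1)[1].strip().lower()
    return "unknown"


def audit(os_release: str, selinux_config: str, firewalld_active: bool) -> list:
    """Produce findings for a human; never modifies anything."""
    findings = []
    family, major = detect_platform(os_release)
    if family != "rhel" or major is None:
        findings.append("unrecognised platform %r %r; skipping EL-specific checks"
                        % (family, major))
        return findings
    mode = parse_selinux_config(selinux_config)
    if mode != "enforcing":
        findings.append("SELinux mode is %r in /etc/selinux/config; expected enforcing"
                        % mode)
    # EL7-only check: the firewall is owned by firewalld, so rules added by
    # editing iptables directly are not what firewalld will apply on reload.
    if major >= 7 and firewalld_active:
        findings.append("firewalld is active on EL%d; apply rules with firewall-cmd "
                        "rather than editing iptables directly" % major)
    return findings


# Constructed sample inputs resembling a CentOS 7 host after a bad agent run
SAMPLE_OS_RELEASE = '''NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
'''
SAMPLE_SELINUX_DISABLED = '''# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_OS_RELEASE, SAMPLE_SELINUX_DISABLED, True):
        print("FINDING:", finding)
```

Reading the platform from /etc/os-release and gating every check on the detected major is the whole point: a tool that cannot tell EL5 from EL7 has no business rewriting security settings, and a tool that only reports leaves the decision with the operator.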
ROUTERVM
We run ansible to hotfix/manage routervms
But ip / kernel command line not available on KVM ☹
Qemu-guest-agent solves that and more…
Libvmi – not sure