Introduction to IBM Cloud Private
This chapter provides an introduction to IBM Cloud Private and related technologies and has the following sections:
|
GitHub materials: If you’d like to follow the code examples in this IBM Redbooks publication, you can download the GitHub repository of this book. See Appendix B, “Additional material” on page 365 for instructions.
|
1.1 IBM Cloud Private overview1
IBM Cloud Private is an application platform for developing and managing containerized applications across hybrid cloud environments, on-premises and public clouds. It is an integrated environment that includes the container orchestrator Kubernetes, a private image registry, a management console, and monitoring frameworks.
IBM Cloud Private is a next-generation, pre-packaged, enterprise-class solution and platform for developing and managing containerized applications. This integrated environment can be deployed behind firewalls, and managed or controlled by whomever the enterprise determines. It is built on Kubernetes.
With a lightweight footprint and powerful platform capabilities, IBM Cloud Private enables enterprises to unleash their developmental creativity, using industry-common technologies and process guidance, in a minimal time frame.
Platform technologies enabling cloud native development include Docker containers and Kubernetes with integrated operations management for security, logging, monitoring and event management. IBM Cloud Private also provides access to necessary application runtimes and data services.
Figure 1-1 shows the IBM Cloud Private capabilities.
Figure 1-1 IBM Cloud Private capabilities
Use cases for IBM Cloud Private include the following situations:
•Create new cloud-native apps.
•Modernize your existing apps on cloud.
•Open your data center to work with cloud services.
See What is IBM Cloud Private for more information.
IBM Cloud Private is differentiated by providing production application services, application runtimes, data and analytics services, messaging services, caching services, plus many more that are necessary for developers to quickly and iteratively innovate based on their enterprise business needs.
This private cloud platform is part of the broader IBM Cloud portfolio and provides choice with consistency across IBM public, private, and dedicated cloud models. IBM Cloud Private delivers a choice of open-source application runtimes, consistent with IBM public cloud offerings: Kubernetes and containers or Cloud Foundry technology.
Your enterprise can choose the prescriptive development approach of Cloud Foundry, or the more customizable and portable approach of Kubernetes and Docker Containers.
Along with the application runtime frameworks, IBM delivers a core set of management services for these frameworks and the applications being developed on top. Some examples of the management services include logging, monitoring, access control, and event management.
Enterprises can use these management tools integrated with the platform and ready to use. These are tools frequently used by enterprise clients today and leverage existing skills. If needed, these tools can be integrated with enterprise instantiations, so that the management needs are operationalized from one location.
One of the most beneficial aspects of the IBM Cloud Private platform is the application services that move innovation from idea to reality. As shown in Figure 1-2, IBM Cloud Private includes services for data, messaging, Java, integration, Blockchain, DevOps, analytics, and others. These services are crucial for enterprise application creation, and with IBM Cloud Private they can be deployed rapidly and ready to accelerate new ideas.
Figure 1-2 IBM Cloud Private components
IBM Cloud Private supports choice in application development with Kubernetes, Cloud Foundry, and function-based programming models. It provides these benefits:
•Containers and orchestration that are based on Kubernetes for creating microservices-based applications.
•A common catalog of enterprise and open services to accelerate developer productivity.
•A choice of compute models for rapid innovation, including Kubernetes and Cloud Foundry.
•Common base services to support the scalable management of microservices, including Istio, monitoring with Prometheus, logging with Elasticsearch, Logstash, and Kibana (ELK).
•Automatic horizontal and non-disruptive vertical scaling of applications.
•Network and storage policy-based controls for application isolation and security.
•Automated application health checking and recovery from failures.
•Support over IaaS infrastructure, including OpenStack and VMware.
•Through the Cloud Automation Manager component, support for Terraform and Chef to allow the orchestration of infrastructure.
1.2 IBM Cloud Private node types
An IBM Cloud Private cluster has the following node types:
•Boot node
•Master node
•Worker node
•Management node
• Proxy node
•VA node
•etcd node
1.2.1 Boot node
A boot or bootstrap node is used for running installation, configuration, node scaling and cluster updates. Only one boot node is required for any cluster. A single node can be used for both master and boot. See Figure 1-3.
|
Note: In the following images, the clusters represent minimal IBM Cloud Private configurations. Actual production configurations can vary.
|
Figure 1-3 Boot node
|
Note: You can use a single boot node for multiple clusters. In such a case, the boot and master cannot be on a single node. Each cluster must have its master node. On the boot node, you must have a separate installation directory for each cluster. If you are providing your own certificate authority (CA) for authentication, you must have a separate CA domain for each cluster.
|
1.2.2 Master node
A master node provides management services and controls the worker nodes in a cluster. Master nodes host processes that are responsible for resource allocation, state maintenance, scheduling, and monitoring. Multiple master nodes are used in a high availability (HA) environment to allow for failover if the leading master host fails.
Hosts that can act as the master are called master candidates. See Figure 1-4.
Figure 1-4 Master node
|
Note: if you do not specify a separate proxy, management, or etcd node, those components are also handled by the master node.
|
1.2.3 Worker node
A worker node is a node that provides a containerized environment for running tasks. As demands increase, more worker nodes can easily be added to the cluster to improve performance and efficiency. A cluster can contain any number of worker nodes, but a minimum of one worker node is required. See Figure 1-5.
Figure 1-5 Worker node
1.2.4 Management node
A management node is an optional node that only hosts management services, such as monitoring, metering, and logging. By configuring dedicated management nodes, you can prevent the master node from becoming overloaded. See Figure 1-6.
Figure 1-6 Management node
1.2.5 Proxy node
A proxy node is a node that transmits external requests to the services created inside the cluster. Multiple proxy nodes are deployed in a high availability (HA) environment to allow for failover if the leading proxy host fails. While a single node is used as both master and proxy, it is best to use dedicated proxy nodes to reduce the load on the master node. A cluster must contain at least one proxy node if load balancing is required inside the cluster. See Figure 1-7 on page 9.
Figure 1-7 Proxy node
1.2.6 VA (Vulnerability Advisor) node
A VA (Vulnerability Advisor) node is an optional node that is used for running the Vulnerability Advisor services. Vulnerability Advisor services are resource intensive. If you use the Vulnerability Advisor service, specify a dedicated VA node. See Figure 1-8.
Figure 1-8 VA node
1.2.7 An etcd node
An etcd node is an optional node that is used for running the etcd distributed key value store. Configuring an etcd node in an IBM Cloud Private cluster that has many nodes, such as 100 or more, helps to improve the etcd performance. See Figure 1-9.
Figure 1-9 etcd node
|
Supported platforms: For the most recent information on supported platforms for each IBM Cloud Private version 3.1.2 node type, see the Supported operating systems and platforms IBM Knowledge Center link.
|
1.3 IBM Cloud Private architecture
The IBM Cloud Private architecture provides container-as-a-service (CaaS) and platform-as-a-service (PaaS) capabilities.
Figure 1-10 on page 11 shows the IBM Private Cloud architecture.
Figure 1-10 IBM Private Cloud architecture2
The architecture provides several benefits, as shown in Figure 1-10:
•Container orchestration, which is at the core of the architecture; this layer provides cluster management, security capabilities, image repositories, routing services and microservices mesh.
•A PaaS layer, which can enhance a container environment by providing higher-level runtimes and service bindings that allow for an easier development experience.
•The CaaS and PaaS layer, which sit over an infrastructure layer that provides compute through virtual machines, network, storage and security.
•Automation and orchestration for the underlying infrastructure, allowing for an infrastructure-neutral software-defined data center; infrastructure automation can provide predefined infrastructure templates to create repeatable patterns.
•A private cloud platform provides monitoring for container-based applications to provide logging, dashboards and automation; it supports network and storage policy-based controls for application isolation and security, and automated application health checking and recovery from failures.
•The ability to run containerized workloads for several patterns, such as cloud-native, data workloads, integration workloads, tooling workloads and some middleware, such as Java Application Server.
•A developer catalog of workloads that you can provision over containers to automate the developer experience.
The private cloud architecture is supported by IBM Cloud Private, as shown in Figure 1-11. By supporting Kubernetes and Cloud Foundry, IBM Cloud Private provides choice in application development. You get a wealth of content that can be containerized, tools for end-to-end automation, and management tools.
Figure 1-11 IBM Private Cloud architecture with product names3
For more information about the IBM Cloud Private architecture, visit the following IBM Cloud Architecture link: https://www.ibm.com/cloud/garage/architectures/private-cloud/reference-architecture
1.4 IBM Cloud Private features and benefits
The following sections describe the major features in IBM Cloud Private.
1.4.1 A unified installer
Rapidly set up a Kubernetes based cluster that contains master, worker, proxy, and optional management and Vulnerability Advisor nodes by using an Ansible based installer. This Ansible based installer is fast and simple to use. Run a few simple commands from a single boot node, and your cluster is up and running in a few minutes.
See Chapter 2, “High availability installation” on page 31 for details on installing IBM Cloud Private.
1.4.2 Robust logging with ELK stack
Logs are critical for debugging and post-mortem in production failures. Twelve-factor applications break down into many microservices, which increases the number of logs across the containers you need to debug. IBM Cloud Private uses the ELK (Elasticsearch, Logstash, Kibana) stack and Filebeat for monitoring and logging.
This process provides a centralized store for all logs and metrics, better performance, and increased stability when you access and query logs and metrics. You can use the results from these queries to produce insightful graphs and reports: that is the dashboard part.
See Chapter 5, “Logging and monitoring” on page 153 for more information on the ELK stack.
1.4.3 Monitoring and alerts
Every container must have its health monitored. Basic liveness probes in Kubernetes ensure failed pods are restarted.
IBM Cloud Private configures custom Prometheus collectors for custom metrics. Custom metrics help provide insights and building blocks for customer alerts and custom dashboards. IBM Cloud Private uses a Prometheus and Grafana stack for system monitoring.
See Chapter 5, “Logging and monitoring” on page 153 for more information on monitoring and alerts in IBM Cloud Private.
1.4.4 Metering
Every container must be managed for license usage. You can use the metering service to view and download detailed usage metrics for your applications and cluster. Fine-grained measurements are visible through the metering UI and the data is kept for up to three months. Monthly summary reports are also available for you to download and are kept for up to 24 months.
1.4.5 Identify and access
IBM Cloud Private introduces the concept of teams on top of raw Kubernetes roles and cluster roles. Teams bind a collection of resources, both inside and outside of Kubernetes, to a set of users with defined roles. The team model is based on the access control model from IBM UrbanCode Deploy.
See Chapter 6, “Security” on page 237 for more information on this topic.
1.4.6 Security
IBM Cloud Private ensures data in transit and data at rest security for all platform services. All services expose network endpoints via TLS and store data which is encrypted at rest. You need to configure IPsec and dm-crypt in order to accomplish that.
All services must provide audit logs for actions performed, when they were performed, and who performed the action. The security model ensures consistent audit trails for all platform services and compliance across all middleware.
See Chapter 6, “Security” on page 237 for details on managing security in IBM Cloud Private.
1.4.7 IBM Vulnerability Advisor
Vulnerability Advisor checks the security status of container images that are provided by IBM, third parties, or added to your organization’s registry namespace. If the Container Scanner is installed in each cluster, Vulnerability Advisor also checks the status of containers that are running.
When you add an image to a namespace, the image is automatically scanned by Vulnerability Advisor to detect security issues and potential vulnerabilities. If security issues are found, instructions are provided to help fix the reported vulnerability.
Vulnerability Advisor provides security management for IBM Cloud Container Registry, generating a security status report that includes suggested fixes and best practices.
Any issues that are found by Vulnerability Advisor result in a verdict that indicates that it is not advisable to deploy this image. If you choose to deploy the image, any containers that are deployed from the image include known issues that might be used to attack or otherwise compromise the container. The verdict is adjusted based on any exemptions that you specified. This verdict can be used by Container Image Security Enforcement to prevent the deployment of nonsecure images in IBM Cloud Kubernetes Service.
Fixing the security and configuration issues that are reported by Vulnerability Advisor can help you to secure your IBM Cloud infrastructure.
1.4.8 IBM Cloud Automation Manager
IBM Cloud Automation Manager (CAM) is a multi-cloud, self-service management platform running on IBM Cloud Private that empowers developers and administrators to meet business demands. This platform allows to efficiently manage and deliver services through end-to-end automation while enabling developers to build applications aligned with enterprise policies.
IBM Cloud Private with Cloud Automation Manager provides choice and flexibility for multiple IT across the organization to build and deliver applications and application environments into production more quickly, with greater consistency and control.
With IBM Cloud Private, developers can get up and running quickly with a lightweight development environment optimized for delivering Docker containerized applications with an integrated DevOps toolchain.
With Cloud Automation Manager, IT infrastructure managers can help provision and maintain cloud infrastructure and traditional VM application environments with a consistent operational experience across multiple clouds.
With the Cloud Automation Manager Service Composer, IT service managers can graphically compose complex cloud services that can be consumed as a service from a DevOps toolchain or delivered in a cloud service catalog.
With a large and growing catalog of pre-built automation content for popular open source and IBM middleware, built to best practices, developers and IT architects can get productive fast.
The main capabilities are:
•Accelerate innovation: it helps to provision into multi-cloud environments through a self-service catalog. it easily integrates with existing processes and tools through automated workflow capabilities.
•Multi-cloud operations: it consistently manage and govern across all of your cloud environments.
•Open source technology: it simplifies your multi-cloud provisioning by utilizing open source and industry standards such as Terraform. you can reuse your existing skills and Chef scripts and avoid vendor lock-in.
•Integration with your existing data center: It allows to use your existing tools (IBM Cloud Brokerage, IBM DevOps, IT management, etc.) to extend IBM Cloud Automation Manager capabilities.
•Infrastructure as code: Infrastructure as code (IaC) is the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.
See the following link for more information on IBM Cloud Automation Manager:
1.4.9 IBM Cloud Transformation Advisor
The Transformation Advisor is an interactive analyzer tool for modernizing monolith Java/J2EE workloads of an enterprise. IBM Transformation Advisor scans the application artefact for its compatibility on IBM Cloud Private and produces a report. It highlights code correction if needed, to make the code compatible to run on IBM Cloud Private. Apart from traditional WebSphere Application Server applications, it also supports other competitor server runtime application for the compatibility to be ported on IBM Cloud Private.
The scan report highlights any gaps and efforts needed to make the application cloud ready for deployment.The result of the Application Binary scan also provides the deployment YAML, docker file for containerizing the application and a liberty server.xml file. If an application is fully compliant and does not requires any changes, then it can be directly deployed to an IBM Cloud Private thorough Transformation Advisor console itself for testing.
Benefits:
•Included and deployed on IBM Cloud Private
•Introspects applications running on most popular runtime environments
•Spits out effort estimates for application modernization for the workload
•Deploy application to a target IBM Cloud Private environment if the application is fully compliant.
•Provides recommendations for application modernization
Figure 1-12 on page 16 shows the IBM Cloud Transformation Advisor. See the following link for more information on IBM Cloud Transformation Advisor:
Figure 1-12 IBM Cloud Transformation Advisor
1.4.10 IBM Microclimate
Microclimate provides an end-to-end, cloud-native solution for creating, building, testing and deploying applications. The solution offers services and tools to help you create and modernize applications in one seamless experience. It covers each step of the process from writing and testing code to building and deployment. The solution enables containerized development, rapid iteration with real-time performance insights, intelligent feedback, diagnostic services, an integrated DevOps pipeline and deployment to the cloud.
You can see the IIBM Cloud Private Application Developer's Guide, SG24-8441 IBM Redbooks for detailed information on IBM Microclimate installation and configuration and how to use it in a sample scenario.
1.4.11 IBM Cloud Private management console
Manage, monitor, and troubleshoot your applications and cluster from a single, centralized, and secure management console.
Figure 1-13 on page 17 shows the IBM Cloud Private management console.
Figure 1-13 IBM Cloud Private management console
1.4.12 Kubernetes
To run a container in production, Kubernetes brings orchestration primitives to support different styles of workloads:
•Stateless ReplicaSets
•Stateful StatefulSets
•Batch Jobs
•System DaemonSets
1.4.13 Private Docker image registry
The Private Docker registry integrates with the Docker registry V2 API to provide a local registry service that functions in the same way as the cloud-based registry service, Docker Hub. This local registry has all the same features as Docker Hub, but you can also restrict which users can view or pull images from this registry.
1.4.14 Helm with enhanced security controls
Helm, the Kubernetes native package management system, is used for application management inside an IBM Cloud Private cluster. The Helm GitHub community curates and continuously expands a set of tested and preconfigured Kubernetes applications. You can add items from this catalog of stable applications to your cluster from the management console. Installing this Helm community catalog provides an extra 80+ Kubernetes applications that are ready for deployment in your cluster.
Helm charts describe even the most complex applications; provide repeatable application installation, and serve as a single point of authority. Helm charts are easy to update with in-place upgrades and custom hooks. Charts are also easy to version, share, and host on public or private servers. You can use helm rollback to roll back to an older version of a release with ease. See 1.5, “Helm” on page 19 for more information on Helm components. Also you can see the IIBM Cloud Private Application Developer's Guide, SG24-8441 IBM Redbooks on how Helm is used for application management.
1.4.15 Catalog
IBM Cloud Private provides an easy to use, extend, and compose catalog of IBM and third-party content. The following are some key concepts:
•Charts: A bundle of Kubernetes resources
•Repository: A collection of charts
•Releases: A chart instance loaded into Kubernetes. The same chart can be deployed several times and each becomes its own release
The catalog provides a centralized location from which you can browse for and install packages in your cluster
Packages for additional IBM products are available from curated repositories that are included in the default IBM Cloud Private repository list. Your environment must be connected to the internet for you to access the charts for these packages. To view a list of all the IBM Cloud.
Figure 1-14 shows the IBM Cloud Private catalog.
Figure 1-14 IBM Cloud Private catalog
1.4.16 Kubernetes Service Catalog for managing service brokers
IBM Cloud Private supports the Kubernetes Service Catalog. You can configure the service broker applications to manage the Service Catalog resources and details.
The Service Catalog component adds the following Kubernetes resources:
•ClusterServiceBrokers
•ClusterServiceClasses
•ClusterServicePlans
•ServiceInstances
•ServiceBindings
The service broker is a component that implements the service broker API to view the available services and plans, create an instance from the available services and plans, and create bindings to connect to the service instance.
1.5 Helm
Helm is a package manager. Package managers automate the process of installing, configuring, upgrading, and removing applications on a Kubernetes cluster.
An application in Kubernetes typically consists of at least two resource types: a deployment resource, which describes a set of pods to be deployed together, and a services resource, which defines endpoints for accessing the APIs in those pods. The application can also include ConfigMaps, Secrets, and Ingress.
For any application deployment, several Kubernetes commands (kubectl) are needed to create and configure resources. Instead of manually creating each application dependency resource separately, Helm creates many resources with one command. A Helm chart defines several Kubernetes resources as a set in a YAML file. A default chart contains a minimum of a deployment template and a service template.
1.5.1 Helm components and terminology
Helm has two elements. A client (Helm) and a server (Tiller). The server element runs inside a Kubernetes cluster and manages the installation of the charts. Figure 1-15 on page 20 shows how Helm components are related to each other.
Figure 1-15 Helm components
•Helm: A command-line interface (CLI) that installs charts into Kubernetes, creating a release for each installation. To find new charts, search Helm chart repositories.
•Chart: An application package that contains templates for a set of resources that are necessary to run the application. A template uses variables that are substituted with values when the manifest is created. The chart includes a values file that describes how to configure the resources.
•Repository: Storage for Helm charts. The namespace of the hub for official charts is stable.
•Release: An instance of a chart that is running in a Kubernetes cluster. You can install the same chart multiple times to create many releases.
•Tiller: The Helm server-side templating engine, which runs in a pod in a Kubernetes cluster. Tiller processes a chart to generate Kubernetes resource manifests, which are YAML-formatted files that describe a resource. YAML is a human-readable structured data format. Tiller then installs the release into the cluster. Tiller stores each release as a Kubernetes ConfigMap.
1.5.2 Why you should use Helm
Helm charts describe even the most complex applications, provide repeatable application installation and are easy to share, version and publish.
With Helm, configuration settings are kept separate from the manifest formats. You can edit the configuration values without changing the rest of the manifest. Configuration settings are in a values.yaml file. You update the runtime parameters in that file to deploy each application instance differently. A single command used to install, upgrade and deleting releases as represented below in Figure 1-16 for lifecyle of a release.
Figure 1-16 Release lifecycle using Helm
1.6 IBM Multicloud Manager
IBM Multicloud Manager is the single dashboard that lets your enterprise oversee multiple Kubernetes clusters wherever they are—public cloud or private.
Working with more than one or two clouds means you can pick the best providers and services across clouds, geographies and functions for specific needs. This helps potentially lower costs, increase performance and solidify governance.
Multicloud enterprises rely on private clouds for better data center performance and availability. They depend on public clouds to be more competitive, get to market faster and build new capabilities like analytics and artificial intelligence.
But successfully developing and deploying these new capabilities means that the average multicloud enterprise uses six or more clouds and hundreds of Kubernetes clusters. This creates a complex, error-prone environment that’s expensive and time-consuming to manage. IBM Multicloud Manager supports enterprises to manage resources across clouds and helping decreasing compliance risks and reduce cost.
1.7 IBM Cloud Paks
One key technology contributing to the ability to run software components more efficiently, with improved lifecycle management, scalability and resilience, is known as containerization. IBM delivers Kubernetes as part of its IBM Cloud Private offering as well as in its IBM Cloud Kubernetes Service. IBM is committed to containerization across its enterprise software portfolio.
While still supporting traditional packaging and deployment models (installing software as usual on a supported operating system), an increasing number of products are available as container images. As mentioned, deploying containerized software in a manner suitable for production requires more than an image.
IBM Cloud Paks provide enterprise software container images that are pre-packaged in production-ready configurations that can be quickly and easily deployed to IBM’s container platforms, with support for resiliency, scalability, and integration with core platform services, like monitoring or identity management. For customers who don’t want to operate the software and its underlying infrastructure, in containers or otherwise, IBM also makes many of its products available as-a-Service, where they are hosted and maintained by IBM in its public cloud.
Figure 1-17 shows the three ways IBM software is delivered and consumed as containers. Not all IBM products are available in all three delivery models.
Figure 1-17 IBM software as containers
IBM Cloud Paks use Helm charts to describe how IBM software should be deployed in a Kubernetes environment. These resource definitions can be easily customized during deployment, and upgrades can be easily rolled out or rolled back using the management interfaces provided by IBM Cloud Private or IBM Cloud Kubernetes Service.
An IBM Cloud Pak is more than a simple Helm chart. IBM Cloud Paks accelerate time to value and improve enterprise readiness at lower cost than containers alone.
IBM Cloud Pak is a collection of assets for container native applications, many based on open technologies. IBM Cloud Pak delivers higher value than containers alone. Certified IBM Cloud Pak are enterprise ready out of the box.
IBM Cloud Paks are identified in the Catalog by one of two badges with the entry. An entry with an IBM Cloud Pak badge meets the criteria for that badge. An entry that displays a Certified IBM Cloud Pak badge indicates that it meets the requirements of the Certified IBM Cloud Pak badge, which are more stringent than what is required for the IBM Cloud Pak badge.
IBM Cloud Paks can be created by IBM or 3rd party software solutions that are offered by IBM Partners. Figure 1-18 shows the comparison between IBM Cloud Pak and Certified IBM Cloud Pak.
Figure 1-18 Comparison between IBM Cloud Pak and Certified IBM Cloud Pak
For more information visit the IBM Knowledge Center link https://www.ibm.com/support/knowledgecenter/en/SSBS6K_3.1.2/app_center/cloud_paks_over.html.
1.8 IBM Cloud Private Editions
The following are the IBM Cloud Private Editions:
•IBM Cloud Private delivers a customer-managed container solution for enterprises. It is also in a community edition, IBM Cloud Private-Community Edition, which provides a limited offering that is available at no charge and is ideal for test environments.
•IBM Cloud Private Cloud Native Edition is licensed and provides an high availability topology for an enterprise production runtime. Cloud Automation Manager, Vulnerability Advisor is also packaged as part of Cloud Native edition.
•IBM Cloud Private Enterprise Edition has all the offerings of IBM Cloud Private Native Edition plus IBM WebSphere Application Server Network Deployment MQ Advanced, APIConnect.
Figure 1-19 shows the IBM Cloud Private Editions.
Figure 1-19 IBM Cloud Private Editions
|
IBM Cloud Private for Data: In addition to these IBM Cloud Private Editions, there is another related product called IBM Cloud Private for Data. This product is a native cloud solution that enables you to put your data to work quickly and efficiently. It lets you do both by enabling you to connect to your data (no matter where it lives), govern it, find it, and use it for analysis. IBM Cloud Private for Data also enables all of your data users to collaborate from a single, unified interface, so your IT department doesn’t need to deploy and connect multiple applications.
We will not discuss this product in this document. You can see the product page at https://www.ibm.com/analytics/cloud-private-for-data for more information.
|
1.9 Persistent volumes
Persistent volume is a storage resource within the cluster. Persistent volumes have a lifecycle independent of any individual pod that uses it. This API object encapsulates the details of the storage implementation or cloud-provider-specific storage system, as shown in Figure 1-20 on page 25.
A persistent volume claim is a storage request, or claim, made by the developer. Claims request specific sizes of storage, as well as other aspects such as access modes.
A StorageClass describes an offering of storage and allow for the dynamically provisioning of PVs and PVCs based upon these controlled definitions.
Figure 1-20 Persistent volumes
1.9.1 Volume and claim lifecycle
The Reclaim policy informs the cluster what to do with the volume after it has been released from its claim
Retain allows for the manual reclamation of the storage asset. The PVC is deleted but the PV remains.
Delete reclaim policy removes both the objects from within the cluster, as well as the associated storage asset from the external infrastructure.
Recycle has been deprecated and should no longer be used.
Access Modes define how volumes can be mounted in the manner supported by the storage provider
•ReadWriteOnce (RWO) can be mounted as read-write by a single node and pod
•ReadOnlyMany (ROX) can be mounted read-only by many nodes and pods
•ReadWriteMany (RWX) can be mounted as read-write by many nodes and pods
|
Note: Reclaim policy and Access Modes may be defined differently by each storage provider implementation.
|
1.9.2 IBM Cloud Private Storage providers
Kubernetes and IBM Cloud Private offer many options for managing persistent storage within the cluster. IBM Cloud Private features the following:
•GlusterFS enterprise grade of storage to K8s pods offering ease of configuration, scaling, encryption support, replication, striping and dynamic provisioning.
•vSphere Cloud Provider (vSphereVolume Plug-in) gives access to enterprise grade storage (vSAN, VMFS, vVol) that is native to and already supported by the VMware infrastructure.
•IBM Spectrum Scale for solutions not hosted in VMware provides direct access to IBM block storage via dynamic provisioning.
•NFS provides a versatile and easy to use method of getting persistent storage to pods that is already available in most customer environments.
•HostPath is ideal for testing persistence in non-production environments.
•Ceph (Rook) is an industry proven option that can provide several storage options along with persistent volumes for Kubernetes.
See Chapter 4, “Managing persistence in IBM Cloud Private” on page 115 for more information on managing storage in IBM Cloud Private.
1.10 IBM Cloud Private terms
The following IBM Cloud Private terms are used throughout this book. Table 1-1 shows the definition of these terms.
Table 1-1 IBM Cloud Private terms
|
IBM Cloud Private term
|
Definition
|
|
airgap environment
|
A network environment that does not have internet access.
|
|
API key
|
A unique code that is passed to an API to identify the calling application or user. An API key is used to track and control how the API is being used, for example, to prevent malicious use or abuse of the API.
|
|
application log (applog)
|
A log that is produced from applications that are deployed in the Cloud Foundry environment.
|
|
application
|
One or more computer programs or software components that provide a function in direct support of a specific business process or processes.
|
|
audit log
|
A log file containing a record of system events and responses.
|
|
Availability Zone
|
An operator-assigned, functionally independent segment of network infrastructure.
|
|
boot node
|
A node that is used for running installation, configuration, node scaling, and cluster updates.
|
|
buildpack
|
A collection of scripts that provide framework and runtime support for apps.
|
|
catalog
|
A centralized location that can be used to browse for and install packages in a cluster.
|
|
Cloud Foundry deployment tool
|
The user interface that is used to manage the deployment of Cloud Foundry.
|
|
cluster
|
A set of resources, worker nodes, networks, and storage devices that keep apps highly available and ready to deploy in containers.
|
|
container image
|
In Docker, standalone, executable software, including code and system tools, that can be used to run an application.
|
|
container
|
A system construct that allows users to simultaneously run separate logical operating system instances. Containers use layers of file systems to minimize image sizes and promote reuse.
|
|
deployment
|
A process that retrieves the output of a build, packages the output with configuration properties, and installs the package in a pre-defined location so that it can be tested or run.
|
|
Docker
|
An open platform that developers and system administrators can use to build, ship, and run distributed applications.
|
|
ELK stack
|
The three products, Elasticsearch, Logstash, and Kibana, that comprise a stack of tools that stream, store, search, and monitor data, including logs.
|
|
endpoint
|
A network destination address that is exposed by Kubernetes resources, such as services and ingresses.
|
|
extension
|
A package that contains a deployment process and its required scripts and files.
|
|
fault tolerance
|
The ability of a system to continue to operate effectively after the failure of a component part.
|
|
Helm chart
|
A Helm package that contains information for installing a set of Kubernetes resources into a Kubernetes cluster.
|
|
Helm release
|
An instance of a Helm chart that runs in a Kubernetes cluster.
|
|
Helm repository
|
A collection of charts.
|
|
high availability
|
The ability of IT services to withstand all outages and continue providing processing capability according to some predefined service level. Covered outages include both planned events, such as maintenance and backups, and unplanned events, such as software failures, hardware failures, power failures, and disasters.
|
|
image manager
|
A centralized location for managing images inside a cluster.
|
|
image
|
A file system and its execution parameters that are used within a container runtime to create a container. The file system consists of a series of layers, combined at runtime, that are created as the image is built by successive updates. The image does not retain state as the container executes.
|
|
inception container
|
See “installer container.”
|
|
ingress
|
A collection of rules to allow inbound connections to the Kubernetes cluster services.
|
|
installer container
|
The Docker container that runs the configuration manager and the Cloud Foundry deployment tool.
|
|
isolation segment
|
A division that can be used to separate applications as if they were in different deployments without the need for redundant management and network complexity.
|
|
isolation
|
The process of confining workload deployments to dedicated virtual and physical resources to achieve multi-tenancy support.
|
|
Kubernetes
|
An open-source orchestration tool for containers.
|
|
layer
|
A changed version of a parent image. Images consist of layers, where the changed version is layered on top of the parent image to create the new image.
|
|
load balancer
|
Software or hardware that distributes workload across a set of servers to ensure that servers are not overloaded. The load balancer also directs users to another server if the initial server fails.
|
|
machine type
|
A configuration that is used to instantiate a virtual machine.
|
|
management console
|
The graphical user interface for IBM Cloud Private.
|
|
management logging service
|
An ELK stack that is used to collect and store all Docker-captured logs.
|
|
management node
|
An optional node that only hosts management services such as monitoring, metering, and logging and can be used to prevent the master node from becoming overloaded.
|
|
marketplace
|
A list of enabled services from which users can provision resources.
|
|
master node
|
A node that provides management services and controls the worker nodes in a cluster. Master nodes host processes that are responsible for resource allocation, state maintenance, scheduling, and monitoring.
|
|
mesh
|
A network topology in which devices are connected with many redundant interconnections between network nodes. Every node has a connection to every other node in the network.
|
|
microclimate
|
An end-to-end, cloud-native solution for creating, building, testing, and deploying applications.
|
|
microservice
|
A set of small, independent architectural components, each with a single purpose, that communicate over a common lightweight API.
|
|
multicloud
|
A cloud computing model in which an enterprise uses a combination of on-premises, private cloud, and public cloud architecture.
|
|
Network File System
|
A protocol that allows a computer to access files over a network as if they were on its local disks.
|
|
organization (org)
|
In Cloud Foundry, the top-most meta object within the infrastructure that is managed by an account with administrative privileges.
|
|
persistent volume claim
|
A request for cluster storage.
|
|
persistent volume
|
Networked storage in a cluster that is provisioned by an administrator.
|
|
placement policy
|
A policy that defines where the application components should be deployed and how many replicas there should be.
|
|
Pod Security Policy
|
A policy that is used to set up cluster-level control over what a pod can do or what it can access.
|
|
pod
|
A group of containers that are running on a Kubernetes cluster. A pod is a runnable unit of work, which can be a either a stand-alone application or a microservice.
|
|
proxy node
|
A node that transmits external requests to the services that are created inside a cluster.
|
|
registry
|
A public or private container image storage and distribution service.
|
|
repository
|
A persistent storage area for data and other application resources.
|
|
resource
|
A physical or logical component that can be provisioned or reserved for an application or service instance. Examples of resources include database, accounts, and processor, memory, and storage limits.
|
|
role-based access control
|
The process of restricting integral components of a system based on user authentication, roles, and permissions.
|
|
service broker
|
A component of a service that implements a catalog of offerings and service plans, and interprets calls for provisioning and deprovisioning, binding and unbinding.
|
|
storage node
|
A node that is used to provide the backend storage and file system to store the data in a system.
|
|
system log (syslog)
|
A log that is produced by Cloud Foundry components.
|
|
taint
|
To mark a particular input, such as a variable, as being unsafe in order to subject it to security checking.
|
|
team
|
An entity that groups users and resources.
|
|
vCPU
|
A virtual core that is assigned to a virtual machine or a physical processor core if the server isn’t partitioned for virtual machines.
|
|
Virtual Machine File System (VMFS)
|
A cluster file system that allows virtualization to scale beyond a single node for multiple VMware ESX servers.
|
|
virtual storage area network (VSAN)
|
A fabric within the storage area network (SAN).
|
|
worker node
|
In a cluster, a physical or virtual machine that carries the deployments and services that make up an app.
|
|
workload
|
A collection of virtual servers that perform a customer-defined collective purpose. A workload generally can be viewed as a multitiered application. Each workload is associated with a set of policies that define performance and energy consumption goals.
|
1 Parts of this section are based on the whitepaper “IBM Cloud Private: The cloud-native application platform for the enterprises” written by Raffaele Stifani (Executive Architect - Software Group) from IBM Italy.
2 Image taken from IBM Cloud Architecture Center https://www.ibm.com/cloud/garage/architectures/private-cloud/reference-architecture
3 Image taken from IBM Cloud Architecture Center https://www.ibm.com/cloud/garage/architectures/private-cloud/reference-architecture
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.