Saturday, 19 January 2019

Purposed Model of Continuous Integration & Continuous Delivery & Deployment

Continuous Integration & Delivery: From Dev Team Perspective

  •   Step1: Developer starts working on a code fix/enhancement.




  1. Developer commits code to development branch
  2. Build process get kicked off along with unit tests are executed.
  3. Result of Step 2 is a docker image.
  4. Container image gets uploaded to container registry such as GCR (google cloud registry).
  5. This latest image needs to be deployed on Dev env.. This can be done with Kubernetes engine by following:
    1. Manually - Update the pod configuration.yaml file with the latest docker version.This will create a new POD with latest image.
    2. Automation - Write a serverless function which will have a cronjob polling the container registry to check for latest image. If found will update the pod config & result will be a new POD with latest image.
  6. Perform tests on dev env. deployed with latest image.
    1. Here integration tests can be triggered manually or by automated way (using jenkins/spiannker).
    2. As well as perform manual tests

Step 2 - Developer find an issue while testing the code fix (performed in Step 1)




  1. Developer finds an issue while testing the image generated in Step 1.
    1. Might be the integration tests got failed. Or,
    2. Issues with image deployment. Or,
    3. Issue caught while manual testing.
    4. Etc.
  2. Fix the code again, & commits code in dev branch.
  3. Build gets triggered, unit tests are performed. And a new image gets generated.
  4. This image gets uploaded on container registry.
  5. New image having code fix needs to be deployed in dev. env.
  6. Developer retest the code fixes, 

Step 3 - Testing Completed, now merge the changes in master branch

  1. Now its time to commit the code in master branch. As all tests are passed with recent fix made.
  2. Same steps will be followed as described above.
  3. Just one change will be here that the container registry will now have a public release.
    1. Initially it was for testing purpose & scope of that image was internal use only.
    2. Now as the changes are finalized, it has to be available for public use.
    3. Public use may or may not be be restricted as per the management decision.

Continuous Deployment:

  • With continuous deployment - comes continuous challenges of;
    • How an update is rolled out?
    • Does this update needs to be rolled out completely or partially? This brings the concept of Canary Deployment.
    • How to switch the traffic from old version to new version? This will bring in the Blue-Green Deployment.
  • Below is the basic possible deployment flowchart, briefly describing how the update rollout happens?


  1. 5(a) Container image is now ready to be deployed to canary deployment.
  2. Container image promoted to canary.
  3. Once a set of users verify that latest deployment on canary is working fine, it needs to be deployed on production.
  4. Container image promoted to production.
Further Info:
References:

Enjoy :-)

Understanding Updates Rollout in Continuous Deployment

As we discussed in the << Purposed Model of continuous integration & deployment >> post about the process that how a developer performs code change/fix, how it gets propagated to the pipeline, how this become part of delivery & deployment.
In continuation to that there arises a point of how an update is rolled out, what are the possible ways to do that & how that can be benefited?

Let's start the journey with a possible deployment architecture explaining that how an update is rolled out:

Note: Here in this deployment example we will consider a replica set of 3 identical pods having same image i.e. "hello1".
  • An update of new image is available from the container registry, this needs to be rolled out in the deployment.

  • Now we have a new updated image say "hello2". In this case we will tell our kubernetes master to create a second replica set that will have containers with image "hello2".


  • You will notice that with creation of 2nd replica set the service pointing to replica set (1) will gradually start pointing to replica set (2) pods.


  • First replica set pods will start decreasing & second replica set pods will increase.



Note: At most in this deployment we will have 4 pods at a time & at least 3 pods.




  • Finally you will observe all 3 pods of replica set (2) are created & you are left with last POD of replica set (1) that too will be vanished soon.

  • Finally the new image version is rolled out



References:

Enjoy :-)

Details about Canary Deployment

About Canary Deployment:

  • Definition: Canary deployments are a pattern for rolling out releases to a subset of users or servers. The idea is to first deploy the change to a small subset of servers, test it, and then roll the change out to the rest of the servers
  • This means when i have to deploy an update in production, i can do this by canary way. This will allow me to deploy the change in production but only to a subset of servers. So by this way we subset of users can test the new update & report if any issue occurs. If all goes well than the update can be rolled out completely.




How to switch the traffic to from old version to new version?

This can be made possible with blue-green deployment. More info Understanding blue-green deployment.

References:
Enjoy :-)

Friday, 18 January 2019

Error: The authentication scheme protecting the resource sets 'Secure' OAMAuthnCookie/ObSSOCookie, but the resource is not being accessed via secure http

Error Statement:

If the authentication scheme is configured to set "Secure" OAMAuthnCookie/ObSSOCookie and the user is accessing an insecure resource, the browser may enter an authentication browser loop. Show an error i.e.:

"The authentication scheme protecting the resource sets 'Secure' OAMAuthnCookie/ObSSOCookie, but the resource is not being accessed via secure http."


Workaround:

In authentication scheme, remove the following parameter & save the changes;

Syntax for 11g Webgate and OAMAuthnCookieSyntax for 10g Webgate and ObSSOCookie
ssoCookie=Secure
ssoCookie:Secure

Make sure changes are applied properly, as in the policy sync-up at OAM server happens successfully. 
You may restart the server instance (ohs/apache/iis etc) or you can wait for webgate cache clean. Try accessing the protected resource once again, you should be prompted for login.

Resolution:

Recheck you SSL settings at WebServer end.

References:



Enjoy :-)



Wednesday, 5 July 2017

Increase docker pool size by changing storage driver

Configure Docker with the devicemapper storage driver

NOTE: This is for Docker CE & Docker EE

Issue:

By default you will notice that docker storage device is "brtfs" i.e. default storage, which is limited to 20GB of data storage.

default storage driver

Usually you will find this storage as too limited to use. As most of the times we have to install multiple images that too of high storage like 4/8/10GB. And with this default storage you will be end up getting frustrated.

Solution:

Configure Docker with "devicemapper" storage driver.

How to do this:

1) Stop Docker
$ sudo systemctl stop docker 

2) Edit /etc/docker/daemon.json. If it does not yet exist, create it. Assuming that the file was empty, add the following contents.
{
  "storage-driver": "devicemapper"
}
Note: Docker will not start if the daemon.json file contains badly-formed JSON

3) Start Docker
$ sudo systemctl start docker

4) Verify that the daemon is using the devicemapper storage driver. Use the docker info command and look for Storage Driver
devicemapper storage driver

Note: This host is running in loop-lvm node, which is not supported on production systems. This is indicated by the fact that the Data loop file and a Metadata loop file are on files under /var/lib/docker/devicemapper/devicemapper.


Hope this helps :-)
Enjoy :-)

Monday, 3 July 2017

Enable SSL in between OHS & Outbound Applications

Enabling SSL in between OHS & OutBound Applications

Prerequisites:
  1. OHS SSL is enabled.
  2. Outbound App SSL is enabled like OAM, Weblogic, OIM etc.
What we are aiming is to setup SSL in b/w OHS & outbound apps

Eg: Consider you want to proxy your OAM server via OHS as a load balancer/proxy call it any. This is a very normal usecase where you have your OAM servers sitting in your data-center & you don't want it's hostname/IP to be exposed. So what you usually do is proxy OAM via OHS.
  • Consider your OHS server name is https://abc.com. So if admin needs to access the oamconsole. Admin will fire the url as https://abc.com/oamconsole
  • To enable this usecase, /oamconsole is to be added in ssl.conf/mod_wl_ohs.conf file(usual way).
  • But the catch is that our OHS & OAM are in SSL mode.
  • This means that they will do handshake before starting to talk to each other.
  • As we all know that while doing handshake, server sends its user certificate, now this cert is verified by client i.e. here mod_wl_proxy of OHS. So the wallet used by it has to have the trusted certificate entry in it.

Steps you need to follow for this are as;

  • Import the certificate used by Outbound app such as Oracle WebLogic Server into the Oracle HTTP Server wallet as a trusted certificate.
    • To add trusted certificate you can use orapki utility or any of your choice.
    • <MW_HOME>/oracle_common/bin/orapki wallet add -wallet ./ -trusted_cert -cert cacert.pem -auto_login_only 
    • Note: './' is used as we consider that you are running this command from the directory where your cwallet.sso is present. You can substitute it with directory path of cwallet.sso as well.
  •  Now you need to add 2 tags in ssl.conf or mod_wl_proxy.conf:
    • SecureProxy On
      WlSSLWallet "<wallet location>" 

Complete Eg:

<Location /console>
SetHandler weblogic-handler
WebLogicHost xyz.us.domain.com
WebLogicPort 7001
SecureProxy ON
WlSSLWallet "/MW_HOME/keystores/newwallet"
</Location>


Now start your OHS server, and try to access the proxied url, you should be able to make a successful connection. You can also confirm the same by capturing wireshark traces. 

Hope this helps... :-)

Useful links:

Enjoy :-)