Tuesday, 25 November 2014

DevOps hits enterprise

Honestly, small teams and startups have DevOps built in. When a couple of people generate the ideas, write the first lines of code, get some cloud infrastructure up and running, and then deploy, run and continuously change their own software, each of them has to know both universes: Dev and Ops.

For enterprises it is somewhat more complex. Distributed development teams with hundreds of developers have to be served by a centralized IT department that supplies development environments, on-demand test infrastructure, code repositories, build and test pipelines, automatic infrastructure provisioning, deployment pipelines and several pre-production and production stages. Sounds huge? It is! But how does DevOps start? Three steps to get going.

Talk to each other

Set up a weekly jour fixe (that is enough to start with). Attendees are developers, IT staff and management. Discuss business plans, how the business will grow, which features to implement and what impact this has on providing and running tools and infrastructure. The next step is to let ops take part in your dev planning meetings (this assumes some sort of agile development framework is already in place for your dev teams). But be aware: there is usually one ops person for n dev teams or dev team members. Involving ops in detailed dev planning ends in an ops meeting marathon that leaves the ops no time to do their job. So some level of abstraction is necessary.

Use Checklists

Before automation is part of your daily business, use checklists to get your software, or parts of it, to production. I'm serious. Checklists ensure:
  • Integrity of deployed software: record a checksum of each package at build time (SHA256, for example) and verify it on the target before deployment, so the package that lands in production is the package that left the build
  • Antivirus scan: yes, it's quite easy to inject some sort of malware somewhere along your build pipeline, and nothing between build and production will notice unless a scan step is part of the checklist
  • Detailed deployment steps: besides the artefacts, which changes to apply, e.g. to configuration files or the database schema (and of course you're using a database versioning tool like flyway :-)
  • Approval: who finally approves your deployment? This could be a role like product management in conjunction with quality assurance (QA). No approval, no deployment!
  • Inform all stakeholders about the new release: keep an e-mail template for announcements. Announce a new release before deployment and again after the deployment has finished successfully
  • Ensure all required documents are ready: people want to know what changed between version 2.0.0 and the new 2.1.0, so release notes are a good idea

Start automation

A simple example: deploying artefacts to several JBoss instances. Deploying a module, hotfix or any other package through several stages with 15 servers in total will take you, say, 30 minutes per cycle, which includes (per server):

  • SSH or RDP login to server
  • Distribute package to server
  • Copy files to deployment directory
  • Check logs for errors
Automating this single task brings the deployment time down to about 30 seconds:
  • Copy the package to a single distribution server (yes, the assumption is that you have a machine you control that sits in the same network as your stages)
  • Run the remote deployment through the JBoss management interface

But that's not out of the box. There's a bunch of work to do:

  • Configure the management interface and secure it (dedicated management user) on every JBoss server for remote access
  • Adjust firewall settings for remote access
  • Maybe you have to set up your own management network with its own IP address range
  • Write deployment scripts on the distribution server and run them regularly (as cron jobs, for example)
  • Do heavy testing
    • You may run out of JVM PermGen space on frequent redeployments with Java 7; classloader leaks on redeploy are the classic cause
    • The outcome of this is an upgrade to a newer JVM (Java 8 replaced PermGen with Metaspace), which has a large impact on your dev and QA teams
  • Create an output pipeline such as a website, e-mail notification or monitoring integration to get feedback on your deployments. No problem as long as everything is fine, but you have to be notified in case of deployment errors
As you can imagine, there's a large initial effort to get each single step automated, predictable and running. It can take months to years. But the benefit is huge once you look at the time saved and at the reproducible behaviour.
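The automated flow described above, written out as a shell script for the distribution server. This is an added example and not the post's own deployment script; the jboss-cli.sh path, the management port 9999, the credential variables, the log directory and the host names are assumptions. Note that passing the management password to jboss-cli on the command line makes it visible in the process list, which is only acceptable on a dedicated distribution server that nobody else can log on to.

```sh
#!/bin/sh
# Added example (not the original post's script): push one package to every
# JBoss EAP 6 instance of a stage through the management interface from the
# distribution server, check the result, and stop at the first failure.
# Assumptions not in the post: jboss-cli.sh lives at $JBOSS_CLI, every host
# exposes the native management port 9999, the management user/password are
# supplied via JBOSS_MGMT_USER/JBOSS_MGMT_PASS, and one log per host and run
# is kept in $DEPLOY_LOG_DIR for the notification/monitoring step.
set -u
JBOSS_CLI=${JBOSS_CLI:-/opt/jboss-eap-6.1/bin/jboss-cli.sh}
MGMT_PORT=${MGMT_PORT:-9999}
DEPLOY_LOG_DIR=${DEPLOY_LOG_DIR:-/var/log/deploy}

# cli_failed LOGFILE -> 0 when the captured CLI output reports a failed
# operation. The CLI prints management results as DMR text, so a "failed"
# outcome or a JBASnnnnnn error id in the output means the deployment did
# not go through even if the process exit code was 0.
cli_failed() {
    grep -Eq '"outcome" => "failed"|JBAS[0-9]{6}' "$1"
}

# notify MESSAGE: output pipeline hook (e-mail, monitoring, web page);
# the default just writes to stderr so the cron job's mail picks it up.
notify() {
    echo "NOTIFY: $*" >&2
}

# deploy_one HOST WAR -> 0 on success; the CLI output goes to a per-host log
deploy_one() {
    host=$1; war=$2
    : "${JBOSS_MGMT_USER:?management user not set}" "${JBOSS_MGMT_PASS:?management password not set}"
    mkdir -p "$DEPLOY_LOG_DIR"
    log="$DEPLOY_LOG_DIR/$(date +%Y%m%d-%H%M%S)-$host.log"
    # --force replaces an already deployed application of the same name
    if "$JBOSS_CLI" --connect --controller="$host:$MGMT_PORT" \
           --user="$JBOSS_MGMT_USER" --password="$JBOSS_MGMT_PASS" \
           --command="deploy --force $war" >"$log" 2>&1 && ! cli_failed "$log"; then
        echo "DEPLOY: $host ok"
        return 0
    fi
    echo "DEPLOY: $host FAILED, see $log" >&2
    return 1
}

# deploy_all WAR HOST... -> deploys host by host and stops at the first
# failure, so a broken package is not rolled on to the remaining servers
deploy_all() {
    war=$1; shift
    for host in "$@"; do
        if ! deploy_one "$host" "$war"; then
            notify "deployment of $war FAILED on $host, remaining hosts skipped"
            return 1
        fi
    done
    notify "deployment of $war finished on $# host(s)"
}

# Usage from the distribution server (or a cron job):
#   ./deploy.sh /srv/packages/app-2.1.0.war stage1-app01 stage1-app02
if [ $# -ge 2 ]; then
    deploy_all "$@"
fi
```

The per-host log is what the "check logs for errors" step of the manual procedure becomes: the CLI output is kept, parsed for a failed outcome, and only a clean result lets the loop continue to the next server.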

What's next?

Besides deployment of artefacts, next steps could be introducing configuration management tools such as Puppet or Chef to deal with the configuration files on your stages. Like your centralized deployment server, there will be a centralized configuration management master that keeps your stages' configuration up to date.
But before setting up configuration management tools you should think about streamlining your configuration across your stages. Keep stage-specific settings such as database connections or IP addresses in configuration files, separate from the artefact.

Culture first!

As I wrote in one of my recent articles, DevOps – was bisher geschah (German only), introducing DevOps into grown structures is about 80% culture and 20% tools. So start with culture:
  • Blameless postmortems (1): get rid of your dev-versus-ops thinking. Start analysing incidents without blaming each other.
  • Faults happen: don't try to avoid faults and incidents at all cost, but have a plan for when they happen.
  • Assumption: people are doing their best. People are not evil by default, trying to break a system.
  • Kill features nobody uses. Sounds simple, but explain to a manager that a feature which took investment and manpower to develop should be killed. Have fun! Setbacks are part of the game. No management support, no DevOps!
___________________________
 (1) Thanks to @roidrage for giving an overview of this at the Continuous Lifecycle Conference 2014 in Mannheim, Germany


Friday, 3 October 2014

How to distribute malware

I have listened to lots of talks about continuous integration and delivery. Geeky things happen there. There are commit and build stages along with test, provision and deploy stages. Maven, Jenkins, Sonar, git, JUnit, Puppet and Docker are just some of the tools used for building CI/CD pipelines.

Where is the scan?

It seems nobody building those pipelines uses a scan stage to ensure no virus or malware was injected anywhere in the quite complex process from writing a line of code to deploying an application to production. But why? Just forgotten? You're kidding! You guys build fully automated processes at the leading edge without ensuring your software is free of viruses and malware? No scan means automated, multiple-times-a-day deployment of malware.

Ok, I understand. You're trusting your developers. Oh, you're trusting your operators too. Is that enough? Which business impact are you afraid of in case you're distributing malware? Automated! Multiple deployments a day! I'm sure it's worth some thought on how to integrate automated antivirus scans.

Vendors, still smiling? What's your plan to integrate your scan engines into CI/CD? I have never heard of a solution for that. Where's the ScaaS (Scan as a Service) which integrates seamlessly into pipelines? And all you leading Avira, Kaspersky, TrendMicro, Symantec and McAfees out there: maybe it's time to implement a platform where all your technology is accessible. I'm going nuts thinking about the revenue of a pay-per-scan service. Remember: multiple deployments per day/week to be scanned, per application, per company.
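Until such a service exists, the scan stage this post asks for and the two first items of the deployment checklist in "DevOps hits enterprise" (integrity via SHA256, antivirus scan) can be one small gate in front of the deploy step. The script below is an added example and not code from either post; it assumes a manifest in sha256sum line format produced by the build, and ClamAV's clamscan as the scanner (its exit codes 0 clean, 1 infected, 2 error; any scanner with that convention works). The important design point is that it fails closed: no manifest, no scanner, or a scanner error all block the deployment rather than letting the package through unscanned.

```sh
#!/bin/sh
# Release gate, added here as an example (it is not the original post's
# script): a package is handed to the deployment step only when (1) its
# SHA256 matches the manifest written at build time and (2) a malware
# scanner has looked at it and found nothing. Both checks fail closed: a
# missing manifest, an unlisted package or a missing scanner stops the
# deployment instead of being silently skipped.
# Assumptions not in the posts: the manifest uses the "sha256sum" line
# format ("<hex>  <file>"), and the scanner is ClamAV's clamscan with its
# documented exit codes (0 clean, 1 infected, 2 error). Any other scanner
# with the same convention can be passed instead.
set -u

# digest FILE -> hex SHA256 of FILE (GNU sha256sum or BSD shasum)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# verify_artifact MANIFEST FILE -> 0 when FILE's digest equals the one
# recorded for its basename in MANIFEST
verify_artifact() {
    manifest=$1; file=$2
    [ -f "$manifest" ] || { echo "GATE: no manifest $manifest" >&2; return 1; }
    recorded=$(awk -v f="$(basename "$file")" '$2 == f || $2 == "*" f {print $1}' "$manifest")
    [ -n "$recorded" ] || { echo "GATE: $file is not listed in $manifest" >&2; return 1; }
    actual=$(digest "$file") || return 1
    if [ "$recorded" != "$actual" ]; then
        echo "GATE: checksum mismatch for $file (expected $recorded, got $actual)" >&2
        return 1
    fi
    return 0
}

# scan_artifact SCANNER FILE -> 0 only when SCANNER ran and reported clean
scan_artifact() {
    scanner=$1; file=$2
    if ! command -v "$scanner" >/dev/null 2>&1; then
        echo "GATE: scanner '$scanner' not available, refusing to deploy unscanned" >&2
        return 1
    fi
    if "$scanner" --no-summary --infected "$file"; then
        return 0
    else
        rc=$?
    fi
    case $rc in
        1) echo "GATE: malware reported in $file" >&2 ;;
        *) echo "GATE: scanner failed (exit $rc) on $file" >&2 ;;
    esac
    return 1
}

# release_gate MANIFEST FILE [SCANNER] -> 0 when FILE may go to deployment
release_gate() {
    verify_artifact "$1" "$2" && scan_artifact "${3:-clamscan}" "$2"
}

# Usage in a deployment job: the deploy step only runs if the gate passes
#   ./gate.sh build/SHA256SUMS build/app-2.1.0.war && ./deploy.sh build/app-2.1.0.war host1 host2
if [ $# -ge 2 ]; then
    release_gate "$@"
fi
```

The manifest has to come from the build stage and travel separately from the package (or be signed), otherwise whoever can swap the package can also rewrite the checksum next to it.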

Friday, 26 September 2014

JBoss EAP 6: Monitoring of XA datasources

Ever wondered about flapping pool size values when monitoring JBoss EAP XA datasource runtime values using e.g. Nagios?

Say you're running JBoss EAP 6.x. Using the CLI (CLI HowTo) displays the following output when reading the TestDS runtime values:

[standalone@localhost:9999 /] /subsystem=datasources/xa-data-source=TestDS/statistics=pool/:read-resource(include-runtime=true)
{
    "outcome" => "success",
    "result" => {
        "ActiveCount" => "160",
        "AvailableCount" => "195",
        "AverageBlockingTime" => "19",
        "AverageCreationTime" => "836",
        "CreatedCount" => "160",
        "DestroyedCount" => "0",
        "InUseCount" => "5",
        "MaxCreationTime" => "7332",
        "MaxUsedCount" => "131",
        "MaxWaitCount" => "0",
        "MaxWaitTime" => "219",
        "TimedOut" => "0",
        "TotalBlockingTime" => "2998",
        "TotalCreationTime" => "133795"
    }
}
[standalone@localhost:9999 /]

ActiveCount is the number of physical connections the TestDS pool currently holds, in use or idle (here 160 created, 0 destroyed). InUseCount is the number of those handed out to the application right now. AvailableCount is the configured max-pool-size (e.g. in standalone.xml) minus InUseCount, so it moves with every request, and that is the flapping you see. For monitoring you need a fixed reference like max-pool-size instead of AvailableCount. So it's quite a good idea to monitor InUseCount in relation to max-pool-size.

Retrieve max-pool-size as follows:

[standalone@localhost:9999 /] /subsystem=datasources/xa-data-source=TestDS:read-attribute(name=max-pool-size,include-defaults=true)
{
    "outcome" => "success",
    "result" => 200
}
[standalone@localhost:9999 /]

Took me some time to work out, so feel free to share!
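A Nagios-style check that does exactly that, reading both values through the CLI and alerting on the ratio. This is an added example, not code from the post; the jboss-cli.sh path, the controller address, the credentials in JBOSS_MGMT_USER/JBOSS_MGMT_PASS and the percentage thresholds are assumptions. The parser works on the DMR text format shown above: runtime statistics come back as quoted strings, read-attribute results as bare numbers.

```sh
#!/bin/sh
# Nagios-style check for a JBoss EAP 6 XA datasource pool, added here as an
# example (not from the original post). It reads InUseCount from the pool
# statistics and max-pool-size from the datasource definition through
# jboss-cli and compares the two, so the result does not flap the way
# AvailableCount does. Assumptions not in the post: jboss-cli.sh path,
# controller address and a management user given via environment;
# thresholds are a percentage of max-pool-size.
set -u
JBOSS_CLI=${JBOSS_CLI:-/opt/jboss-eap-6.1/bin/jboss-cli.sh}
CONTROLLER=${CONTROLLER:-localhost:9999}

# cli_query COMMAND -> raw DMR text from the management interface
cli_query() {
    "$JBOSS_CLI" --connect --controller="$CONTROLLER" \
        --user="${JBOSS_MGMT_USER:?}" --password="${JBOSS_MGMT_PASS:?}" \
        --command="$1"
}

# dmr_value TEXT KEY -> the numeric value of "KEY" => "123" or "KEY" => 123
# (runtime statistics are quoted strings, read-attribute results are not)
dmr_value() {
    printf '%s\n' "$1" |
        sed -n "s/.*\"$2\" => \"\{0,1\}\([0-9][0-9]*\)\"\{0,1\}.*/\1/p" | head -n 1
}

# pool_in_use DATASOURCE / pool_max DATASOURCE -> the two numbers to compare
pool_in_use() {
    dmr_value "$(cli_query "/subsystem=datasources/xa-data-source=$1/statistics=pool/:read-resource(include-runtime=true)")" InUseCount
}
pool_max() {
    dmr_value "$(cli_query "/subsystem=datasources/xa-data-source=$1:read-attribute(name=max-pool-size,include-defaults=true)")" result
}

# check_pool IN_USE MAX WARN_PCT CRIT_PCT -> prints a Nagios status line with
# perfdata and returns the Nagios exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN)
check_pool() {
    in_use=$1; max=$2; warn=$3; crit=$4
    for v in "$in_use" "$max"; do
        case "$v" in ''|*[!0-9]*) echo "UNKNOWN: could not read pool values"; return 3 ;; esac
    done
    [ "$max" -gt 0 ] || { echo "UNKNOWN: max-pool-size is 0"; return 3; }
    pct=$((in_use * 100 / max))
    # perfdata: label=value;warn;crit;min;max, thresholds in connections
    perf="in_use=$in_use;$((max * warn / 100));$((max * crit / 100));0;$max"
    if [ "$pct" -ge "$crit" ]; then
        echo "CRITICAL: $in_use of $max connections in use (${pct}%)|$perf"; return 2
    elif [ "$pct" -ge "$warn" ]; then
        echo "WARNING: $in_use of $max connections in use (${pct}%)|$perf"; return 1
    fi
    echo "OK: $in_use of $max connections in use (${pct}%)|$perf"; return 0
}

# check_xa_datasource DATASOURCE [WARN_PCT] [CRIT_PCT] -> the plugin entry point
check_xa_datasource() {
    check_pool "$(pool_in_use "$1")" "$(pool_max "$1")" "${2:-80}" "${3:-90}"
}

# Usage as a Nagios command: check_xa_datasource TestDS 80 90
if [ $# -ge 1 ]; then
    check_xa_datasource "$@"
    exit $?
fi
```

Because max-pool-size is read with include-defaults=true, the check also works for datasources that never set the attribute explicitly. Keep the management user for this check read-only (a monitoring role, not the deployment user), since the same credentials would otherwise also allow deployments.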

Monday, 23 June 2014

TimelineJS for offline usage

I really love TimelineJS as a nice and easy-to-use tool. But wait: how do you use this tool offline? I spent hours crawling GitHub and blogs. None of the mentioned approaches worked for me. So here's the Alex way of using TimelineJS offline: no API loading from the web, no cloud-based data hosting.

I used my local Windows 7 64-bit machine and first put Apache 2 on it. Find the Windows binaries here for download. Just do a straight default install and you're fine. Apache installs as a Windows service and by default your htdocs web root will point to


C:\Program Files (x86)\Apache Software Foundation\Apache2.2\htdocs

Note: ensure no other service such as IIS or Tomcat already uses port 80 on your machine.

Then empty your htdocs directory and put the content of tl.zip (click for download, MD5 fingerprint: ad715f5e39d903a7f1737b54f62d851c) in; compare the fingerprint of your download before unpacking. The ZIP archive contains the following files/structures:


build
img
content.json
index.html

That's pretty much it. The build directory contains all necessary CSS and JS files, most importantly a copy of jQuery. Place the images you want to use in your timeline in the img directory. Your data resides, JSON formatted, in the content.json file.

Now point your favourite web browser to http://localhost/ and you should see your timeline showing up. If not, check the Apache error log (default location C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs).

Enjoy building your timeline offline and publishing it to your intranet. Start playing around with timeline customization. A good start is the timeline_config section in index.html.



Sunday, 8 June 2014

High Availability vs. Scalability

Ever wondered about the difference between high availability (HA) and scalability? For me, scalability always had something to do with clustering, with HA being part of it by design.

Man - Am I wrong!

Since I'm a visually addicted person, let's draw an example.


Joe is using my application, which is clustered for load balancing reasons. So if one node of my cluster fails, another one will automatically do the work.

That's great, because I got a scalable application simply by adding nodes to my cluster. But is Joe happy too?


Nope. Joe had browsed my web shop for half an hour when one of my nodes failed. Joe gets angry, because he lost his shopping basket and needs to start over.

That's why I did lots of research and configuration work, adding inter-node communication to my cluster to make Joe happy again. Now Joe's non-persistent information, such as his session, is shared between the nodes. And now my cluster has real high-availability functionality besides normal scalability features.



Sounds simple? It's not! In particular, adding HA features is a bunch of work depending on your application's features and complexity. And it's much more than just running your application on multiple server instances. And we didn't even talk about the database backend your application relies on.

Adding load balancing in the best case involves operations staff only. Adding HA definitely involves operations and software developers: the beginning of a premium DevOps project. Read my DevOps blog post (German language only).

Tuesday, 20 May 2014

What the ELK can do for you?



Taking a closer look at necessary log file analysis, I stumbled upon ELK, a stack made of Elasticsearch + Logstash + Kibana.

The ELK stack: Elasticsearch, Logstash, Kibana
So let's start with an example setup of these tools. Logstash comes with some kind of built-in Kibana, but I used the separate one.

Normally I'm the one who gets stuck with some kind of simple-to-solve-on-Linux problem. But I got ELK up and running, so you will as well!

Elasticsearch acts as the indexing data sink
Logstash takes and transforms logs and puts them into Elasticsearch
Kibana acts as the GUI to nicely display results from Elasticsearch

Server
I used Ubuntu 14.04 LTS running as a VMware or VirtualBox VM. You should have a server in place with network connectivity and SSH access. That's my prerequisite; everything else we're going to build up ourselves.

Take care of your server's disk space, since we're dealing with log files. In my case around 14 GB of old logs (~80 million log lines) to bring into ELK.

Packages
Install the JDK, Apache and curl:
elk# apt-get update
elk# apt-get install openjdk-7-jdk
elk# apt-get install apache2
elk# apt-get install curl

Well done. That's it for the server configuration. Not kidding!

Logstash
Download Logstash. I chose the tarball; DEB and RPM are available as well. Extract it into /opt (without -C, tar unpacks into whatever directory you happen to be in):
elk# curl -O https://download.elasticsearch.org/logstash/logstash/logstash-1.4.1.tar.gz
elk# mv logstash-1.4.1.tar.gz /opt
elk# tar xvfz /opt/logstash-1.4.1.tar.gz -C /opt

Before starting Logstash we're going to prepare for the log import. Assume a log file with the following structure (space delimited):

#api thread timestamp uid method execution_time result exn id

webapi 1462 2014-05-19T00:01:07.297 00000000-0000-0000-0000-000000000001 GetByName() 0 java.util.ArrayList 0 static

Paste this log line into the file /opt/logstash-1.4.1/20140520.log

Create a file /opt/logstash-1.4.1/import.conf with the following content:
input {
  file {
         path   => [ "/opt/logstash-1.4.1/*.log" ]
         start_position => "beginning"
         discover_interval => 1
       }
}

filter {
  grok {
         patterns_dir => "/opt/logstash-1.4.1/patterns"
         match => [ "message", "%{DATA:api}%{SPACE}%{NUMBER:thread}%{SPACE}%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{UUID:usr}%{SPACE}%{DATA:method}%{SPACE}%{NUMBER:ms}%{SPACE}%{DATA:result}%{SPACE}%{DATA:exn}%{SPACE}%{DATA:id}" ]
       }
  date {
         match => [ "logdate", "ISO8601" ]
       }
}

output {
  elasticsearch {
    host => localhost
  }
}

Run Logstash using the newly created config:
elk# /opt/logstash-1.4.1/bin/logstash -f /opt/logstash-1.4.1/import.conf &

Now Logstash starts importing all files with the extension .log from the /opt/logstash-1.4.1 directory. You'll get some processing info on the console since Logstash runs in the background of your current session.

Elasticsearch
Download and run Elasticsearch (again extracting into /opt).
elk# curl -O https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.1.1.tar.gz
elk# mv elasticsearch-1.1.1.tar.gz /opt
elk# tar xvfz /opt/elasticsearch-1.1.1.tar.gz -C /opt
elk# /opt/elasticsearch-1.1.1/bin/elasticsearch &

Stop hyperventilating! I know about the issues with sending processes to the background. But it's fine for a simple and fast first impression of ELK. Sure, Logstash and Elasticsearch should be configured as services, but not now.

Kibana
Assuming the Apache web root is at /var/www, we're moving Kibana to this location.

Download and extract Kibana.
elk# curl -O https://download.elasticsearch.org/kibana/kibana/kibana-3.1.0.tar.gz
elk# mv kibana-3.1.0.tar.gz /var/www
elk# tar xvfz /var/www/kibana-3.1.0.tar.gz -C /var/www && mv /var/www/kibana-3.1.0/* /var/www

Adapt /var/www/config.js to point to the Elasticsearch API, which runs on the same host. Don't use localhost: Kibana 3 runs entirely in the browser, so the address is resolved by the visitor's machine, not by the server. Use the IP address or fully qualified domain name (FQDN) of your host instead. Find the elasticsearch parameter in config.js, for example:

elasticsearch: "http://10.0.0.2:9200"

where 10.0.0.2 is the IP address of your Elasticsearch host. This also means port 9200 has to be reachable from every browser that uses Kibana, and Elasticsearch 1.1 has no authentication of its own: whoever can reach the port can read and delete indices, and this version still accepts dynamic scripts in queries by default (set script.disable_dynamic: true in elasticsearch.yml). Keep the host in a network only your analysts can reach, and put a reverse proxy with authentication in front of 9200 before anyone else gets the link.

Done with Kibana.

Are you happy?
No! Point your favourite web browser to http://10.0.0.2/. Now you're happy, because Kibana shows up. Use the Logstash Dashboard link to watch your index growing.

Now it's your turn. Crawl the Logstash docs for more sophisticated log processing that fits your needs. Start with the ELK stack in general on the Elasticsearch page.


Friday, 2 May 2014

Tech Art

Plain log data analysis sometimes turns into some kind of tech art. Visualizing a couple of million data rows, I just got the picture shown as the result.


Thursday, 24 April 2014

Configure JBoss EAP with native SSL support

Ever tried to get all the information you need to get JBoss EAP up and running with native SSL? No? Here's the Alex way of getting EAP 6.1.0 with native SSL support up and running on Windows Server 2008 R2 64-bit.

Prerequisite

  • JBoss EAP 6.1.0 GA
  • No usage of welcome-root (otherwise set the flag enable-welcome-root to true in standalone.xml)
  • Windows Server 2008 R2 64bit
  • SSL private key file as plain text PEM format (RSA)
  • SSL certificate as plain text PEM format
  • SSL CA bundle as plain text PEM format

Solution

  • Download the Windows Server 2008 R2 64-bit native libs from here (login required)
  • Unpack and move the lib folder including all its content into your JBoss installation, say C:\jboss-eap-6.1\modules\system\layers\base\org\jboss\as\web\main
  • Add/edit standalone.xml (example path: C:\jboss-eap-6.1\standalone\configuration) as follows. Important: set the native attribute to true! The private key is read as a plain text PEM file, so its only protection is the filesystem: restrict the ACL on ssl-private-key.key to the account that runs JBoss.
<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="true">
  <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http" redirect-port="${jboss.https.port:8443}"/>
  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="ssl" certificate-key-file="../../cert/ssl-private-key.key" verify-client="false" certificate-file="../../cert/ssl-certificate.crt" ca-certificate-file="../../cert/ssl-cabundle.cabundle"/>
  </connector>
  <virtual-server name="default-host" enable-welcome-root="false">
    <alias name="localhost"/>
    <alias name="example.com"/>
  </virtual-server>
</subsystem>
  • Restart JBoss
  • Check server.log for ERRORs. SSL loading is fine if you see
[org.apache.coyote.http11] (MSC service thread 1-3) JBWEB003000: Coyote HTTP/1.1 starting on: http-/0.0.0.0:443
    (the port comes from the https socket-binding; the default is 8443, so 443 here means the binding was changed)
  • DONE
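Most "native SSL did not come up" errors in server.log come from the PEM files rather than from the connector configuration. The checks below are an added example, not part of the original post; they need only the openssl command line tool and can run on the server or on any other box holding copies of the three files (the default paths are assumptions matching the standalone.xml above). They confirm that the private key belongs to the certificate, that the certificate verifies against the CA bundle, and that it is not about to expire.

```sh
#!/bin/sh
# Pre-flight checks for the three PEM files the native connector loads,
# added here as an example (not from the original post). Run them before
# restarting JBoss, so a key that does not belong to the certificate, a
# chain the CA bundle cannot verify, or a certificate about to expire shows
# up here and not as an ERROR in server.log. Requires the openssl command
# line tool; the default paths are assumptions matching the standalone.xml.
KEY=${KEY:-../../cert/ssl-private-key.key}
CRT=${CRT:-../../cert/ssl-certificate.crt}
BUNDLE=${BUNDLE:-../../cert/ssl-cabundle.cabundle}

# key_matches_cert KEY CRT -> 0 when the RSA modulus of both files is
# identical, i.e. the private key really belongs to the certificate
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_ok CRT BUNDLE -> 0 when the certificate chains up to the bundle
# (the bundle is taken as the trust anchor set; use -untrusted instead of
# -CAfile to check against the system root store)
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_valid_for CRT DAYS -> 0 when the certificate does not expire within DAYS
cert_valid_for() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# preflight KEY CRT BUNDLE -> 0 only when all three checks pass; prints each result
preflight() {
    rc=0
    if key_matches_cert "$1" "$2"; then
        echo "ok: key matches certificate"
    else
        echo "FAIL: key does not match certificate" >&2; rc=1
    fi
    if chain_ok "$2" "$3"; then
        echo "ok: certificate verifies against CA bundle"
    else
        echo "FAIL: certificate does not verify against CA bundle" >&2; rc=1
    fi
    if cert_valid_for "$2" 30; then
        echo "ok: certificate valid for more than 30 days"
    else
        echo "FAIL: certificate expires within 30 days" >&2; rc=1
    fi
    return $rc
}

# Usage: ./ssl-preflight.sh [KEY CRT BUNDLE]; without arguments the
# default paths above are checked
if [ $# -ge 3 ]; then
    preflight "$@"
elif [ -f "$KEY" ]; then
    preflight "$KEY" "$CRT" "$BUNDLE"
fi
```

The 30-day window in preflight is a useful thing to wire into monitoring as well, since an expired certificate is the one SSL failure that appears without anybody having changed the configuration.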