
CMPE-172

Enterprise Software Platforms


Enterprise Software Platforms

Instructor: Andrew Bond


• Operating System History
• Compute Platforms
• Modern Enterprise Operating Systems
• Virtualization Overview (Bare Metal Deployment, Docker,
Hardware assisted Virtualization), Cloud Platforms
• Enterprise Administration (Puppet/Chef/Ansible/Nagios)

TOPIC #1: OPERATING SYSTEMS, ADMINISTRATION, AND TOOLS
Operating System
• An operating system (OS) is system software that manages computer hardware and software resources and provides common services for computer programs. The operating system is an essential component of the system software in a computer system (Wikipedia)
OS STRUCTURE
• Many early operating systems were amazingly small: Sixth-Edition Unix, for instance, had to fit into 64 KB of memory
• Monolithic approach
• Two modes of execution: user mode (with the fewest privileges) and privileged mode (with the most)
• Traps are the general means for invoking the kernel from user code
• Interrupts are requests from an external device for a response from the processor
PROCESSES, ADDRESS SPACES, AND THREADS
• Process - both an abstraction of memory (as an address space) and an abstraction of one or more processors (as threads, or threads of control)
• Executable code, known as Text, occupies the lower-addressed regions
• Initialized data, known simply as Data, follows the Text
• Uninitialized data is known, cryptically, as BSS ("block started by symbol", a mnemonic from an ancient IBM 704 assembler)
• Dynamic region (malloc)
• Then comes a large hole in the address space and finally a region, starting at the top and growing downwards, containing the Stack
Types of OS’s
• Single- and multi-tasking
• Single- and multi-user
• Distributed (clustered/networked/infiniband)
• Templated (VM/container template/image)
• Lightweight (minimal e.g. CoreOS)
• Embedded (IoT) / Real-time (event driven)
Compute Platforms
• Mainframe (room)
• Micro (rack)
• Mini/PC (box)
• Virtualized / Containerized
• Hyperconverged (Cisco, Nutanix, etc..)
• White-box (Google/Facebook, OpenCompute,
etc..)
Three Classes of Integrated Systems
Three classes of integrated systems defined in Gartner’s “Magic
Quadrant”
• Integrated stack system (ISS) —Hardware integrated with
application software to provide appliance or appliance-like
functionality. IBM Watson Platform, Oracle's Exadata Database
Machine
• Integrated infrastructure system (IIS) —Hardware integrated to
provide shared compute infrastructure. VCE Vblock, HP
ConvergedSystem and Lenovo Converged System (formerly
PureFlex).
• Hyperconverged integrated system (HCIS) — Tightly coupled
hardware that dispenses with the need for a regular storage area
network (SAN). Nutanix, Pivot3, Cisco Hyperflex
Remote Management
• Cisco CIMC
• Dell Remote Access Card (DRAC)
• Sun (now Oracle): iLOM
• Intel RMM (remote management module)
• HP Integrated Lights-Out (iLO)
• IBM (now Lenovo) Integrated Management Module (IMM and IMM2)
• Common Functions:
– Reset the server (in case the server doesn't respond anymore via the normal network card)
– Power-up the server (possible to do this from a remote location, even if the server is shut down)
– Remote console (in some cases however an 'Advanced license' may be required for some of the
utilities to work)
– Mount remote physical CD/DVD drive or image
– Access the server's IML (Integrated Management Log)
• KVM/IP KVM (Raritan, Tripp Lite, Avocent, etc.)
MODERN ENTERPRISE OPERATING SYSTEMS
• Linux
• MacOS (OS X)
• Windows
Linux
• http://arstechnica.com/information-
technology/2015/08/how-linux-was-born-as-
told-by-linus-torvalds-himself/
• Redhat, Debian/Ubuntu, SUSE
• History (Tanenbaum, etc..)
Redhat, RHN and CentOS
• Red Hat, Inc. is an American multinational software company providing open-source software products to the enterprise community. Founded in 1993, Red Hat has its corporate headquarters in Raleigh, North Carolina, with satellite offices worldwide
• Red Hat Network (RHN) is a systems-management service operated by Red Hat. RHN makes updates, patches, and bug fixes of packages included within Red Hat Linux and Red Hat Enterprise Linux available to subscribers. Other available features include the deployment of custom content to, and the provisioning, configuration, reporting and monitoring of, client systems.
• Red Hat Enterprise Linux (RHEL) is a Linux distribution developed by Red Hat and targeted toward the commercial market. All of Red Hat's official support and training, together with the Red Hat Certification Program, focuses on the Red Hat Enterprise Linux platform. Red Hat Enterprise Linux is often abbreviated to RHEL, although this is not an official designation
• Red Hat offers a proxy server (Red Hat Network Proxy) that, once installed at a site, allows machines to securely download updates locally. Advanced lifecycle management; provisioning features, like bare metal PXE boot provisioning; and monitoring features (e.g. centralized CPU and disk usage) cannot be done over the Internet to the hosted RHN servers. These features require an RHN Satellite Server running locally.
• CentOS (abbreviated from Community Enterprise Operating System) is a Linux distribution that attempts to provide a free, enterprise-class, community-supported computing platform which aims to be functionally compatible with its upstream source, Red Hat Enterprise Linux (RHEL). In January 2014, CentOS announced the official joining with Red Hat while staying independent from RHEL, under a new CentOS governing board
Berkeley Software Distribution
& BSD Flavors
• BSD is a Unix operating system derivative developed and distributed
by the Computer Systems Research Group (CSRG) of the University
of California, Berkeley, from 1977 to 1995
• Historically, a branch of Unix, Berkeley Unix, because it shared the
initial codebase and design with the original AT&T Unix operating
system
• Proprietary BSD derivatives were largely superseded by the UNIX
System V Release 4 and OSF/1
• later BSD releases provided a basis for several open source
development projects, e.g. FreeBSD, OpenBSD, NetBSD, Darwin or
PC-BSD, that are ongoing. These, in turn, have been incorporated in
whole or in part in modern proprietary operating systems, such as
Apple's OS X and iOS
Ubuntu
• Ubuntu is a Debian-based Linux operating system and distribution, with Unity as
its default desktop environment for personal computers including smartphones in
later versions. Ubuntu also runs network servers. It is based on free software and
named after the Southern African philosophy of ubuntu (literally, "human-ness"),
which often is translated as "humanity towards others" or "the belief in a universal
bond of sharing that connects all humanity"
• Development of Ubuntu is led by UK-based Canonical Ltd., a company owned by
South African entrepreneur Mark Shuttleworth. Canonical generates revenue
through the sale of technical support and other services related to Ubuntu
• Every fourth release, issued on a two-year cadence, is a long-term support (LTS) release; LTS releases include updates for new hardware, security patches and updates to the 'Ubuntu stack' (cloud computing infrastructure), and are intended for environments where long-term OS stability and minimal changes are required
SUSE
• SUSE Linux Enterprise Server is a
Linux-based operating system
developed by SUSE. It is designed
for servers, mainframes, and
workstations
• IBM's Watson was built on IBM's
Power7 systems using SLES
• Mostly popular in Europe
Unix INIT vs. systemd

• http://www.pcworld.com/article/2841873/me
et-systemd-the-controversial-project-taking-
over-a-linux-distro-near-you.html
Example: RedHat Boot Process

[Diagram: BIOS -> GRUB -> Linux Kernel -> init (reads /etc/inittab) -> /etc/rc.d/rc.sysinit -> /etc/rc.d/rc, which runs the run-level specific scripts (/etc/rc.d/rc3.d or /etc/rc.d/rc5.d) -> Login Shell]

Source: http://nmc.nchu.edu.tw/linux/Linux_boot.htm
Example: Redhat Startup Run Levels

Run level   RedHat Mode
0           Halt
1 (S)       Single user
2           Multiuser (no networking)
3           Full Multiuser
4           Unused
5           X11
6           Reboot
GNU
• GNU is a recursive acronym for "GNU's Not Unix!"
• Free as in Freedom (not Free Beer), FSF
• Who is Richard Stallman (rms), and why should I care? (gcc, gdb, emacs, FSF)
• The Cathedral and the Bazaar, Eric Raymond’s
essay on the Linux kernel development process
and his experiences managing an open source
project. It examines the struggle between top-
down and bottom-up design.
MacOS (OS X)
• OS X is built on technologies developed at NeXT between the second half of the 1980s and Apple's purchase of the company in late 1996
• OS X is the second-most-active general-purpose client operating system in use on the World Wide Web (after Microsoft Windows), with an 8.45% usage share
• Some essential Mac tools for IT admins
Microsoft Windows is a group of
several graphical operating system
families, all of which are
developed, marketed, and sold by
Microsoft
Active Windows families include:
• Windows NT
• Windows Embedded
• Windows Embedded
Compact
• Windows Server
Defunct Windows families include:
• Windows 9x
• Windows Mobile
• Windows Phone.
https://en.wikipedia.org/wiki/Microsoft_Windows
OS Services
• Directory Services (LDAP, AD, DNS)
• OS Firewall
• VPN/Encryption
• Antivirus / AntiSpam / anti-malware/spyware/ransomware
• Print Clients
• Patching / Updating / Upgrading
• Remote management (SNMP/Telegraf)
• Web Services (Web Server / REST API)
• License Server
WINDOWS AD
What is Active Directory?
• What is Active Directory?
– A collection of services (Server Roles and Features) used to manage identity and access for and to resources on a network
[Diagram: Active Directory at the centre, surrounded by its roles (Domain Services, Federation Services, Certificate Services, Lightweight Directory Services, Rights Management Services) and the concerns they cover: internal accounts, access for external accounts, authentication, authorization, identity, non-repudiation, identity and access management, centralized management, content security and control, application templates]
Directory data store
• Uses a structured data store as the basis for a logical, hierarchical organization of directory information
• Objects typically include shared resources such as servers, volumes, printers, and the network user and
computer accounts
Security
• Security is integrated with Active Directory through logon authentication and access control to objects in
the directory. With a single network logon, administrators can manage directory data and organization
throughout their network, and authorized network users can access resources anywhere on the network.
Policy-based administration eases the management of even the most complex network.
Active Directory also includes:
• A set of rules, the schema, that defines the classes of objects and attributes contained in the directory,
the constraints and limits on instances of these objects, and the format of their names. For more
information about the schema, see Schema.
• A global catalog that contains information about every object in the directory. This allows users and
administrators to find directory information regardless of which domain in the directory actually contains
the data. For more information about the global catalog, see The role of the global catalog.
• A query and index mechanism, so that objects and their properties can be published and found by
network users or applications. For more information about querying the directory, see Finding directory
information.
• A replication service that distributes directory data across a network. All domain controllers in a domain
participate in replication and contain a complete copy of all directory information for their domain. Any
change to directory data is replicated to all domain controllers in the domain. For more information
about Active Directory replication, see Replication overview.
Active Directory Roles
• AD Domain Services (AD DS)
– Users, Computers, Policies
• AD Certificate Services (AD CS)
– Service, Client, Server and User identification
• AD Federation Services (AD FS)
– Resource access across traditional boundaries
• AD Rights Management Services (AD RMS)
– Maintain security of data
• AD Lightweight Directory Services (AD LDS)
What is AD DS?
• What is Active Directory Domain Services?
– A directory service is both the directory information source and the service that makes the information available and usable
– A phone book…
[Diagram: Active Directory Domain Services (manageability, security, interoperability) at the centre, serving Windows Servers (management profile, network info, printers, shares), Windows Clients (management profile, network info, policies), Windows Users (account information, privileges, profiles, policies), Email Servers (mailbox information, address book), Network Devices (config, QoS policy, security policy) and Applications (server config, SSO, app-specific directory info)]
What does AD DS do?
• Scalable, secure, and manageable infrastructure
for user and resource management
– stores and manages information about network
resources
– provides support for directory-enabled applications
such as Microsoft® Exchange Server
– allows for centralized management
What is AD CS?
• Certificate Services: is the Microsoft implementation of Public Key Infrastructure (PKI)
• PKI is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates
[Diagram: PKI components and flows: End-Entities (users or computers), a Certification Authority, a Certificate Repository holding the x.509 certificate chain, and a Revocation Repository holding the Certificate Revocation List (CRL); numbered flows for certificate request/enrollment, signing, certificate retrieval, revocation request and CRL retrieval]
What does AD CS do?
• AD CS provides customizable services for issuing
and managing digital certificates
– Certification Authorities
– CA Web Enrollment
– Online Responders
– Network Device Enrollment Service (NDES)
– Certificate Enrollment Web Service
– Certificate Enrollment Policy Web Service
What is AD FS?
• Federation Services: A software component that facilitates the cross-organizational access of systems and applications
[Diagram: an Account Partner Organization (AD DS and an Account Federation Server) and a Resource Partner Organization (a Resource Federation Server and a Web Server), linked by a Federation Trust]
What does AD FS do?
• The AD FS server role provides simplified,
secured identity federation and Web single sign-
on (SSO) capabilities.
– enables the creation of trust relationships between
two organizations
– provides access to applications between
organizations
– provides Single Sign-on (SSO) between two different
directories for Web-based applications
• AD FS is Microsoft's implementation of the WS-
Federation Passive Requestor Profile protocol
(passive indicates that the client requirements
are just a cookie- and JavaScript-enabled Web
browser)
• AD FS implements the standards-based WS-Federation protocol and Security Assertion Markup Language (SAML).
What is AD RMS?
• Active Directory Rights Management Services: is an information protection technology that works with applications to safeguard digital information
[Diagram: an Information Author and a Recipient exchanging protected content through an RMS Server]
What does AD RMS do?
• Allows individuals and administrators to specify
access permissions to documents, workbooks,
and presentations
– prevent sensitive information from being printed,
forwarded, or copied by unauthorized people
– access and usage restrictions are enforced no matter
where the information is located
What is AD LDS?
• AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies that are required for Active Directory Domain Services (AD DS)
• AD LDS is a hierarchical file-based directory store
• AD LDS is both the directory information source and the service that makes the information available and usable
[Diagram: Active Directory LDS (manageability, security, interoperability) serving Windows Users (account information, privileges, profiles, policies), Network Devices (config, QoS policy, security policy), Email Servers (mailbox information, address book) and Applications (server config, SSO, app-specific directory info)]
What does AD LDS do?
• Lightweight Directory Access Protocol (LDAP)
– Directory service that provides flexible support for
directory-enabled applications, without the
dependencies and domain-related restrictions of AD
DS
– Provide directory services for directory-enabled
applications without incurring the overhead of
domains and forests
– No requirement for a single schema throughout a
forest
How AD LDS Works
• AD LDS is a hierarchical file-based directory store
• Uses the Extensible Storage Engine (ESE) for file storage
• AD LDS can be accessed via LDAP
• The store is organized into three partition types:
– Configuration
– Schema
– Application
What Is the AD LDS Schema?
• The AD LDS Schema defines the types of objects and data that can be created and stored in an AD LDS instance using object classes and attributes
[Diagram: the Schema Partition holds the definition for an automobile object class and for a user object class; the Application Partition holds directory objects based on the automobile object class and on the user object class]
AD LDS Users and Groups
• AD LDS provides four default, role-based groups stored in the roles container of the appropriate partitions

Role            Default Members                                                                        Default Access
Administrators  Configuration partition: AD LDS administrators that are assigned during AD LDS setup   Full access to all partitions
                Application partitions: The Administrators group from the configuration partition
Readers         None                                                                                   Read access to the partition
Users           Configuration partition: Transitively, all AD LDS users                                None
                Application partitions: Transitively, all AD LDS users that are created in the partition
Instances       Configuration partition: All instances
How Does Access Control Work in AD LDS?

AD LDS Access Control:
1. Authenticates the identity of users requesting access to the directory, allowing only successfully authenticated users into the directory
2. Uses security descriptors, called access control lists (ACLs), on directory objects to determine which objects an authenticated user can access
SAML
What is SAML?
• What is SAML?
– Security Assertion Markup Language is an XML-based standard for exchanging authentication and authorization data between security domains.

• Why is it Important?
– SAML abstracts the security away from platform
architectures and vendor implementations.
SAML 2.0 Anatomy
• Protocols
– Assertion Query and Request Protocols
– Authentication Request Protocol
– Artifact Resolution Protocol
– Name Identifier Management Protocol
– Single Logout Protocol

• Bindings
– SAML SOAP Binding
– Reverse SOAP Binding
– HTTP Artifact Binding
– SAML URI Binding

• Profiles
– SSO Profile – Most important
How Web Services Interact
• Web Service Choreography
– Relationships between web services are dynamic
– Decisions are made between individual web services
– No single web service is in control
– Typically used when web services share information
between domains

• Web Service Orchestration
– Frequently Unified
– Typical design for web services within a domain.
– One Web Service typically in control of others
Web Service Choreography
Web Service Orchestration
FILESYSTEMS
• VFS
• Optimizations
• Examples
Different types of file systems
• Local file systems
– Stored data on local hard drives, SSDs, floppy drives, optical
disks or etc.
– Examples: NTFS, EXT4, HFS+, ZFS
• Network/distributed file systems
– Stored data on remote file server(s)
– Example: NFS, CIFS/Samba, AFP, Hadoop DFS, Ceph
• Pseudo file systems
– Example: procfs, devfs, tmpfs
• “List of file systems”
– http://en.wikipedia.org/wiki/List_of_file_systems
Overall Architecture of Linux file system components

[Figure omitted] Acknowledgement: “Anatomy of the Linux file system”, IBM developerWorks.
Virtual File System (VFS)
• VFS is the essential concept in UNIX-like file systems
– Specifies an interface between the kernel and a concrete file system
• Introduced by SUN in 1985
– Passes system calls to the underlying file systems
• E.g. passes sys_write() to Ext4 (i.e. ext4_write())
• Three major metadata structures in VFS
– Metadata: the data about data (wikipedia)
– Super block, dentry and inode
– OO design
• Each component defines a set of data members and the functions to access them
Super block
• A segment of metadata that describes a file system
– Is constructed when a file system is mounted
– Usually, a persistent copy of the super block is stored at the beginning of a storage device
– Describes:
• File system type, size, status (e.g. dirty bit, read only bit)
• Block size, max file bytes, device size..
• How to find other metadata and data.
• How to manipulate these data (i.e. sb_ops)
Inode
• “Index-node” in Unix-style file systems
– All information about one file (or directory)
• Except its name
– In UNIX-like systems, file names are stored in the directory file: its content is an “array” of file names
• E.g. owner, access rights, mode, size, time, etc.
• Pointers to data
Directory Entry (dentry)
• A dentry conceptually maps a file name to its corresponding inode
– Each file/directory has a dentry representing it
– File systems use dentries to look up a file in the hierarchical namespace
• Each dentry has a pointer to the dentry of its parent directory
• Each dentry of a directory has a list of dentries of its sub-directories and sub-files
Optimizations
• Most file system optimizations are designed based on the characteristics of the memory hierarchy and storage devices.
– Recall:
• RAM: 50-100 ns
• Disks: 5-10 ms
• 2-3 orders of magnitude difference
• Almost all widely used local file systems are designed for hard disk drives, which have their own unique characteristics
Hard Disk Drive (HDD)
• Stores data on one or more rotating disks, coated with magnetic material
– Introduced by IBM in 1956
– Uses a magnetic head to read data
[Image omitted: the very early HDD vs. a modern drive]
General Optimizations
• Based on two principles:
– RAM access is much faster than access on disk
– Sequential IOs are much faster than random IOs on disk
• So we design file systems that
– Make heavy use of CPU/RAM to reduce IO to disks (various caches/write buffers)
– Prefer sequential IOs
• Compute the disk layout so that related data are arranged sequentially on disk
Dcache
• Dentry cache (dcache)
– Directories are stored as files on disks.
– For each file lookup, we want to obtain the inode from the given full file path
• The OS looks up the dentries from the root through all parent directories in the path.
– E.g. for looking up the file “/Users/john/Documents/course.pdf”, the OS needs to traverse the dentries that represent “/”, “Users”, “john”, “Documents”, and “course.pdf”
– To accelerate this:
• We use a global hash table (dcache) to map “file path” -> dentry
• A two-list solution: one for active dentries, and one for “recently unused dentries” (LRU).
Inode cache
• Similar to the dcache, the OS maintains a cache for inode objects.
– Each inode object has a 1-to-1 relation to a dentry
– If the dentry object is evicted, this inode is evicted
[Diagram: Processes (P1, P2, ... P10) hold File Objects (f0, f1, f2, f3); in the VFS these point into the Dentry Cache (hash table: Dentry 0, Dentry 10, Dentry 20), which points to the Inode Cache (Inode 0, Inode 10, Inode 20); each inode owns a Page Cache (Radix Tree: Page Cache 0, 10, 20)]
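How the dcache path walk, the LRU list of unused dentries and the dentry-to-inode pinning fit together, as an added Python model (not the lecture's or the kernel's code). The directory contents, inode numbers and the max_unused budget are constructed for this run:

```python
"""Toy model of the Linux dentry cache (dcache) and the inode cache it pins.

Added example, not code from the lecture or the kernel: a hash table from
full path to dentry, parent/child links, an LRU list of unreferenced leaf
dentries, and an inode cache whose entries die with their dentry.
"""
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed "on-disk" directory files: directory path -> {entry name: inode number}.
# Reading one of these stands in for a disk IO; no real file system is touched.
DISK_DIRS = {
    "/": {"Users": 2, "etc": 3},
    "/Users": {"john": 4},
    "/Users/john": {"Documents": 5},
    "/Users/john/Documents": {"course.pdf": 6},
    "/etc": {"passwd": 7, "hosts": 8},
}

@dataclass
class Inode:
    number: int
    is_dir: bool

@dataclass(eq=False, repr=False)      # parent/child links are cyclic, so skip generated eq/repr
class Dentry:
    path: str
    inode: Inode
    parent: "Dentry | None"
    children: dict = field(default_factory=dict)
    refcount: int = 0                 # open file objects currently using this dentry

class DentryCache:
    """Hash table (path -> dentry) plus an LRU list of unused leaf dentries."""

    def __init__(self, max_unused):
        self.max_unused = max_unused              # RAM budget for unused dentries
        self.table = {}                           # the dcache hash table
        self.unused = OrderedDict()               # LRU list, oldest first
        self.inode_cache = {}
        self.disk_reads = 0
        root = Dentry("/", Inode(1, True), None)  # root inode number 1 is constructed
        self.table["/"] = root
        self.inode_cache[1] = root.inode

    def lookup(self, path):
        """Walk the path one component at a time: cache hit, else read the parent directory."""
        dentry = self.table["/"]
        for name in [c for c in path.split("/") if c]:
            full = dentry.path.rstrip("/") + "/" + name
            child = self.table.get(full)
            if child is None:
                child = self._read_from_disk(dentry, name, full)   # slow path: disk IO
                if child is None:
                    return None                                   # ENOENT
            elif full in self.unused:
                self.unused.move_to_end(full)                     # recently used again
            dentry = child
        return dentry

    def _read_from_disk(self, parent, name, full):
        self.disk_reads += 1
        ino = DISK_DIRS.get(parent.path, {}).get(name)
        if ino is None:
            return None
        child = Dentry(full, Inode(ino, full in DISK_DIRS), parent)
        self.inode_cache[ino] = child.inode
        parent.children[name] = child
        self.unused.pop(parent.path, None)   # a parent with cached children is never pruned
        self.table[full] = child
        self.unused[full] = child            # unreferenced until someone opens it
        return child

    def open(self, path):
        """Take a reference (a file object); pinned dentries leave the LRU list."""
        dentry = self.lookup(path)
        if dentry is not None:
            dentry.refcount += 1
            self.unused.pop(dentry.path, None)
        self._prune()
        return dentry

    def close(self, dentry):
        dentry.refcount -= 1
        if dentry.refcount == 0 and not dentry.children:
            self.unused[dentry.path] = dentry
            self.unused.move_to_end(dentry.path)
        self._prune()

    def _prune(self):
        """Evict least recently used dentries; each one takes its inode with it."""
        while len(self.unused) > self.max_unused:
            path, dentry = self.unused.popitem(last=False)
            del self.table[path]
            del self.inode_cache[dentry.inode.number]   # 1-to-1 relation from the slide
            parent = dentry.parent
            parent.children.pop(path.rsplit("/", 1)[1])
            if parent.parent is not None and parent.refcount == 0 and not parent.children:
                self.unused[parent.path] = parent       # parent is now an unused leaf
```

The first open of /Users/john/Documents/course.pdf costs four directory reads; a second open of the same path costs none, and once the file dentry is pruned its inode leaves the inode cache with it.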
Page Cache
• …a “transparent” buffer for disk-backed pages kept in RAM for fast access… [wikipedia]
– A write-back cache
– Main purpose: reducing the # of IOs to disks
– Access based on page (usually 4KB).
• Page cache is per-file based.
• A radix tree in the inode object.
• Prefetch pages to serve future reads
• Absorb writes to reduce # of IOs
– The dirty (modified) pages are flushed to disks 1) periodically, every 30s or 5s, or 2) when the OS wants to reclaim RAM
• A flush can also be forced by calling the “fsync()” system call
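A write-back page cache for one file with write absorption, readahead, timed flushing and fsync(), as an added Python model (not the lecture's or the kernel's code). The 4 KB page size follows the slide; the 30 s flush interval, the RAM budget and the bytearray standing in for the disk are assumptions:

```python
"""Toy write-back page cache for one file, in the style of the slides.

Added example, not code from the lecture or the kernel. The page index ->
page mapping stands in for the per-inode radix tree; a bytearray stands in
for the disk, so the example runs offline and counts disk IOs.
"""
from collections import OrderedDict

PAGE_SIZE = 4096

class PageCache:
    def __init__(self, disk, flush_after=30, max_pages=4, readahead=1):
        self.disk = disk                    # constructed backing store: the file's bytes on disk
        self.flush_after = flush_after      # seconds a page may stay dirty before the flusher writes it
        self.max_pages = max_pages          # RAM budget; above it we reclaim (evict) pages
        self.readahead = readahead          # pages prefetched after each page read
        self.pages = OrderedDict()          # page index -> bytearray, least recently used first
        self.dirtied_at = {}                # page index -> clock value when first modified
        self.clock = 0                      # logical seconds
        self.disk_reads = 0
        self.disk_writes = 0

    def _load(self, idx):
        """Return the cached page, reading it from disk (one IO) on a miss."""
        if idx in self.pages:
            self.pages.move_to_end(idx)
            return self.pages[idx]
        self._reclaim()
        start = idx * PAGE_SIZE
        self.pages[idx] = bytearray(self.disk[start:start + PAGE_SIZE])
        self.disk_reads += 1
        return self.pages[idx]

    def _reclaim(self):
        """Free RAM: evict the least recently used pages, writing dirty ones back first."""
        while len(self.pages) >= self.max_pages:
            victim = next(iter(self.pages))
            if victim in self.dirtied_at:
                self._writeback(victim)
            del self.pages[victim]

    def _writeback(self, idx):
        start = idx * PAGE_SIZE
        self.disk[start:start + PAGE_SIZE] = self.pages[idx]
        self.disk_writes += 1
        del self.dirtied_at[idx]

    def write(self, offset, data):
        """Absorb the write in RAM: the page becomes dirty, no disk write happens yet."""
        while data:
            idx, off = divmod(offset, PAGE_SIZE)
            page = self._load(idx)
            n = min(len(data), PAGE_SIZE - off)
            page[off:off + n] = data[:n]
            self.dirtied_at.setdefault(idx, self.clock)
            offset, data = offset + n, data[n:]

    def read(self, offset, length):
        """Serve reads from RAM, prefetching the following pages for sequential access."""
        out = bytearray()
        while length > 0:
            idx, off = divmod(offset, PAGE_SIZE)
            page = self._load(idx)
            n = min(length, PAGE_SIZE - off)
            out += page[off:off + n]
            for ahead in range(1, self.readahead + 1):
                if (idx + ahead + 1) * PAGE_SIZE <= len(self.disk):
                    self._load(idx + ahead)
            offset, length = offset + n, length - n
        return bytes(out)

    def tick(self, seconds):
        """Advance time; the background flusher writes back pages dirty for too long."""
        self.clock += seconds
        for idx in [i for i, t in self.dirtied_at.items() if self.clock - t >= self.flush_after]:
            self._writeback(idx)

    def fsync(self):
        """What fsync() does for this file: force every dirty page to disk now."""
        for idx in list(self.dirtied_at):
            self._writeback(idx)

def absorb_demo(n_writes=100):
    """Many small writes to the same page cost one read and, at fsync, one write."""
    cache = PageCache(bytearray(8 * PAGE_SIZE))
    for i in range(n_writes):
        cache.write(i * 8, b"log line")     # 800 bytes, all inside page 0
    writes_before = cache.disk_writes
    cache.fsync()
    return writes_before, cache.disk_writes, cache.disk_reads
```

absorb_demo() returns (0, 1, 1): a hundred writes reach the disk as a single write, and only once fsync() forces them out.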
Examples
• Several concrete file system designs
– Ext4, classic UNIX-like file system concepts
– NTFS, advanced Windows file system
– ZFS, “the last word in file systems”
– NFS, a standard network file system
– Google File System, a special distributed file system for special requirements
Ext4
• The latest version of the “extended file system” (Ext2/3/4)
– The standard Linux file system for a long time
– Inspired by UFS from BSD/Solaris
– Groups files into block groups
• Keeps file data near to inodes

Ack: http://bit.ly/tjipWY
NTFS
• “New Technology File
System” (NTFS)
– The standard file system
in Windows world.
– A Master File Table
(MFT) contains all
metadata.
• Directory is also a file
ZFS
• ZFS: “the last word in file systems”
– The most advanced local file system in production
– 128-bit address space (2^128 bytes in theory)
• larger than the number of grains of sand on Earth…
– A lot of advanced features:
• E.g. transactional commits, end-to-end integrity, snapshots, volume management and much more…
– Will never lose data and always be consistent.
• Every OS community wants to clone or copy its features…
– Btrfs on Linux, ReFS on Windows, ZFS on FreeBSD
NFS
• “Network File System
(NFS)”
– A protocol developed by
SUN in 1984
• A set of RPC calls
– IETF standard
• Supported by all major
OSs
– Simple and efficient
Google File System (GFS)
• A large distributed file system specially designed for the MapReduce framework
– High throughput
– High availability
– Specially designed; not compatible with the VFS/POSIX API.
• Requires clients to link against the GFS library.
• Hadoop DFS clones the concepts of GFS
More File Systems
• Interesting file systems that are worth exploring
– Btrfs (B-tree FS) from Oracle, expected to be the next standard Linux file system. Many concepts are shared with ZFS.
– ReFS: The file system for Windows 8 (from Microsoft). Many concepts are shared with ZFS (too!).
– WAFL (Write Anywhere File Layout) file system from NetApp.
– FUSE (Filesystem in Userspace): a cross-platform library that allows developers to write file systems that run in user mode
STORAGE NETWORKING
• Fiber (or Fibre) Channel
• SAN
• vSAN
• Security
Glossary of Terms
• SAN – Storage Area Network. A network of switches, typically fibre channel used for carrying SCSI or
FICON traffic
• FC – Fibre Channel. A protocol used to carry SCSI or FICON packets containing IO commands from a
server to a storage array
• SCSI – Small Computer System Interface. A bus based system or protocol used to carry block based
storage commands
• iSCSI – An IP based protocol capable of carrying SCSI commands to and from storage devices
• FICON – The protocol used to carry mainframe based IO
• MDS – The Cisco family of datacenter switches capable of carrying fiber channel traffic
• VSAN – Virtual SANs. A feature capable of creating logical SANs on a physical SAN infrastructure
• FCIP – Fibre Channel over IP. The protocol used to tunnel fiber channel packets over an IP
infrastructure. Used for extending a Fibre Channel SAN over long distances
What Is Fiber Channel?
• SCSI is a standard that defines an interface between an initiator (usually a computer) and a target (usually a storage device such as a hard disk)
• Logical Unit Number (LUN): A 64-bit field within SCSI that identifies the logically addressable unit within a target SCSI device
• The SCSI I/O channel provides a half-duplex pipe for SCSI command, data, and status
• The SCSI I/O channel can be internal or external to the host
• Multiple SCSI I/O channels can exist within a host
[Diagram: host stack from Applications through File System, Block Device and SCSI Generic down to the SCSI Adapter Driver and SCSI Adapter (the SCSI Initiator), alongside the TCP/IP Stack, NIC Driver and NIC Adapter; the half-duplex I/O channel connects the SCSI Initiator to the SCSI Target]
What Is a SAN?
The SCSI I/O Channel - Starting Point
Storage Area Network (SAN)
• Same SCSI protocol carried over a network transport via serial implementation
• Transport must not jeopardize SCSI payload (security, integrity, latency)
• Two primary transports to choose from today, namely IP and Fibre Channel
• Fibre Channel provides high-speed transport for SCSI payload via Host Bus Adapter (HBA)
• Fibre Channel overcomes many shortcomings of parallel I/O and combines best attributes of a channel and a network together
• Characteristics and requirements of the SCSI protocol and emulating raw block disk to the OS define the necessary fabric capabilities and design
[Diagram: Clients on a LAN connect to Servers; the Servers connect through a Fibre Channel SAN to Block Storage Devices]
Thursday
IT APPLICATION MODELS AND ECOSYSTEM
Changing Application Models
[Diagram: Bare metal (Server -> OS -> App; Monolithic Apps), Virtualisation (Server -> Hypervisor -> one OS per VM -> App; Scale out), Containers (Server -> OS -> many Apps in containers; Microservices)]
Rapidly Evolving Container Eco-System
[Diagram of the container eco-system layers, top to bottom: Schedule/Orchestrate, Stacks, Fleet, Containers, UCP, OCI, OS]
CONTAINERS: DOCKER
• What is Docker?
Docker is an open-source project that automates the deployment of applications inside software containers, by providing an additional layer of abstraction and automation of operating system-level virtualization on Linux. [Source: en.wikipedia.org]
• Docker [www.docker.com]
Source: leo.org
• Provides a uniform wrapper around a software package:
• «Build, Ship and Run Any App, Anywhere» [www.docker.com]
– Similar to shipping containers: The container is always the same, regardless of the contents and thus fits on all trucks, cranes, ships, ...
• Docker vs. Virtual Machine
[Figure omitted] Source: https://www.docker.com/whatisdocker/
• Docker Technology
• libvirt: Platform Virtualization
• LXC (LinuX Containers): Multiple isolated Linux systems (containers) on a single host
• Layered File System
[Source: https://docs.docker.com/terms/layer/]
Run Platforms
• Various Linux distributions (Ubuntu, Fedora, RHEL, CentOS, openSUSE, ...)
• Cloud (Amazon EC2, Google Compute Engine, Rackspace)
• 2014-10: Microsoft announces plans to integrate Docker with the next release of Windows Server: https://docs.docker.com/docker-for-windows/
Hello World
Simple Command - Ad-Hoc Container
• Let’s run a hello world container.

$ docker run ubuntu /bin/echo 'Hello world'
Hello world

https://docs.docker.com/engine/tutorials/dockerizing/
Terminology - Image
• Persisted snapshot that can be run
– images: List all local images
– run: Create a container from an image and execute a command in it
– tag: Tag an image
– pull: Download image from repository
– rmi: Delete a local image (this will also remove intermediate images if no longer used)
Terminology - Container
• Runnable instance of an image
– ps: List all running containers
– ps –a: List all containers (incl. stopped)
– top: Display processes of a container
– start: Start a stopped container
– stop: Stop a running container
– pause: Pause all processes within a container
– rm: Delete a container
– commit: Create an image from a container
Image vs. Container
[Diagram: running the base image ubuntu:latest creates container cid1 (base image + cmd → new state); committing cid1 creates the new image iid1, from which containers cid2, cid3 and cid4 can be run]
Dockerfile
• Create images automatically using a build script: «Dockerfile»
• Can be versioned in a version control system like Git or SVN, along with all dependencies
• Docker Hub can automatically build images based on Dockerfiles on GitHub
Dockerfile Example
• Dockerfile:
  FROM ubuntu
  ENV DOCK_MESSAGE Hello World
  ADD dir /files
  CMD ["bash", "myScript"]
• docker build [DockerFileDir]
• docker inspect [imageId]
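The slide's Dockerfile, checked the way an image reviewer would look at it before the build ships. Added Python example, not the lecture's or Docker's code; the finding texts, the hardened rewrite and its ubuntu:22.04 tag are my assumptions:

```python
"""Build-time checks over a Dockerfile, from a defender's point of view.

Added example, not code from the lecture or from Docker. It parses the
slide's Dockerfile into (INSTRUCTION, arguments) pairs and reports choices
that make the resulting image harder to trust or to reproduce.
"""
import re

# Constructed input: the Dockerfile shown on the slide.
SLIDE_DOCKERFILE = """\
FROM ubuntu
ENV DOCK_MESSAGE Hello World
ADD dir /files
CMD ["bash", "myScript"]
"""

SECRET_LIKE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.IGNORECASE)

def parse_dockerfile(text):
    """Return (INSTRUCTION, arguments) pairs; joins line continuations, skips comments."""
    instructions, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        parts = (pending + line).split(None, 1)
        instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        pending = ""
    return instructions

def base_image_pinned(image):
    """True if the image reference carries a digest or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.split("/")[-1]           # registry prefixes may contain ':port', so look at the last part
    return ":" in last and last.rsplit(":", 1)[1] != "latest"

def check_dockerfile(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    instructions = parse_dockerfile(text)
    for instr, args in instructions:
        first = args.split()[0] if args else ""
        if instr == "FROM" and not base_image_pinned(first):
            findings.append(f"FROM {first}: base image not pinned to a tag or digest, builds are not reproducible")
        elif instr == "ADD":
            if re.match(r"https?://", first):
                findings.append(f"ADD {first}: fetches over the network at build time with no integrity check")
            else:
                findings.append(f"ADD {first}: ADD silently extracts archives, COPY is the explicit choice")
        elif instr in ("CMD", "ENTRYPOINT") and not args.startswith("["):
            findings.append(f"{instr} in shell form: runs under /bin/sh -c, so signals do not reach the process")
        elif instr in ("ENV", "ARG"):
            key = re.split(r"[= ]", args, maxsplit=1)[0]
            if SECRET_LIKE.search(key):
                findings.append(f"{instr} {key}: looks like a secret baked into an image layer")
    if "USER" not in [i for i, _ in instructions]:
        findings.append("no USER instruction: the container's process runs as root")
    return findings

# Constructed hardened rewrite of the slide's Dockerfile (the 22.04 tag is an assumption).
HARDENED_DOCKERFILE = """\
FROM ubuntu:22.04
ENV DOCK_MESSAGE="Hello World"
COPY dir /files
RUN useradd --system --no-create-home app
USER app
CMD ["bash", "myScript"]
"""
```

check_dockerfile(SLIDE_DOCKERFILE) reports the unpinned base image, the ADD and the missing USER; the hardened rewrite produces no findings.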
Docker Tools & Ecosystem
• Docker Images: Docker Hub
• Docker Swarm/Compose:
App/Cluster integration
• Kubernetes: Automated container deployment, scaling, and management
• Vagrant: VM lifecycle
management
• Automated Setup
– Puppet, Chef, Ansible, ...
• Docker Ecosystem
– skydock/skydns: Service
discovery via DNS for docker

91
Docker Hub
Docker Hub is a cloud-based registry service
• Online code repositories
• Build your images and test them
• Stores manually pushed images, and links to Docker Cloud (deploy and manage Dockerized applications)
• Centralized resource for:
– Container image discovery
– Distribution
– Change management
– User and team collaboration
– Workflow automation throughout
the development pipeline

92
Docker Use Cases
• Development Environment
• Environments for Integration Tests
• Quick evaluation of software
• Microservices
• Multi-Tenancy
• Unified execution environment (dev → test → prod; local, VM, cloud, ...)

93
PUPPET/CHEF/ANSIBLE
Configuration Management Tools
What are Puppet and Chef?

• Puppet is a next-generation server automation tool. It is composed of a declarative language for expressing system configuration, a client and server for distributing it, and a library for realizing the configuration.
• Chef is a configuration management tool written in Ruby and Erlang. It uses a pure-
Ruby, domain-specific language (DSL) for writing system configuration "recipes".
Chef is used to streamline the task of configuring & maintaining a company's
servers, and can integrate with cloud-based platforms such as Rackspace and
Amazon EC2 to automatically provision and configure new machines.
What is Ansible?
• Ansible is an IT automation engine that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs.
• It uses no agents and no additional custom security infrastructure; it uses a very simple language (YAML, in the form of Ansible Playbooks) that allows you to describe your automation jobs in a way that approaches plain English.

Sample Playbook

---
layer3ip:
  - { interface: vlan10, ip: 10.1.10.3, mask: 24 }
  - { interface: vlan20, ip: 10.1.20.3, mask: 24 }

vpc:
  domain: 100
  systempri: 2000
  rolepri: 2000
  pkl:
    src: 10.1.20.3
    dest: 10.1.20.2
    vrf: keepalive

hsrp_priority: 100

https://github.com/jedelman8/nxos-ansible
Declarative vs Imperative

Puppet (declarative):

user { 'cgascoig':
  ensure => present,
  gid    => 'admin',
}

group { 'admin':
  ensure => present,
}

Shell script (imperative):

#!/bin/bash

if ! getent group sysadmin >/dev/null
then
  echo "Group sysadmin does not exist, creating"
  groupadd sysadmin
fi

if ! getent passwd chris >/dev/null
then
  echo "User chris does not exist, creating"
  useradd --gid sysadmin chris
fi

USERGROUPID=`getent passwd chris | awk -F: '{print $4}'`
USERGROUPNAME=`getent group $USERGROUPID | awk -F: '{print $1}'`

if [ "$USERGROUPNAME" != "sysadmin" ]
then
  echo "Primary group of user chris is not sysadmin, updating"
  usermod --gid sysadmin chris
fi
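The same intent as the shell script above (group sysadmin exists, user chris exists with it as primary group), written declaratively as an Ansible playbook. This is an added example, not from the slides; it assumes the inventory group "Servers" from the later inventory slide.

```yaml
---
# Added example (not from the slides). Declarative form of the imperative
# shell script: state is described, Ansible decides what (if anything)
# needs to change on each host. Assumes [Servers] exists in the inventory.
- name: Ensure the sysadmin group and the chris account exist
  hosts: Servers
  become: yes          # the tasks need root, just as groupadd/useradd do

  tasks:
    - name: Group sysadmin is present
      group:
        name: sysadmin
        state: present

    # The user module creates the account when missing and corrects the
    # primary group when it differs, so this one task replaces the three
    # if-blocks of the imperative script and is safe to re-run.
    - name: User chris exists with sysadmin as primary group
      user:
        name: chris
        group: sysadmin
        state: present
```

Run it with `ansible-playbook --check --diff users.yml` to see what would change without changing it; a second real run reports changed=0, which is the idempotence the declarative form gives you for free.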
Why Automation?
• Tasks in code
• Collaboration
• Eliminate errors
• Write once
• Laziness
• Etc….
Why Ansible
• It is a free open source application
• Agent-less – No need for agent installation and management
• Python/YAML based
• Highly flexible configuration management of systems
• Large number of ready to use modules for system management
• Custom modules can be added if needed
• Configuration roll-back in case of error
• Simple and human readable
• Self documenting
Ansible Architecture
Installation of Ansible

Install packages below on the Server Machine

$ sudo apt-get install python-yaml python-jinja2 python-paramiko python-crypto python-keyczar ansible

Install packages below on the Client Machines

$ sudo apt-get install python-crypto python-keyczar
Create the RSA Key Pair
• The first step is to create the key pair on the Server machine
$ ssh-keygen -t rsa

• Once you have entered the Gen Key command, you will get a few
more questions:
• Enter file in which to save the key (/home/test/.ssh/id_rsa):
• Enter no password for the next prompt
• Copy the Public Key
ssh-copy-id test@192.168.85.135
• Repeat the same process for other machines you wish to login
automatically with.
• Ensure the test username has sudo access to the remote clients
Configuration of ansible
• Do the following on the Server machine
• Create the list of client machines you wish to access via this server
• vi /etc/ansible/hosts ( And enter the following lines and save file)
[Servers]
<Address #1>
<Address #2>

• Run the ping command below to see if indeed you are reaching
both client nodes
ansible -m ping all
Examples of ansible commands
• The output shows the ping succeeded for each node, as shown below
Examples of ansible commands (cont.)
• How to run commands to fetch hard drives utilization
• ansible -m command -a 'df -h' Servers

• How to run commands to fetch system uptime


• ansible -m command -a 'uptime' Servers
Examples of ansible commands (cont.)
• The full configuration environment inventory (facts) of a particular client machine can be obtained using the command below.
ansible -m setup 192.168.85.135 (output as
shown below)
Creating an ansible-playbook template
• Create a template to enable the installation of
an NTP service with content as shown below
and file saved as ntp.yml
Understanding ansible playbook
configurations
• In order to use ansible with SSH passwords you will need to install
the program below
• sudo apt-get install sshpass
• Ansible-playbook command can be executed to run the ntp.yml file
as below
ansible-playbook -k -K ntp.yml
• The -k and -K switches allow you to use your SSH key and passwordless sudo.
• Every playbook configuration begins with a triple dash (---)
• The hosts, tasks, name and action entries are the instructions that automate your NTP installation process.
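An added example playbook illustrating the elements named above (the leading triple dash, hosts, a list of tasks each with a name and a module action). It is not the deck's ntp.yml, whose contents are not reproduced here; it assumes Debian/Ubuntu clients in the [Servers] inventory group and a local files/ntp.conf next to the playbook.

```yaml
---
# Added example (not the deck's ntp.yml). Installs, configures and starts
# the NTP service on every host in the [Servers] inventory group.
# Assumes apt-based clients and an ntp.conf in ./files (both assumptions).
- name: Install and run the NTP service
  hosts: Servers
  become: yes                    # package and service changes need root

  tasks:
    - name: Install the ntp package
      apt:
        name: ntp
        state: present
        update_cache: yes

    - name: Deploy the NTP configuration
      copy:
        src: files/ntp.conf       # assumed path, relative to the playbook
        dest: /etc/ntp.conf
        owner: root
        group: root
        mode: '0644'
      notify: restart ntp         # handler runs only if the file changed

    - name: Make sure ntp is running and starts at boot
      service:
        name: ntp
        state: started
        enabled: yes

  handlers:
    - name: restart ntp
      service:
        name: ntp
        state: restarted
```

Run it exactly as on the slide, `ansible-playbook -k -K ntp.yml`; the PLAY RECAP at the end shows per-host ok/changed/failed counts, and an unchanged second run is the sign the playbook is idempotent.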
Understanding ansible playbook configurations (cont.)
• The output of the ansible-playbook command as below
Ansible Documentation
• You can find more explanation in the Ansible
Docs.
– Ad-hoc commands
– Inventories
– Variables
– Modules
– Playbook Roles
References
• Operating Systems, Sibsankar Haldar; Alex Aravind, Pearson, 2009
• The Open Group's "Unix Past": http://www.unix.org/what_is_unix/history_timeline.html
• The Technical and Social History of Software Engineering, Capers Jones, Addison-Wesley, 2013
• http://afnog.github.io/sse/ansible/Ansible_Presentation.pptx
• http://download.microsoft.com/download/5/9/8/5987FA9D-06DF-4B71-97DB-EA8E5649C126/01-Introduction%20to%20Active%20Directory.pptx
• http://download.microsoft.com/download/2/1/B/21BF1D7C-F865-4CC2-B390-FCA461498DA9/06-Active%20Directory%20Lightweight%20Directory%20Services.pptx
• NIST (National Institute of Standards and Technology), Guide to Secure Web Services: http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf
• OASIS (Organization for the Advancement of Structured Information Standards): Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0: http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf
Homework
• For next week, please read:
– Newman (ch. 2)
– Understanding IP Addressing: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13788-3.pdf
