With the work that I’ve been doing with Open Street Map (here), I’ve been provisioning Pelias (here) – an open-source implementation of geocoding. This architecture is not small (consisting of 10+ docker images, and potentially 100+GB of raw geo data) especially if you are looking to geocode the whole world. The workload (or pipeline) had 4 main stages – download, prepare, import and query.
Download – to get the raw data sources
Prepare – to get the raw data into a format that can be easily imported
Import – to import the data into the elastic search (which is the backend)
Query – to accept geocode queries
Each of these stages have different performance characteristics and required different resources. The main thing that I’m looking at here is the use of compute. The need for compute during the prepare and import stages is significantly different from the download and query stages. I’m also not confidently in terms of when or how much I need.
And this is why I configured a burstable instance.
Here’s a couple of things to know …
There is a baseline utilisation OCPU. Consider this as a the minimum compute you want. For my scenario, it was primarily how much compute that I needed for the download and query stages.
There is full utilisation OCPU. Where this is can be 2x or 8x the baseline utilisation. (in the terms of the documentation – the baseline utilisation can be either 12.5% or 50% of the full utilisation OCPU). For my scenario, it was primarily the prepare and import stages that needed the additional compute.
The increased capacity is based upon the CPU utilisation metrics to determine whether to burst.
The average CPU utilisation for the month needs to up to the baseline utilisation OCPU.
Burstable Instances billing is known. It doesn’t come with Bill Shock.
You can find out more about Oracle Cloud Infrastructure burstable instances (here). If you want to try this out yourself or work on your own application, sign-up (here) for the free Oracle Cloud Trial. I’d be interested to hear your experiences and learn from others as well. Leave a comment or contact me at email@example.com if you want to collaborate.
Each of us will read this from our own perspective. Equally diverse are the outcomes and the actions that you might want to take away from this. So, I ask you: Be open. Find the opportunity. And execute.
This is something that we’ve built for the purposes of an infrastructure demonstration of Oracle Cloud Infrastructure (OCI). The code is available in an open public github repository and we’ve written articles on specific capabilities. We are open to collaborate in building more scenarios which allows this demonstration to scale.
After building out the OCI Arcade on Oracle Always Free Tier (check out a recent blog here), I was on a roll. What was next? The inspiration came after a virtual session with some other mentors that I was working with. The need to share code, have an environment that was easy to use as well as provide a method of multiples users developing in the same workspace.
I remembered back in 2016, that I used Cloud9 which was a development environment that I could plug into with a full Java environment. We used to for our Developer Experience workshop for some client-side dev (with the client-side installation issues). Cloud9 which since got bought by AWS. And then a few years ago, Eclipse Che and Codenvy surfaced as a potential alternative. It’s still around and going strong from what I see. And I dug a little deeper into Che and found that Che’s browser-based development environment is based upon a project called Theia – a Cloud and Desktop IDE. … So bingo … here it is Theia-IDE deployed into Oracle Always Free Tier for cloud-based / browser development environment. Check out more about what we did.
(Update – 3 December 2021 – There’s been some changes to the docker hub images that were originally used. They are no longer available and hence this is currently broken if you try it. I’ve been investigating the use of the Theia-Blueprint repository to build the cloud environment which seems to be going ok. More to come).
I’ve started posting articles related to the project that @stantanev and a few of us are working on. This is snapshot of the puzzle that is to build out a APIs on the Oracle Always Free Tier.
As a demonstration of capability, we built a few different APIs using fnproject (https://fnproject.io/) – an open-source container-native serverless platform. As part of Oracle Cloud Infrastructure, there’s Oracle Functions which is the managed Function-as-a-Service based upon this same project.
Let’s take a look at it here and see what it took to get going. Also, this is being deployed into VM.Standard.E2.1.Micro compute shapes (which is 1 OCPU and 1GB of memory) and hence there are some considerations to make sure we get the most out of the kit we have access to (for free).
On August 17th, we’ll be announcing winners of the #BuildWithAI hackathon and it will be live-streamed on youtube – https://youtu.be/URuB0FtBIJo (note – set your reminder). Cassie Kozyrkov (Chief Decision Scientist, Google), Steve Nouri (Board Member, Hackmakers), Cherie Ryan (Regional MD of ANZ and VP, Oracle) as well as an all-star judging line-up will be there.
Before we get to that, lets rewind, fast-forward and bring together some of the interesting points of the #BuildWithAI hackathon – an event that was truly global in its nature hosted by Hackmakers (https://hackmakers.com/).
July 24th 11:45am AEST – I received a calendar alert for the Leader Mentor Zoom session for the #BuildWithAI hackathon. Trying to finish as many of the things that I needed to get done before I joined this call. This will be interesting. Watching the number of competitors join the event’s slack workspace climbing from a hundred users when I first joined, to now over 3,500 users in the #introductions channel, it was an unique experience. I’m thinking about lots of different things from past hackathons that I’ve participated, mentored, sponsored, hosted – how will this one be any different. I’ll just have to wait and see. And better yet, give to the community and the competitors as much as I can in the time we have.
This moment was not the beginning nor the end of this experience. It was somewhere in between. I’ll give you some background.
Over the past couple of weeks, there’s been another Viz for Social Good project that was running. For this project, the supporter was Kiron Open Higher Education (https://kiron.ngo/en/) – an organisation that is providing a learning platform for refugees and underserved communities in the Middle East.
The project was to put a spotlight on refugees and immigrants and was linked to the virtual refugee conference called Amplify Now (https://virtualrefugeeconference.com/). Submitted projects went into the running to be featured at the conference itself.
Kubernetes is a great platform to run microservices, there is no question about it. It has great features like Horizontal Pod Autoscaler and Cluster Autoscaler that make it very easy to scale whole applications depending on current or forecasted load. However with auto-scaling there are a few considerations that we need to keep in mind and one of the most important ones is that containers are ephemeral, which implies that we need to design our applications in such a way that they can scale, without compromising data persistency. There are multiple techniques available to make this possible. A common way to achieve this, is by using Persistent Volumes (PV) and Persistent Volumes Claims (PVC), that hook via the CSI (Container Storage Interface) into external disk volumes. This helps maintain state outside containers, allowing them to scale without compromising the data.
Also, with the constant embrace of Cloud providers to kubernetes, these solutions are quickly also evolving and becoming more sophisticated and easier to use. For example, now days we can extend the use of PVC with Storage Classes, implemented by the different Cloud vendors. This make the whole PV/PVC experience so enjoyable, as these storage classes become responsible to interface into the Cloud vendor IaaS land and create resources that we simply declared, while we keep reading and writing data in persistent disks.
Now, with this constant multi-cloud endorsement with kubernetes, it was a matter of time, until Cloud vendors decided to differentiate themselves by allowing the use of foreign cloud services, as first-class citizens in kubernetes. Just imagine, having the ability to use a PaaS service from “Cloud Vendor A”, seamlessly from within my kubernetes cluster that is running on “Cloud Vendor B”. The piece of magic that makes this possible is called, Open Service Broker (OSB), which is really not magic, but just a bunch of APIs that allow the control plane in kubernetes to interact with Cloud services.
In this blog, I am going to show you how to consume Oracle Cloud Infrastructure (OCI) resources from within kubernetes using the Open Service Broker. Specifically, I am going to let my kubernetes control plane to fully manage an OCI Autonomous Transaction Processing DB (ATP), as if it was a native kubernetes resource… And by the way, I am going to use OKE (Oracle managed Kubernetes), but you could very well use Google/AWS/Azure Kubernetes elsewhere and still consume OCI resources. How cool is that?
In a recent blog, I explained how to approve in Kubernetes external certificate signing requests from end users. This way, users can then simply use their private keys to authenticate into Kubernetes API server. Further to this, Role Based Access Control (RBAC) can be put in place to authorise access to resources in kubernetes clusters. This is amazing and provides some level of governance, however there is a caveat, since kubernetes does not hold neither users nor groups, the identities must exist outside the cluster somewhere else. If we create external CSRs with non-existent users and groups, soon it will become very hard to properly manage all the identities, especially if we have to maintain multiple users accessing the cluster. This is yet another area that gets highly simplified when Cloud vendors embrace kubernetes as first class citizens.
In this blog, I am going to show you how to create and manage your identities in OCI IAM and simply, using such identities to access Oracle Container Engine for Kubernetes (OKE) clusters and authorise access to resources.
In a nutshell, this is what I am going to do:
Create a new user/group in OCI IAM
Configure an OCI policy to grant access to my user’s group to access the OKE clusters
Create Roles and Role Bindings (RBAC) in OKE to authorise our user to access OKE resources
Download a kubeconfig set for my new user using token validation
Kubernetes has been proven the best way that we have today to run microservices deployments, whether it is via a Serverless approach or by managing your own deployments in the cluster. This has solidified with the strong adoption of Kubernetes by all the major Cloud Vendors, as the strategic way to orchestrate containers and run serverless functions.
However, one of the situations that we need to be mindful, is that kubernetes creates by default a super powerful user that has full access to almost every resource in the cluster (accessible via kubectl or directly though APIs). This is very convenient for most dev & test scenarios, but it is imperative that for production workloads, we limit such power and use Role Base Access Control (RBAC), stable since version 1.8, for fine-grained authorisation access control to kubernetes cluster resources.
For the purpose of this demo, I am assuming some familiarity with Kubernetes and kubectl. I will mainly focus on the Authentication and Authorisation aspects that allow us to use Client certificates to get access to protected resources in a Kubernetes cluster.
In a nutshell this is what I am going to do:
Create and use Client certificates to authenticate into a Kubernetes cluster
Create a Role Base Access Control to fine grain authorise resources in the Kubernetes cluster
Configure kubectl with the new security context, to properly limit access to resources in the Kubernetes cluster.
Oracle recently introduced a Web Application Firewall (WAF) to further enhance and secure Oracle Cloud Infrastructure offerings. The Oracle Cloud Infrastructure WAF is based on Oracle Zenedge and Oracle Dyn technologies. It inspects all traffic destined to your web application origin and identifies and blocks all malicious traffic. The WAF offers the following tools, which can be used on any website, regardless of where it is being hosted:
Over 250 robust protection rules that include the OWASP rulesets to protect against SQL injection, cross-site scripting, HTML injection, and more
In this post, I configure a set of access control WAF policies to a website. Access control defines explicit actions for requests that meet conditions based on URI, request headers, client IP address, or countries and regions.