    Basalt at Red Hat Summit 2017

    7 June 2017

    This year's Red Hat Summit was held in Boston, Massachusetts, and Basalt was there to check the pulse of one of the largest companies in the Linux ecosystem. It was a three-day conference with a good mix of keynotes, labs and sessions, all housed inside the Boston Convention and Exhibition Center.

    As in previous years, this year's summit had a theme. Theme of the year: The Individual. Red Hat wanted to shine some light on the otherwise fairly anonymous system administrator who keeps the lights on and drives the organization's IT systems into the modern world. However, apart from the keynotes and the stronger focus on this year's Red Hat Professional of the Year, the theme had no obvious effect on the content of the sessions or labs.

    Just as well, since we did not travel all the way to Boston for a nice theme; we wanted technology. And boy did we get it.

    Red Hat’s Portfolio
    One of the first keynotes summarized the various product offerings from Red Hat and put them in relation to each other and to the IT system as a whole. A few products stood out more than the others for our company.

    Red Hat Atomic Host
    Link: https://www.redhat.com/en/resources/red-hat-enterprise-linux-atomic-host

    Just as Red Hat Enterprise Virtualization is a scaled-down version of Red Hat Enterprise Linux with just enough services to run virtual machines, Red Hat Atomic Host contains just enough software to run containers. This not only minimizes the attack surface but also makes life cycle management of the product a whole lot easier. This is definitely something we are looking into and evaluating here at Basalt HQ.

    One new feature Red Hat is working on here is the ability to [upgrade OSTree without the need for a reboot].

    Red Hat Satellite
    Link: https://www.redhat.com/en/technologies/management/satellite

    Satellite is Red Hat’s product for managing multiple servers, both physical and virtual. While version 5 was based on SpaceWalk, Satellite 6 has instead moved to Foreman as its upstream project.

    Foreman currently does not support installing Windows over PXE. There is work going on to realize this but since the feature is not highly requested it may take 1-2 years before it’s complete.

    As we currently have a mixed physical environment, this means that Foreman and Satellite are not an option for us today, but we are keeping an eye on them, as they offer a wide array of features that would make life cycle management of our physical infrastructure a whole lot easier, especially in larger deployments.

    Red Hat Insights
    Link: https://www.redhat.com/en/technologies/management/insights

    Another relatively new offering is Red Hat Insights. It is a hosted service that evaluates your servers from a security and performance standpoint, giving you a list of the vulnerabilities that exist on your systems. One benefit over other vulnerability scanners is that Red Hat Insights produces fewer false positives, because it knows when a downstream patch has closed a vulnerability even though the same version is still vulnerable in the upstream project.
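    To make the false-positive point concrete, here is an added Python example (not Insights code, and not from Basalt or Red Hat) that contrasts a naive upstream-version comparison with a check that also consults the package changelog, where RPM builds record the CVE ids of backported fixes (`rpm -q --changelog <pkg>`). Every package name, version and CVE id below is a constructed placeholder.

```python
"""Backport-aware vulnerability evaluation (added example, not Insights code).

A naive scanner compares the installed upstream version with the version in
which a CVE was fixed upstream. Enterprise distributions usually backport the
fix and keep the old version string, so that comparison alone produces false
positives. RPM-based distributions record the CVE ids a build addresses in the
package changelog (`rpm -q --changelog <pkg>`), so a backport-aware check
consults that as well. Every package, version and CVE id below is a
constructed placeholder.
"""
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def version_tuple(version: str) -> tuple:
    """Turn a dotted upstream version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Package:
    name: str
    version: str      # upstream version as reported by the package manager
    changelog: str    # text in the style of `rpm -q --changelog`

    def fixed_cves(self) -> frozenset:
        """CVE ids mentioned in the changelog, i.e. backported fixes."""
        return frozenset(CVE_RE.findall(self.changelog))


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    fixed_in: str     # first upstream version that contains the fix


def naive_is_vulnerable(pkg: Package, adv: Advisory) -> bool:
    """Version comparison only: flags every build older than the upstream fix."""
    return version_tuple(pkg.version) < version_tuple(adv.fixed_in)


def backport_aware_is_vulnerable(pkg: Package, adv: Advisory) -> bool:
    """Version comparison, then clear the finding if the fix was backported."""
    if not naive_is_vulnerable(pkg, adv):
        return False
    return adv.cve not in pkg.fixed_cves()


# Constructed sample inventory: names, versions, changelogs and CVE ids are placeholders.
PACKAGES = {
    "libfoo": Package(
        name="libfoo",
        version="1.0.1",
        changelog=(
            "* Tue Jun 06 2017 Maintainer <maint@example.com> - 1.0.1-5\n"
            "- Resolves: CVE-0000-0001 (fix backported from 1.0.2)\n"
        ),
    ),
    "libbar": Package(
        name="libbar",
        version="2.3.0",
        changelog="* Mon May 01 2017 Maintainer <maint@example.com> - 2.3.0-1\n- Rebase\n",
    ),
    "libbaz": Package(name="libbaz", version="3.2.0", changelog=""),
}

ADVISORIES = [
    Advisory(cve="CVE-0000-0001", package="libfoo", fixed_in="1.0.2"),
    Advisory(cve="CVE-0000-0002", package="libbar", fixed_in="2.4.0"),
    Advisory(cve="CVE-0000-0003", package="libbaz", fixed_in="3.1.0"),
]


def scan(packages: dict, advisories: list) -> dict:
    """Evaluate every advisory both ways; keys are (package, cve)."""
    results = {}
    for adv in advisories:
        pkg = packages.get(adv.package)
        if pkg is None:
            continue  # package not installed: nothing to report
        results[(pkg.name, adv.cve)] = {
            "naive": naive_is_vulnerable(pkg, adv),
            "backport_aware": backport_aware_is_vulnerable(pkg, adv),
        }
    return results


def false_positives(results: dict) -> list:
    """Findings a naive scanner would raise that the backport-aware check clears."""
    return sorted(k for k, v in results.items() if v["naive"] and not v["backport_aware"])


if __name__ == "__main__":
    for (name, cve), verdict in scan(PACKAGES, ADVISORIES).items():
        print(f"{name:8} {cve}  naive={verdict['naive']!s:5}  "
              f"backport_aware={verdict['backport_aware']}")
```

    Running the block shows the constructed `libfoo` build flagged by the version comparison but cleared once the changelog entry for the backported fix is taken into account; `libbar` stays vulnerable under both checks, and `libbaz` is already at a fixed version. A real scanner would of course have to trust the changelog source, which is why a vendor-maintained service has an advantage here.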

    Another neat feature of Insights is that you can generate an Ansible Playbook to automatically mitigate all your affected servers, either by running the playbook manually against your hosts or by sending it to Ansible Tower, where it will be applied to the servers in the next run.

    The hosted nature of Insights might scare some people off. But the data that is sent can be fully inspected, even processed and obfuscated if required, and if you have Satellite it can be used as a proxy for sending data to Red Hat.

    Insights is thus an interesting offering, and we might look into supporting it for customers with Internet-connected systems who are OK with sending data to Red Hat.

    Red Hat OpenStack
    Link: https://www.redhat.com/en/technologies/linux-platforms/openstack-platform

    One of the very first distributions of OpenStack came from Red Hat. However, when we at Basalt evaluated the distributions we settled on [Kolla] because it, in contrast to RDO, the upstream project for Red Hat OpenStack, uses containers instead of virtual machines for deployment. This makes management, upgrades and scaling much easier than the traditional deployment strategies, and it is also a boost to security, as we can further lock down the physical servers.

    Red Hat is not sitting idle, though. They have noticed that containerized deployments of OpenStack are all the rage right now and are planning to move RDO in the same direction. In fact, they are going to use the container images from the Kolla project for this move, which is planned to take effect in OpenStack version 14.

    Just another example that we at Basalt know good technology when we see it.

    We are definitely interested in how this develops and in what Red Hat brings to the Kolla table.

    Red Hat OpenShift
    Link: https://www.openshift.com/

    One of Red Hat's biggest products aside from RHEL is their Platform-as-a-Service, OpenShift. At the summit they announced the new [OpenShift.io] service, which wraps OpenShift Online in a whole development environment covering planning, testing and CI/CD.

    While we are not a development shop, we are in the business of building great platforms, and for customers looking for an on-premises PaaS, Red Hat OpenShift is at least something to look into. Especially since our Delivery Pipeline features GitLab, which has great support for OpenShift.

    Ansible
    Link: https://www.redhat.com/en/technologies/management/ansible

    While Red Hat has previously used Puppet a lot for orchestration, it seems that they are shifting more and more focus toward Ansible: most of their new offerings talk only about Ansible support, while Puppet is mentioned only in products such as Satellite, where it has been used since before the acquisition of Ansible.

    Our gut feeling is that Red Hat will continue to focus on Ansible, and our experience with it has so far been really good. At least on Linux; it still feels a bit lacking on the Windows platform.

    We also miss some of the great testing support that we have grown used to with Chef. If that piece of the puzzle is solved, we might look into expanding our use of Ansible even more.

    Observed market trends
    When attending the summit we noticed a few trends that seem to be running through the market right now.

    Containers
    First of all is the focus on containers and microservices. As more and more companies move toward microservices, they are looking for better life cycle management, and that is where solutions such as Kubernetes come in. There is also great interest in OpenShift, which is built upon Kubernetes and thus has microservices built right into its core. We believe this trend will only continue, and with Microsoft also moving in this direction it is worth not only keeping an eye on but getting involved with.

    As a consequence of the growing use of containers, industry actors are starting to call for standardization of the technology, to ensure it is independent of any single vendor. It seems that Red Hat is taking a leading role in this movement through the [Open Container Initiative], trying to remove some of the control that Docker Inc currently has over the container market. The OCI project has defined standards for tasks such as:
    – Pulling and pushing images to/from a registry
    – Running a container image
    – Building a container image
    – Orchestrating containers

    How Docker will respond to this is so far uncertain. They have, for example, decided to use the reference implementation of the container runtime (runc) in their own products, but we are hard pressed to believe that they will welcome the initiative with open arms. But please, prove us wrong, Docker.

    Red Hat is continuing to focus on Atomic Host and will move more and more of the operating system into containers. After launching OCI they created what is called a *system container*, a new class of containers that are read-only and managed by systemd for prioritization. The goal is to move every service except systemd into a container, even docker! Eventually most software from Red Hat may ship as both an RPM and a container image.

    Security
    Another trend is the ever-increasing focus on security. Red Hat continues to talk about security as something embedded into all their products, from bare metal to the user consuming the service. Some interesting things Red Hat is currently working on are:
    – Improving continuous compliance with multiple standards using tools such as *Atomic Scan*
    – Adding support for memory encryption using [Intel SGX]
    – Making it easier to patch systems with built-in Ansible support in Insights
    – Supporting TPM 2.0 and vTPM
    – Digitally signed container images
    – [Network Bound Disk Encryption]

    Planning is dead
    Jim Whitehurst, the CEO of Red Hat, had a big slide in his keynote with the words *"Planning is dead"*. The reason for this bold statement is that in the modern world technology moves so fast that it is impossible to plan the way we are used to. The only certainty you have is that you will be wrong.

    So instead of focusing on where you will be at a given time in the future it is better to focus on where you are now and what direction you are heading. Then keep yourself open to abruptly change direction whenever the world changes around you.

    This means that instead of churning out polished and detailed plans, an organization must focus on being able to change, and do so quickly. The challenge is not to predict an unpredictable world (you can’t) but to be able to change quickly enough to stay ahead.

    [OpenShift.io]: https://openshift.io/
    [Kolla]: https://wiki.openstack.org/wiki/Kolla
    [Open Container Initiative]: https://www.opencontainers.org/
    [Network Bound Disk Encryption]: http://www.freeipa.org/page/Network_Bound_Disk_Encryption
    [Intel SGX]: https://en.wikipedia.org/wiki/Software_Guard_Extensions
    [upgrade OSTree without the need for a reboot]: https://github.com/projectatomic/rpm-ostree/issues/639