Group items tagged

Serverless can also mean applications where some amount of server-side logic is still written by the application developer but unlike traditional architectures is run in stateless compute containers that are event-triggered, ephemeral (may only last for one invocation), and fully managed by a 3rd party.

‘Functions as a service

AWS Lambda is one of the most popular implementations of FaaS at present,

A good example is Auth0 - they started initially with BaaS ‘Authentication as a Service’, but with Auth0 Webtask they are entering the FaaS space.

a typical ecommerce app

a backend data-processing service

with zero administration.

FaaS offerings do not require coding to a specific framework or library.

Horizontal scaling is completely automatic, elastic, and managed by the provider

Functions in FaaS are triggered by event types defined by the provider.

from a deployment-unit point of view FaaS functions are stateless.

allowed the client direct access to a subset of our database

deleted the authentication logic in the original application and have replaced it with a third party BaaS service

The client is in fact well on its way to becoming a Single Page Application.

implement a FaaS function that responds to http requests via an API Gateway

port the search code from the Pet Store server to the Pet Store Search function

replaced a long lived consumer application with a FaaS function that runs within the event driven context

server applications - is a key difference when comparing with other modern architectural trends like containers and PaaS

the only code that needs to change when moving to FaaS is the ‘main method / startup’ code, in that it is deleted, and likely the specific code that is the top-level message handler (the ‘message listener interface’ implementation), but this might only be a change in method signature

With FaaS you need to write the function ahead of time to assume parallelism

Most providers also allow functions to be triggered as a response to inbound http requests, typically in some kind of API gateway

you should assume that for any given invocation of a function none of the in-process or host state that you create will be available to any subsequent invocation.

FaaS functions are either naturally stateless

certain classes of long lived task are not suited to FaaS functions without re-architecture

if you were writing a low-latency trading application you probably wouldn’t want to use FaaS systems at this time

An API Gateway is an HTTP server where routes / endpoints are defined in configuration and each route is associated with a FaaS function.

API Gateway will allow mapping from http request parameters to inputs arguments for the FaaS function

API Gateways may also perform authentication, input validation, response code mapping, etc.

the Serverless Framework makes working with API Gateway + Lambda significantly easier than using the first principles provided by AWS.

Apex - a project to ‘Build, deploy, and manage AWS Lambda functions with ease.'

'Serverless' to mean the union of a couple of other ideas - 'Backend as a Service' and 'Functions as a Service'.

set it explicitly with the :strategy_class option

explicitly tell OmniAuth where to locate your ca_certificates file

make your model (e.g. app/models/user.rb) omniauthable

devise_for :users was already added to your config/routes.rb

user_omniauth_authorize_path(provider) user_omniauth_callback_path(provider)

devise does not create *_url methods

The symbol passed to the user_omniauth_authorize_path method matches the symbol of the provider passed to Devise's config block

After inserting their credentials, they will be redirected back to your application's callback method

tell Devise in which controller we will implement Omniauth callbacks

find_for_facebook_oauth

implement the method below in your model

All information retrieved from Facebook by OmniAuth is available as a hash at request.env["omniauth.auth"]

Devise removes all the data starting with "devise." from the session whenever a user signs in, so we get automatic session clean up

We pass the :event => :authentication to the sign_in_and_redirect method to force all authentication callbacks to be called

tries to find an existing user by provider and uid or create one with a random password otherwise.

Devise's RegistrationsController by default calls "User.new_with_session" before building a resource

if we need to copy data from session whenever a user is initialized before sign up, we just need to implement new_with_session in our model

Docker under the hood creates IPTable rules so containers can't reach other containers unless you'd want to

Træfik can listen to Docker events and reconfigure its own internal configuration when containers are created (or shut down).

Enable the Docker provider and listen for container events on the Docker unix socket we've mounted earlier.

Enable automatic request and configuration of SSL certificates using Let's Encrypt. These certificates will be stored in the acme.json file, which you can back-up yourself and store off-premises.

there isn't a single container that has any published ports to the host -- everything is routed through Docker networks.

Thanks to Docker labels, we can tell Træfik how to create its internal routing configuration.

container labels and service labels

With the traefik.enable label, we tell Træfik to include this container in its internal configuration.

Service labels allow managing many routes for the same container.

When both container labels and service labels are defined, container labels are just used as default values for missing service labels but no frontend/backend are going to be defined only with these labels.

Always specify the correct port where the container expects HTTP traffic using traefik.port label.

With the traefik.frontend.auth.basic label, it's possible for Træfik to provide a HTTP basic-auth challenge for the endpoints you provide the label for.

pulling from git is slow.

Support for containers has existed in the Linux kernel since version 2.6.24 when cgroup support was added

All of the logic that used to live in your cookbooks/playbooks/manifests/etc now lives in a Dockerfile that resides directly in the repository for the application it is designed to build

All of the dependencies of the application are bundled with the container which means no need to build on the fly on every server during deployment.

Containers bring standardization which allows for systems like centralized logging, monitoring, and metrics to easily snap into place no matter what is running in the container.

Dockerfiles do not give you the same level of control over configuration as your application transitions between environments, like dev, staging, and production.

configuration management systems now have hooks for docker integration.

Config management will only be used to install Docker, an orchestration system, configure PAM/SSH auth, and tune OS sysctl values.

You can access the service on port 443 of any swarm node. Docker sends the requests to the node which is running the service.

--publish published=443,target=443

The most important aspect is that a load balanced cluster of registries must share the same resources

S3 or Azure, they should be accessing the same resource and share an identical configuration.

you must make sure you are properly sending the X-Forwarded-Proto, X-Forwarded-For, and Host headers to their “client-side” values. Failure to do so usually makes the registry issue redirects to internal hostnames or downgrading from https to http.

A properly secured registry should return 401 when the “/v2/” endpoint is hit without credentials

registries should always implement access restrictions.

REGISTRY_AUTH=htpasswd

REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd

The registry also supports delegated authentication which redirects users to a specific trusted token server. This approach is more complicated to set up, and only makes sense if you need to fully configure ACLs and need more control over the registry’s integration into your global authorization and authentication systems.

If your image is available on a private registry which requires login, use the --with-registry-auth flag

When you update a service, Docker stops its containers and restarts them with the new configuration.

When updating an existing service, the flag is --publish-add. There is also a --publish-rm flag to remove a port that was previously published.

To update the command an existing service runs, you can use the --args flag.

force the service to use a specific version of the image

When you run service update with the --image flag, the swarm manager queries Docker Hub or your private Docker registry for the digest the tag currently points to and updates the service tasks to use that digest.

You can publish a service task’s port directly on the swarm node where that service is running.

You can rely on the routing mesh. When you publish a service port, the swarm makes the service accessible at the target port on every node, regardless of whether there is a task for the service running on that node or not.

To publish a service’s ports externally to the swarm, use the --publish <PUBLISHED-PORT>:<SERVICE-PORT> flag.

Users: cn=users,cn=accounts,$SUFFIX Groups: cn=groups,cn=accounts,$SUFFIX

The reason to use an account like this rather than creating a normal user account in IPA and using that is that the system account exists only for binding to LDAP. It is not a real POSIX user, can't log into any systems and doesn't own any files.

This use also has no special rights and is unable to write any data in the IPA LDAP server, only read.

When possible, configure your LDAP client to communicate over SSL/TLS.

/etc/openldap/ldap.conf

Copy the keyfile to each server hosting the replica set members.

the user running the mongod instances is the owner of the file and can access the keyfile.

For each member in the replica set, start the mongod with either the security.keyFile configuration file setting or the --keyFile command-line option.

You can use role-based access control (RBAC) and other security mechanisms to make sure that users and workloads can get access to the resources they need, while keeping workloads, and the cluster itself, secure. You can set limits on the resources that users and workloads can access by managing policies and container resources.

you need to plan how to scale to relieve increased pressure from more requests to the control plane and worker nodes or scale down to reduce unused resources.

Managed control plane: Let the provider manage the scale and availability of the cluster's control plane, as well as handle patches and upgrades.

The simplest Kubernetes cluster has the entire control plane and worker node services running on the same machine.

You can deploy a control plane using tools such as kubeadm, kops, and kubespray.

Secure communications between control plane services are implemented using certificates.

Separate and backup etcd service: The etcd services can either run on the same machines as other control plane services or run on separate machines

Create multiple control plane systems: For high availability, the control plane should not be limited to a single machine

Some deployment tools set up Raft consensus algorithm to do leader election of Kubernetes services. If the primary goes away, another service elects itself and take over.

Groups of zones are referred to as regions.

if you installed with kubeadm, there are instructions to help you with Certificate Management and Upgrading kubeadm clusters.

Production-quality workloads need to be resilient and anything they rely on needs to be resilient (such as CoreDNS).

Add nodes to the cluster: If you are managing your own cluster you can add nodes by setting up your own machines and either adding them manually or having them register themselves to the cluster’s apiserver.

Set up node health checks: For important workloads, you want to make sure that the nodes and pods running on those nodes are healthy.

Authentication: The apiserver can authenticate users using client certificates, bearer tokens, an authenticating proxy, or HTTP basic auth.

Authorization: When you set out to authorize your regular users, you will probably choose between RBAC and ABAC authorization.

Role-based access control (RBAC): Lets you assign access to your cluster by allowing specific sets of permissions to authenticated users. Permissions can be assigned for a specific namespace (Role) or across the entire cluster (ClusterRole).

Attribute-based access control (ABAC): Lets you create policies based on resource attributes in the cluster and will allow or deny access based on those attributes.

Set limits on workload resources

Set namespace limits: Set per-namespace quotas on things like memory and CPU

Prepare for DNS demand: If you expect workloads to massively scale up, your DNS service must be ready to scale up as well.