Monday 22 February 2016

Promoting the safe use of open source software

No company still downloads OSS from the internet and uses it in production with no checks, do they? No one would ever download pre-built OSS and use it. Would they?

Of course, you download the source code (so it can be scanned for vulnerabilities) and build it yourself so it's open and transparent what version of what software you are using. Not doing this opens your company up to a potential security nightmare.

Imagine, after a production outage, tracing the culprit to the unchecked use of OSS. Perhaps the OSS binary is not what you thought it was and/or it has a virus built into it. You don't know unless you build it yourself from source.

The use of OSS is growing year on year. The IDC says that OSS is 30% or more of the code at major Global 2000 organizations. But, surprisingly, the use of OSS is frequently uncontolled and unregulated. Do you know what OSS your company is using? Is it controlled?

Typically, even if the binaries are built from source, we don't really know which applications in which environments are using what. Something that is frequently neglected is the tracking of software installed on each server which can be used to quickly assess impact when vulnerable OSS is disclosed.

With Vamos Deploy all dependancies are transparent and visible. When a library is reported as being vulnerable you can assess your exposure by asking Vamos Deploy which applications use it and which servers this OSS is installed in. This is irrespective of OS type (Linux, Windows) or the language used (Java, C++, Python etc).

Vamos Deploy encourages the regulated, safe use of OSS. As the saying goes, "Lets be careful out there!"

Friday 12 February 2016

The down-to-Earth view of application deployment


View of the Earth from the International Space Station. Thanks to Nasa.

One area that I have been concentrating on for a while now is the automated delivery of software that actually works. This has recently become a hot topic with Continuous Integration and Continuous Delivery being discussed. The DevOps banner is being used for wider discussions which include the breaking down of barriers between teams to increase co-operation. This is all good stuff and a step in the right direction in an area which has long been neglected. Companies are now starting to invest in how they deliver their software. But they may just be saving up problems for the future.

Configuration management and release orchestration

The new technologies (Ansible, Chef, Puppet) in this space have the ability to drastically reduce the amount of time it takes to deliver a 'working' host. Many a time I've witnessed a host ping-ponging between Sys Admins and Dev teams before it's fit for use. The Dev teams don't specify exactly what they need and the System Admins don't automate it for future use. With DevOps we break this cycle and bring the efficiencies of automation to OS builds.

But these technologies leave fundamental gaps in the delivery of application software. Let's think this through a bit :

I have an application called Saturn that:

  • comprises of 10 different processes that each serve a different purpose;
  • each process has a different binary package;
  • uses Java 1.6 and has a list of dependant libraries;
  • is not resource intensive so its processes can co-habitate with other applications on a host and;
  • has configuration that needs to differ between environments.

We don't have the luxury of a dedicated host so Saturn shares hosts with other applications. In fact, in Dev and UAT we have multiple instances of Saturn running and even many different versions of Saturn running on the same host. If we are to share it's essential for the application to be a good neighbour so it doesn't have to be isolated. But without the right tools, sharing of resources can cause conflicts. Here is why:

There is another team that are building Pluto and they are using Java 1.8. This is one of the applications that share hosts with Saturn. Instantly we see a conflict in the version of Java used. We could hardcode the Java version we use but that reduces our application portability.

We then discover that Saturn and Pluto use different versions of the same Java libraries. How do we cope with that? We could embed these libraries in our application but that seems rather clumsy, encourages duplication and reduces visibility of usage. This is a wider problem than just Java. There are two other teams that own Jupiter and Mars which are written in Python. They have very similar problems with the use of conflicting versions of Python and Python libraries. These problems stem from the reliance on the underlying OS build to fulfill runtime dependancies.

When resource sharing we need a tool that prevents dependancy conflicts.

There are similar conflicts when we look at the application binaries. We are making our lives unneccessarily difficult if we don't have tooling that provides functionality to:

  • easily manage multiple versions of the application software on a single host;
  • select/update binary versions used in each environment;
  • give transparancy and visibility of environment and configuration settings and;
  • automate the removal of unused software for effective disk management.

Storing your application binaries and libraries in a repository makes perfect sense. Yum is frequently used to hold RPMs that are built containing the application software. But this is for RedHat-based Linux distros; what about Debian-based distros and of course Windows and OS X? This is highly restrictive! We need a repository that can store software for all flavours of OS.

We need our repository to have functionality to:

  • be OS and packaging standard independant
  • distinguish between production and non-production packages
  • retain meta data about each package:
      • when was it created and by whom
      • what level of testing it has had
      • which environments its used in
      • which hosts it exists on
  • be immutable so you know it's not been tampered with
  • restrict who can add or remove packages

Configuration management tools can make a big difference in release orchestration. Releases often comprise of many steps that need to be performed in a certain order over a number of different hosts. Software deployment is usually an essential part but there are frequently many other steps involved (ie process stop/start, database updates, batch scheduler changes etc).

There is however the temptation to mix up what is being released with how it is being released. The release runbook (sometimes called recipe or playbook) should contain all the steps involved and their dependancies. If, in the runbook, we start to include what is actually changing (ie versions of packages to install or remove) then it would need modifying for each release performed and needs to be tested, just like code. To lessen the testing burden it seems logical to separate what is being released from how it gets released. But what tools do we need to do this?

Using a configuration manager to quickly set the standard OS build and to orchestrate a release saves a lot of time and money and gives welcome consistency. But if your application is part of a larger business where resources are shared and is going to be changing frequently, a configuration manager has fundamental gaps. We need something more.

Logical or pseudo containers

Vamos Deploy has the functionality to encapsulate the components of an application with all its dependancies, libraries, binaries and configuration files so they can be deployed as one to any number of local Vamos repositories irrespective of the underlying OS. We call this grouping a Vamos Grid.

Deploying your applications via Vamos Deploy:

  • frees you from relying on software that is installed as part of the underlying OS. This saves you from the conflicts that causes;
  • enables multiple instances of the same application can be running on the same kernel that can be independantly re-configured or updated;
  • enables many instances of different applications to happily and easily co-exist on the same host with different configurations;
  • enables applications to be promoted once they pass different stages of testing. This test-promote lifecycle keeps non-production quality code well away from the production domain;
  • brings the benefit of a full application lifecycle. The detection and removal, from local repositories, of application packages that are no longer used is running from day 1;
  • allows you to update your development environment with exact copies of software used in production in a single command. You can even look back at a fixed point in time and replicate how production looked;
  • avoids duplication due to the Vamos Grids sharing the underlying application software and libraries in the local repositories.

Vamos Deploy's promise is to distribute all the software components and configuration to the local Vamos repository on each host or client that you have told it to. This can be initiated from a configuration management tool as part of release orchestration. Vamos Deploy is responsible for what is being released and the configuration manager is responsible for how it gets released.

With Vamos Deploy you don't need to learn YAML, Ruby or Python. There is a simple Vamos CLI, which can be called from any configuration manager or embedded in any self-service environment manager. There is no need for lengthy training sessions on cutting-edge technologies and radically changing your deployment methodology.

Vamos Deploy is a down-to-Earth tool that takes the headaches out of managing the lifecycle of an application and it's deployments.

If you think that this product could help you then let me know. Or, if you have questions, don't hestitate to ask.