Published on January 25, 2016

Author: Univention


4. What is our goal?
- Allow IT technologies to be combined in an easy manner
- Openness
- Freedom of choice
- Competition & innovation
- Good solutions
- Clients can have control over their IT infrastructure
(Slide footer: be open. BUILD SUCCESS, Univention Summit)

7. Common features of UCS
- Management of (heterogeneous) IT infrastructure
- Single point of administration
- UCS on-premises, in the cloud and hybrid
- UCS as member or replacement of an existing Microsoft domain

8. How UCS helps ISVs and CSPs
(Diagram: Independent Software Vendors, Cloud Service Providers and UCS)

9. UCS as platform for 3rd party software
- Think of UCS as Android for servers
- Management via App Center & simple installation
- Integration into existing (hybrid) IT infrastructure
- Integration into the UCS web interface
- Ecosystem of different solutions
- Reporting tools for billing

11. Current challenges
- Continuously growing number of UCS systems
- Continuously growing number of apps (currently ca. 70)
- An app has full access to the UCS system
- Possible conflicts in software dependencies + ports
- More apps -> increasing update complexity
- An app needs to be supplied as a Debian package
- Solution: containerization (via Docker)

14. Analogy to the transport system
- Standardized containers
- Decoupling of transport & content

15. Software container
- Standardization of the software environment
- Correct execution can be assured
- The software developer is in charge of the inside
- The operator of the infrastructure is in charge of the handling
- The Linux kernel allows clean sandboxing: control groups + namespaces + capabilities = containers
- Low overhead: the container process runs natively in the host kernel

16. Control Groups (cgroups)
- Group processes in a hierarchical manner
- Can limit usage of memory, CPU, network and disk I/O
- Processes can be assigned to cgroups

18. Capabilities
- Allow fine-grained control of the rights of the user root
- Like setuid, but much more detailed
- Can be set individually for different processes

20. Docker
- Offers tools for efficient usage of the Linux kernel container technology (which has existed since kernel 2.6.29)
- Abstracts many details (handling of network, namespaces, cgroups, mounting etc.)
- A Docker container starts as a single command
- The container is not booted (/sbin/init needs to be called manually)
- Software dependencies are stored on separate read-only images
- Containers can share images
- Only the first layer is writable (copy-on-write)

21. Container life cycle
(Diagram: download from repository, build process, import from archive file, command execution, commit, restart, stopped state, delete)

26. How to update?
- Solution for existing Debian-packaged UCS apps:
  - Run the Debian update routines within the container
  - Migration logic is contained in the Debian maintainer scripts
  - Works out of the box :-)
  - The container grows (and saturates) in size :-/
- Solution for native containers:
  - Discard the container and get an updated one
  - Extensible migration logic to persist configuration + data via dedicated scripts (storedata, restoredata*)

27. How to persist data?
- User data:
  - Via the dedicated mount point /var/lib/univention-appcenter
  - The mount point exists on the host + in the container
  - Migration scripts can store data therein
- Configuration data:
  - Univention Config Registry (UCR) covers many aspects and can easily be migrated
  - Migration scripts take UCR + join status (among others) into account
  - Additional logic via app-specific migration scripts
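The "discard the container and get an updated one" flow from slides 26 and 27, as an added example that is not Univention's App Center code: a POSIX shell function keeps the app's data on the host mount point /var/lib/univention-appcenter, runs a storedata hook in the old container, replaces the container with the updated image, and runs restoredata in the new one. The hook location /usr/share/app/<hook>, the per-app data directory layout and the image tag are assumptions.

```shell
#!/bin/sh
# Added example (not App Center code): "discard and replace" update for a
# container app. User data lives on the host under /var/lib/univention-appcenter
# (slide 27) so it survives when the container is discarded (slide 26).
# Hook paths and the data directory layout are assumptions.
set -eu

APPCENTER_DATA="${APPCENTER_DATA:-/var/lib/univention-appcenter}"

# Host-side directory that is bind-mounted at the same path in the container.
app_data_dir() {
    printf '%s/apps/%s/data\n' "$APPCENTER_DATA" "$1"
}

# Run a migration hook inside a container if the image ships one; a missing
# hook is not an error, because not every app needs custom migration logic.
run_hook() {
    container="$1"; hook="$2"
    docker exec "$container" sh -c \
        "[ -x /usr/share/app/$hook ] && /usr/share/app/$hook || true"
}

# update_app <appid> <new image>
#  1. storedata in the old container (config + data go to the mount point)
#  2. stop and remove the old container (its writable layer is discarded)
#  3. start the updated image with the same mount point
#  4. restoredata in the new container
update_app() {
    appid="$1"; image="$2"
    data_dir="$(app_data_dir "$appid")"
    mkdir -p "$data_dir"

    run_hook "$appid" storedata
    docker stop "$appid"
    docker rm "$appid"
    docker run -d --name "$appid" -v "$data_dir:$data_dir" "$image"
    run_hook "$appid" restoredata
}
```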

28. How to access apps?
- The container runs on a host-only network (-> access from outside is not possible)
- The app joins the domain as a member server
- A reverse proxy allows transparent web access
- Further ports can be configured to be re-routed
- Online configuration (of specified UCR variables) is possible via the Univention App Center interface
- Shortcut to execute commands within the app container: univention-app shell <appid> <command>

29. What else...?
- Ongoing research project together with the German Research Center for Artificial Intelligence (DFKI)
- Theoretical considerations w.r.t. access/information flow control
- Integration of SELinux
- UCS available as a Docker container itself...

33. Run a UCS container
    docker pull univention/ucs-generic-amd64
    docker run -d --name dockertestcontainer --hostname=dockertest \
        -e domainname=testdomain.local -e nameserver1= -e rootpwd=univention \
        -p 8015:80 univention/ucs-generic-amd64 /sbin/init
    docker exec -it dockertestcontainer /bin/bash
- See also wiki.univention.com/Docker
- Note: the App Center pulls from docker.software-univention.de
34.
- First containerized apps are in the pipeline...
- Support (native) containers (e.g., from Docker Hub) on UCS
- Publish UCS apps automatically at Docker Hub and at Amazon, Azure, Google, in addition to downloadable images (KVM, VirtualBox, VMware, Hyper-V)
- Support multiple containers per app
- Migrate existing apps into containers
- Further refine conventions for container apps
- Join in, take advantage of a versatile & open platform :-)
