How to deploy the infrastructure for Pivotal CF, or Puff Pie Recipe in pictures

A year ago, the task came to the center of competence in IT management and monitoring systems: deploy the Pivotal Cloud Foundry product (which is, in fact, the reference model of the PaaS model). In a nutshell, Pivotal Cloud Foundry (PCF) is a complete commercial solution for businesses that:

• need a platform running in a hybrid or multi-cloud environment;
• want to move from using monolithic architectures to cloud schemes;
• want to launch next-generation digital services from day one;
• are already using Java or Spring to deploy microservices.

In this article, I do not seek to advertise a vendor product or once again “explain for microservices.” My main goal is to share the experience of deploying the infrastructure for the cloud PCF platform in a non-standard configuration of this kind of solution. This configuration came during the task of creating an environment for project developers, who, without false modesty, were called “Digital Transformation”.

Pivotal just “cook”

From the "business" was set a global task: to build products using microservice architecture. VMware virtual infrastructure was chosen as IaaS; as PaaS, the Pivotal Cloud Foundry platform.

The choice of PCF was supported by the possibility of providing users (in a sense, developers) with a ready-made set of various programming environments, databases and services for creating applications of any scale without being tied to a specific hypervisor. This flexibility allowed us to concentrate on building the business logic of applications and minimally refer to low-level IaaS-level functions.

A bit of history

VMware, the largest developer of virtualization software, was one of the founders of the open source Cloud Foundry hybrid cloud platform under the Apache 2.0 license, which is being developed to improve the quality of continuous integration processes and continuous delivery (CI / CD) software. In 2014, the Cloud Foundry Foundation (CFF) non-profit foundation was created under the auspices of the non-profit organization Linux Foundation, which allowed us to create a neutral platform for joint development, management and promotion of the project. In 2015, the CFF community decided to certify systems based on the Cloud Foundry open source project. The certification program was designed to ensure the portability of PaaS solutions between various cloud services and systems hosted on enterprise sites (on-premise). Currently, CFF includes more than sixty organizations that are leaders in the global telecommunications and engineering systems market: Cisco, Dell EMC, Hewlett Packard Enterprise, IBM, Pivotal, SAP, VMware, Intel, and many others.

Pivotal Software, Inc. (Pivotal) - Separated from 2013, a division of EMC Corporation and VMware - has combined a wide range of innovative developments to create the Pivotal Cloud Foundry product (based on open source code), which includes the usual configuration, management and monitoring applications, turnkey .

The most important "ingredient"

The cornerstone of the Cloud Foundry philosophy is the term “microservice architecture” (microservice architecture).

A microservice architecture is a way of representing a single application as a set of small services, each of which runs in its own process and communicates with the others using lightweight mechanisms (usually HTTP). This term is easiest to illustrate with a comparison with a “monolith” (monolithic architecture) - an application built as a whole.

Traditional monolithic architecture is not suitable for a modern cloud: modules within a monolith cannot be scaled separately, and a change in the logic of one tends to influence the code of others. In the microservice architecture, on the contrary, the modules can be written in different programming languages, quickly deployed and easily scaled, which together increases the availability factor of the application.

As part of the development of the microservice Cloud Foundry architecture, two main areas can be distinguished:

• The core of the cloud is BOSH , an open source toolkit for deploying and managing distributed systems that supports a variety of platforms: AWS, Azure, OpenStack, vSphere, vCloud, and the Google Compute Platform.
• A number of systems are responsible for the correct execution of the runtime (runtime) of the applications: life cycle management (Cloud Controller), performance management (Diego), user authentication and authorization (UAA), messaging (NATS), technical condition and health monitoring (Health Manager ) and etc.

Despite the fact that the list of microservices included in the release of the Cloud Foundry platform is huge, this release lays the minimum foundation necessary for deploying and running so-called “container” applications (application containers) in the cloud.

Container applications are the next isolation level at which an application contains all the components it needs and works regardless of the operating system. Container application virtualization provides better performance, scalability, density, dynamic resource management, and ease of administration compared to alternative solutions.

At this introductory microservice ends, and I proceed to the most interesting - the description of the infrastructure.

For the "preparation" we need ...

After analyzing the system requirements of the PCF platform for the VMware cluster, a number of prerequisites were formed:

• Required read / write permissions for the datacenter level as per vSphere Inventory Hierarchy ;
• Access to vCenter over HTTPS is required;
• Access to ESXi via TCP is required to ports: 443, 902, 903;
• When you enable the vSphere DRS (Distributed Resource Scheduler) option, the automation level must be set to Partially automated or Fully automated.

Already on the basis of these requirements, it became obvious that to deploy PCF, it was necessary to have an isolated vCenter and, as a result, isolated ESXi hosts. To implement such a segment (read, save on hardware), I had the idea to use the concept of nested virtualization.

No sooner said than done! To execute this, to put it mildly, nontraditional IaaS model, I needed a piece of our public cloud, Technoserv Cloud , which is implemented in two virtualization environments: VMware and OpenStack. The vCloud Director product serves as the control panel for the VMware environment.

Immediately make a reservation: in practice, such solutions do not go to Prod, but as a Test or Dev stand will fit. Further in the text I will try to talk about the architecture, key features and advantages of the installation (or disadvantages, how it goes).

The same "layer cake"

So, a virtual data center (VDC) TS-CloudDev with the following characteristics was created in the TS-Cloud cloud:

• Memory Quota: 750 GB
• vCPU speed: 2.60 GHz
• Quota CPU: 314.60 GHz
• Disk Quota: 3474 GB
• VM Quota: 100
• Network Quota: 10

For the target cluster, using Edge Gateway, 4 internal subnets are created:

1. 10.0.10.0/24 - as management of a network of Nested ESXi hosts.
2. 10.0.11.0/24 - as a vMotion network for migrating virtual machines deployed on Nested ESXi hosts.
3. 192.168.63.192/26 - as a network for integration with the internal network.
4. 10.10.0.0/16 - as a PCF deployment network.

Subnet 10.0.150.0/24 is external to the VDC.

It is worth noting that the presence of the Edge Gateway component is one of the key advantages of using the vCloud environment. This is a virtual VDC-network router that can be configured to provide network services: DHCP, NAT, firewall, static routing, VPN and load balancing.

As for the hardware configuration, in addition to 4 identical ESXi hosts and 1 vCenter server, another virtual machine was created, acting as an iSCSI initiator to provide storage.

View from below:

Type "ex machina":

View from above":

... And a week later the place on the first hundred ended, therefore the second storage was operatively connected.

Hostess note

During the deployment process, I inevitably ran into constraints that need to be taken into account when preparing the infrastructure:

• Edge Gateway Virtual Router can support up to 10 interfaces (see above Network Quota). The interface can be classified as an uplink when connected to an external network and as an internal interface when connected to a VDC network. When creating an Edge Gateway, you must specify at least one uplink. The internal interface is added automatically when creating a routed VDC network.

• The total size of the storage allocated for the VDC is considered regardless of the selected model (Allocation Model) according to the formula :

  
  

  Allocated to virtual machines + Total Memory Allocated to virtual machines + Memory Storage used to

  Thus, the total amount of storage includes memory allocated to virtual machines. In our configuration, 750 GB of RAM is allocated, 2 GB as internal storage for each ESXi, 100 GB as internal storage for vCenter, 16 GB as internal storage for storage1 virtual machine. That is, a total of 750 + 2 * 4 + 100 + 16 + 2600 = 3474 GB will be allocated for VDC (see above Disk Quota).

  
  
• There is a need to enable Promiscuous Mode outside the VDC. This is a mandatory VMware nesting requirement, which is explained as follows:
  Both VSS (vSphere Standard Switch) and VDS (vSphere Distributed Switch) do not implement MAC Learning, unlike traditional network switches, because the vSphere platform already knows which MAC addresses are assigned to a particular virtual machine. This means that the virtual switch will forward network packets to the virtual machine only if the destination MAC address matches the ESXi vmnic MAC address (pNIC). In a nested virtualization environment, the destination MAC address of network packets destined for these virtual machines will be different from the Nested ESXi vmnic MAC address. Because of this, the virtual switch of the physical ESXi server drops the packet if Promiscuous mode is not enabled.
• File storage (originally used by NFS) does not provide the disk subsystem performance required for normal operation of the platform; block storage is recommended (that's where iSCSI came from).

Conclusion

In conclusion, I would like to note that the use of nested virtualization for Dev booth turned out to be one of the main advantages, since it allowed at the same time:

• create an ecosystem with isolated data streams;
• do not violate the integrity of the infrastructure;
• save developers from scaling problems;
• provide full control over the child's virtual environment.