Okay. Microphone open. Hello, hello. Perfect. Fine. So, a very warm welcome from us. We are from T-Systems. My name is Bernd Rieder-Lechner. I am the lead architect for cloud integration at T-Systems, and I have Boris with me. Boris, introduce yourself.

So my name is Boris Volkman. I work as a senior multi-cloud architect together with Bernd at Global Systems Integration, where we help our customers to onboard the cloud platforms of T-Systems International, Deutsche Telekom. And I've done a very interesting project over the summer where we migrated, or even modernized, a public broadcast company in Germany who's got a TV channel, radio channels and a lot of things online, and moved those things to the cloud. And from this we derived the show today, which is about continuous delivery to Open Telekom Cloud.

And we are so proud to present two things today. We are so proud to present our public cloud offering, our German public cloud offering, the Open Telekom Cloud, on the one side, and on the other side what you really can do with the things, because what helps a platform where nothing runs on? And this is exactly our mission at Systems Integration. T-Systems is very well known to have this house of clouds, where we have a lot and a bunch of things that you can have from us. You can have from us VMware things for a long time. We are already doing cloud integration, cloud migrations for about ten years, and we started with VMware things. But meanwhile we have all these nice little things like Salesforce as a software service. We have Microsoft as a partner. We have Azure installations at our computer data centers in Biere. And if you think of the T-Systems house of clouds as the preferred holidays, you want to go to the Caribbean, then you need something like a plane to get there, and our goal is to be the plane to get there. And, let's say, the types of planes you can have could be very different.
There is a very, very slow plane, an easy plane: they just take the application and make it run in the same way as it did before on premise in the cloud. This is something we've already done for ten years now, and it's a very well-known thing how you can do it, even for whole landscapes, and I will address later what it means to look at whole landscapes. And then you can go up to the Concorde, which means to build the whole new nice little cloud-native microservice hot applications on OTC. We know how to do each of these things, and especially we know how to do these for whole landscapes. And part of our mission is not to end up with even more complicated environments at the end, but doing the things in a way that the customers really have benefit from it. They should not end up with more complexity than they had before. So this is the mission.

And the Open Telekom Cloud, as our core OpenStack product, is becoming more and more the center of the strategy of T-Systems. So even though we have all these other cloud offerings around, the view of T-Systems becomes more and more that you should go to this highly industrialized OpenStack with the main part of your infrastructure. And we have it in more private flavors, and we have it in more public flavors, and we have it as a classical public cloud in the beginning, but you can then take all these other things around that we have in T-Systems to get the whole picture. We'll see later on what this means.

You will see this live later on, but this is the main page, the starting page of our Open Telekom Cloud. This is where you end up if you log in the first time, and it shows perfectly well what the offering consists of. You'll of course find all the classical things, maybe not named Neutron or Nova or whatever, but it's really what you expect from an OpenStack cloud. You have compute, you have networks, you have volumes, you have object storage, which is a nice one.
It's an S3 object storage, compatible and even handled in the same way as it is on EC2, on the Amazon web cloud. What we also have is then some infrastructure-near platform services, as others call it. You have load balancers. You have domain name services. You have VPN connections in two flavors, because we are Deutsche Telekom. You know how to make networks. We know how to connect the world. So what we have is, you can have on-demand IPsec VPNs to your on-premise landscapes, if you want to, on a click. But what you can also have is fixed lines, MPLS switch connections, high speed if you want to, and you can click it here and the process of the provisioning starts. What do you think, Amazon offers something like this, Direct Connect? They try to offer the same way, but of course they need partners for this. And if you take it from us, you get it from Deutsche Telekom, you get everything from one hand. No partners between. No shifting around who is the one who doesn't provide the network. No finger pointing. We are T, count on me.

What we also have is some basic platform services that go beyond infrastructure, and two things we are very proud of.
We have integrated the cloud engine, the container engine, sorry, the Cloud Container Engine, so we have containers on the platform, you can use them. We have Relational Database Service. And, very new, you can also have workspaces, which means these Citrix things that you may have already seen, your desktop in the cloud.

But as I mentioned before, there has to be somebody who helps the people to get there. And when Open Telekom started, we thought about what is needed to help the people to get there, and we thought it starts with overcoming the initial barriers. So we are there if you want to do something on your own and you don't know why it doesn't work on OTC. And usually, on short notice, we look at it and give you a hint why the OpenStack call does not work as expected on this platform, and help you with whatever is needed to get your OpenStack application running. On the business side, you have usually also the need to explain to the customers why is it cheaper, or why does it cost the way it costs?
So you have to help them to compute the costs, and maybe even to show them how to use the cost calculator we have. You have online cost calculation, so on the website you can try out what the infrastructure that you plan to use really costs. And then it goes all the way, as we've shown before, from simple migration techniques to very, very elaborate modernization strategies, ending up even in hybrid cloud models that I'm not completely convinced of. I think you can have hybrids, but you should keep the number of clouds as small as possible.

What we also have is, we have a structured way to handle whole landscapes, and we have this, usually, two-step, two-level approach that we are doing if we are coming to a customer and he says, I have one thousand applications and I want to have them in the cloud. And what we don't do is, we don't pick the cloud-native ones and say, oh fine, we're cloud native and we have past the cloud, it's all cool, it's all fine. What we say is, everything goes to cloud, and level one is shifting the things all as they are to the cloud, and level two is teaching the people how to iteratively and incrementally modernize the things. And because shifting the things as they are to the cloud is a boring job, we decided to industrialize the things. We've done this for ten years, and we've seen a lot of projects where each and every project within the landscape, so each and every application in the landscape, decided a different way to migrate. We said this cannot be the way. What we have is, we have bound... The first people are leaving, we have to hurry up for the live demo.

Okay, about cloud native apps. And then go to the organization. Of course. Next slide. Next slide is your slide. Yeah.
Yeah, okay. What we do is then, if we modernize, we look at the different concerns that people have and make packages, and solve this concern on all the applications that have this concern. Typically you maybe have poor availability, and then we have architecture patterns where we discuss with the customer the general solutions, and these blueprints contain all the general cloud mechanisms you have to use. This could go as far as software as a service, where you say, okay, why not migrate away from the things that you've built with the customer database to a modern CRM system like Salesforce? And one of the typical broader problems, and the customer asked us: I have seasonal bursts. Boris can explain. The seasonal bursts are very, very nice because they're very, very understandable, what they have for the problem. And we gave them the blueprint how to burst out to the public. And now we show how we deliver to burst out to the public. Thank you.

Okay, now I will tell you some things about what we've done in this real-life customer project. We've done a lot of work on ephemeral servers, so servers that just live for a very short amount of time. We've built an image bakery using Ansible and Jenkins, and I will show you in the live demo doing rolling updates on the Open Telekom Cloud.

So a little bit about pets versus cattle. Maybe you already heard about this. So these are two different types of servers. So to the left we have this kind, which is a pet to you. It's a long-living server. You really care for it. It's like your pet at home.
You have a cat, you have a dog, but of course you don't have 10 or 20 pets. So that's the same with your pet servers. You cannot really afford to manage all of them manually. But there are some important systems that you really care for, and if they're ill, you call the doctor and replace the hardware. So I think this model also fits to the legacy IT world a little bit, like the Samurai, for example, we saw yesterday.

If you look at our new systems, the only pet that's left over is our Ansible server, because we care a lot about this master server where we do all the deployments from. Boris will show why the server is important. But this is our only pet. All other servers, all other applications are just cattle.

Yes, so this is your new type of server: cattle. One is like the other. If one cow is ill, sorry, we have to kill it. It's even simpler: we just create some new servers. That's why we call them cattle. And everything is automated in this world, and this is more the agile, linear approach for creating servers.

And really keep it this way. We don't go to the server and patch something there. It is killed and it is built again if it is necessary. We are always building from scratch, which makes life a lot easier.

Okay, so let's look at OTC. How do we handle images, server images?
If you can see here, to the left we have a bunch of public images that we offer. Of course, we have more than this. If you create a server, you say, okay, I want to have this base image, then it's copied to the system disk and your server is started. But then you have the possibility to create on this server something really new. You can make your custom image and save this as a private image, and you get this for free. So we don't charge you for storing private images in your OTC tenant. Then afterwards you can use any image you want from your private images to create a new server. If you have created your image somewhere on your desktop PC, that's also possible. You can just upload it using the object store to the private images. And we have a new feature that is called shared images, which you can use to share images between hundreds of tenants if you like.

So how does the image bakery work, and how do we work with ephemeral servers? So we start with the base image, and then in our staging and testing environment we create our first server. Let's say this is version zero, because it is just based on the base image. So for example, it's the plain CentOS 7.2 that is available on the OTC. Then we log in to this server using Ansible, which is just using secure shell. Then we are installing things, changing configurations, synchronizing files to the machines, and then we have version one ready. So we can save it as a private image to the image management, and then later we can put this into production. And this is really a new server. It's not the same server that is in the staging and testing environment. Then of course it is possible to dispose of the server that we used for creating the image. It is no longer necessary to have it. And on the production side we can now, of course, have multiple servers of this kind. And then the process just starts again. We use now the custom image version one for the staging and testing system. We upgrade it to version two with our custom code.
What do we want to change then? We have this new image, and then the rolling update takes place, especially if it's an auto scaling group behind the elastic load balancer. So the idea is that we have the old and the new version running simultaneously. We try to show this later. Then we switch off the old version, and as the load balancer can handle this case, it doesn't interrupt any internet connection to the systems. And so on, same with version three. That's how it works: image bakery or image factory, ephemeral servers. So let's see what I've built for you today.

One remark on the last slide. Just be aware, we do nothing on local systems. We do nothing on local laptops. We do everything in our cloud. Do you do? We are really building the images on the tenant itself, and it gives us a lot more power and a lot more degrees of automation than you can have on your local laptop.

Yeah, so I just stepped back so that you can hear me talking to the microphone. It's better in this direction. So here you can see what I've built today for you on OTC, and even a little bit more, and it reflects a little bit the setup that we had for our customer. It's a simplified version, but it's enough for today. So what you see here is the typical end user that uses the web application. He or she can use HTTP or HTTPS to access the OTC. So this block I call the OTC DMZ, because here we have the elastic IPs that are accessible from the internet. So where do you connect to when you try to access the web page? In fact, you're connected to the elastic load balancer, and the elastic load balancer is capable of doing the SSL termination. So at this point HTTPS has ended, so we can work internally just with HTTP. Here we have a VPC. It's called the production VPC. You can see the CIDR that was used. And virtual private cloud, a VPC, if you think about Neutron, it's like a router, you see it here, and it's a network. Is it just one network?
Yes, it is, but we create subnetworks here. So the gray floors are subnetworks that are running in different availability zones.

Maybe for the hardcore OpenStack specialists: you know, in the public cloud setup you have a little bit of a problem that you have to mess around with public IP addresses and private IP addresses on a large scale. This is why the network model on our OTC is a little bit diminished compared to what really could be done in an OpenStack environment. We have this VPC concept, which is also available in Amazon, and you have a VPC, and everybody who belongs to the VPC can have then one router in the middle, subnets behind, and public IPs, and the router simply maps between the public IPs and the subnet IPs, and nothing much more.

Yes, so the VPC, the router. We have also the security group, which is basically a set of firewall rules, so we can explicitly deny or allow traffic. So what does the elastic load balancer do? In fact, it load balances to all those instances. In this case it's a simple Apache, and these servers here, they are in an auto scaling group. This is this one here. We have a number of two instances as a minimum, and then the rest, for example, can be dynamically scaled up and down depending on certain auto scaling policies. Let's say CPU load is too high, then we add another instance. Why do we have at least a minimum of two? Because we want to have the whole solution totally highly available. So the ELB is already highly available. This is a system that in fact runs on both availability zones, and this system keeps on running even if one availability zone is totally unavailable. So in this case the ELB will just use the servers running in one of the other availability zones.

Okay, so how does it work, building the images? Here you see a typical workplace.
This would be the DevOps team that is staging the images. So what can we do? Of course we can use the web front end to access the OTC console. In fact, this web UI more or less just does OpenStack calls and then handles everything, manages everything in the OTC. You have also the possibility, using your browser, to connect to the remote console of your virtual servers here. It's also an encrypted connection, so it is not absolutely necessary to use secure shell.

So what did we then do? We have here this VPC for development, and the interesting thing is that we can build exactly the same network scenario as in the production VPC. What we do first is that we deploy a jump host here. This is the only machine that is accessible from the internet. It has an elastic IP, so we can connect to it using secure shell, and from this jump host we are creating the servers. And we just need one, because it is a staging system just for creating the image. What we do here: we install Ansible on it, so you can work directly here on the command line, spawning all your servers here. You can also, of course, call the OpenStack API to create those virtual instances. And what we've done especially in this project is that we use the CI server Jenkins running at the customer side, as well as a Git repository for infrastructure as code. And what we do is that the Ansible master, we call it an Ansible master...

I'm so keen to see the Jenkins now, so please. Okay.

Okay, let's switch to the real thing. So we talked a lot, but this is the real stuff. Yeah, okay. So we already logged in to the OTC console. We can switch to the view. We can see the virtual private clouds.

Looks very different to standard OpenStack, but it's done for consumers, and analysts told us it's a real fine thing to do it this way. You find the things if you know OpenStack, but you have to be aware that it's not always there where you think it is.

So what we currently see here is the BF production VPC, which is used for production.
You can see the router here. We have the two different subnets running in these two different availability zones. And then we can already see some machines here and here. So I have created two auto scaling groups to show different things if time allows us, and currently we have two machines in each auto scaler, which we'll see later. Then we can also have a look at the development VPC. This is this one. I have a test machine here. This is the staging server for the image, for the Apache image, and this is the existing jump host.

And the jump host, of course, is also an image. So even if you really kill our beloved pet, we still have a clone of it.

Yeah, so the first step would be to show you how easy it is to create a new jump host and install Ansible on it, so that we can use it as the Ansible control machine. So the Ansible guys usually call it a control machine. We call it the Ansible master. And then we'll try to show you how it can be very easily integrated to the Jenkins master as a slave machine. Okay, we go. So here you can create your Elastic Cloud Server.

We could also set up some SAP with some clicks, but don't have time now. Maybe do it later. Of course you can do it also by API, and we do it usually also by API, but for presentation it's a little bit more visible if you see all the parameters in the UI.

So let's create a second jump host. Of course, you already have one, but we can have another one. Usually, for a lot of machines, for the staging instances and for the jump host, the smallest possible instance with one virtual CPU and one gigabyte of RAM is absolutely sufficient, and a server like this just costs around six euros if you have it the whole month running. And for our staging systems,
It isn't even necessary.

By the way, you can also have Windows, but then usually you get also a license with it, and for the compute machines, for this compute one and compute two, it approximately doubles the price that you have per hour. It's an expensive hobby to have Windows as your operating system, it looks like, at least in the public cloud.

So I think we're already finished. Create the server. Looks good. Okay. By the way, I'm just connected using my mobile phone, because we have to use a very secure virtual private network software here and it didn't work with the network here. So as you can see, it is already creating the server for us.

And Boris injected already all the scripts that are needed to build the Ansible master. So as soon as the machine starts now, and we may see this in the console, then it even recompiles the Ansible things, because the bad thing is that Ansible does not have the most current distribution distributed by RPM packages or APT packages, so you have to recompile it if you really want to have all the OpenStack things in. And it does even, on boot, the recompiling installation. It even installs a small Squid proxy, which is useful for certain scenarios where you don't have a public IP. And it's really our Swiss army knife, you know. So we use it for all kinds of continuous integration and continuous deployment, especially because it is idempotent. Idempotent means, if the script run breaks, you can restart it at the point where it breaks and it repeats all the steps before in a transparent way and without breaking anything, which is really different than having pure scripts. So I can only recommend to use something like Ansible, maybe Puppet, Chef. We have to use Ansible because Ansible is purely based on SSH and does not need an agent. An agent is a problem for systems of Deutsche Telekom, because if you're making a security audit,
usually the first thing that the people say is, you install an agent on this image. This means you have another point where somebody can break into your system, so you have to explain exactly what to do there. If you use Ansible, we say, okay, we are using exactly the access you need to administer the machine, so why do you bother about my complete way to do automation? Yeah, and we are done with the security things.

So the server has been created, so maybe we can continue. So this is the elastic IP that we need for integrating it to Jenkins. But first we need to run our magic script on the machine. I show you how we do this. So here you have to select the type of your keyboard, of your physical keyboard. So for me it would be German.

These are things you usually don't care about if you roll the thing out the first time. Yeah, the things that come in as soon as you really use the stuff, that you need something to switch over the keyboards.

Goddamn, I think I forgot something. Okay. We did not upload the master script. I think we have to create a new one. Yeah, but I think the people believe that you can. Yeah, just take the master that we have. Yeah, okay.

Last time when I did a presentation on CeBIT, the way we do it now, I showed the console window and the customers came in and said, oh, did you break something?
What's... why does the machine not work or something? I said, it's just the automation console. It's something that you usually see if you administer the system. And you see that a lot of the IT responsibles today are not any more aware that still the very basic console things and the very basic usage things you had in the past are still there, and they even get more important than in the past, because as soon as you rely on APIs, as OpenStack does, the user experience and the user interface is not the first-class citizen in the context anymore. The API is the first-class citizen, and if the API is the first-class citizen, it means you don't see anything which is blinking and nice and something like that. Maybe in a first or second release, maybe later on somebody does a UI on it, but the console, at least for the people who automate, is becoming again the tool of choice.

Okay, I just created another one. So this time I didn't forget to upload the script. In the meantime, we can have a look at the Jenkins to show you some of the jobs. So for example, this would be a job that does the full deployment. We can look at the console output from the last run. So here you can see the Ansible script executing on the jump host, on our Ansible master. From this machine, we have the possibility not only to very easily do a secure shell to the machine that we are currently staging, but we can also run other tools on it, for example for testing the installation of the web server. And this is only possible if you connect to the jump host, because then you have the local access, because the other machines are not exposed to the internet. So what you can see here: we're deleting the old instance, the old volume, the old port. Then a fresh volume is created, a port.
We put some DHCP options in it. Then the server is created, the instance is started. We wait until it comes available, then the image is customized: installing another yum repository, updating the RPMs. What do we have then? Of course, the Apache is installed, some files copied to it, and at the end everything is finished, server up and running, and then we can create the image from this server.

Even the firewall rules. This is an interesting thing, because I've seen so many times the firewall rules running around in some Excel sheets, and somebody does reconfigure the firewall, and then the firewall rules are gone, the rules that were there before, and you have no connections anymore and you have a big incident in your environment. So it is really a security improvement if you have all the things that you need to deploy your system in one place, and even in a version control system, to have it documented and have it repeatable. And you can always say at each conference that this is the benefit, but you really feel the benefit if you do it.

Okay, now everything should work, I guess. So another jump host. Another login. Don't forget to change your password. Oh gosh. No, it's a wrong one. Sorry. Yeah, I think I used the wrong one. The problem is, of course, that we have different line endings here, so we have to use the version with the line feeds at the end.

Let's go to the jump host that we have and show the things that are really important. Okay.

Anyway, we have the images already built, so we can show the update, for example. So currently this web page I prepared for you, if you reload it, you see that we have different local IPs here. So this would be another one. And we can now change it. So how would we do the rolling update? We go to the auto scaling group. I used this one here, and I already prepared the... No, no, we do it. No, okay, the configuration. We've built the image.
We need a configuration. So you can see a list of auto scaling group configurations that are based on different images. So 1.6 was the last image, for which I created a configuration here.

Maybe a short version: auto scaling configuration. What you of course need when you make an auto scaling configuration is, you have to say which image to start and how the server looks like as soon as the auto scaler decides to create a new server. So you give him a full specification of a server that should be started as soon as upscaling is required, and you give him also rules when to downscale and how to downscale. And this is exactly what Boris is now configuring.

So the auto scaler configuration, it's a mix of the image and the flavor. So now we switch to the new...

And the interesting thing is, this is something that you don't have in the OpenStack API, but you can still handle it in the same way as the OpenStack API. So if you have a Keystone login and you created the server with the Keystone login, you can use REST calls with the same Keystone token, which look even the same as they look for OpenStack, but they do the same, like add a server to the load balancer or add a rule to the auto scaler configuration. And this is the way we do all the platform as a service things that we are doing on this platform, by simply extending the APIs where a standard service is not available yet, but doing it so that you can do it really in the same way. And we are working at the moment to encapsulate these things also in proper libraries if necessary. We have already some small tooling, like the OTC... such small OTC tool you can use for it, but for Ansible you need this thing with the idempotency.

So now of course you have to wait for the new instances to come up. So what you can see here:
We have those two instances, the old ones, which are running on the old configuration, which is using the old image version as well, and these are the new instances that are currently created based on the new configuration. How can I find out that's the new one? I changed the background color here. So we have the red color at the moment, which is served from the two instances based on the old image. So how does it work? Of course, we're now adding the new instances, and at the end, when everything is fine, we just remove the old ones. And there are several steps that can be used for doing this. You can just modify the number of expected instances, for example. You could also manually call... Yeah.

So give us the last two slides. So I hope we can give you at least a small flavor of how the things really work on OTC. It's difficult to make in 40 minutes the whole scripting and stuff like that, but if you're interested and you want to have a chat and maybe even want to see the scripts, come to everything. More time, we can play around, we can make even some other things, we can even crash the platform if you want to, no problem. So yeah, come to us. We'll play around. We are downstairs at the booth. Contact us. These are the coordinates you can find us. And get vouchers. We have 250 euro vouchers to try out the platform, at least for the people who have... you're in the area of Europe. You have to... we have things there, so come here or come to the booth and get, yeah, get the vouchers. Thank you. Sorry that we do not have a lot of time left for questions.

Are the new instances... Come here or come to the booth. Okay, perfect. Thank you. But we can try it. Ah, it's working. It's working. So now you see the old image and the new image. They are running both at the same time. We have four machines that answer, and the new ones have this magenta background, and the two old instances,
they are still delivering the red background. Rolling update nearly finished, so we just have to kick out machines. Yes, then it's done.

And you can do it. And really, it's something that's live already out there. We have done it. We have a reference customer, but we are not allowed to give the name. It's a broadcast company, public broadcast in Germany, and they've done it this way, and it has already bothered proof. It's... Yeah. Thank you.