Hi, everybody. Welcome to CF Summit 2017. We're going to talk about BOSH add-ons today. They're pretty awesome. You can be awesome, too. You can do anything if you try hard and believe in yourself. And I think this is going to be pretty interesting for you guys. But let's talk about who we are first.

So this is Josh. He's my esteemed colleague at ECS Team, now part of CGI. He graduated from Case Western Reserve University, computer science degree. He's now a certified Cloud Foundry developer. Yeah. Give it up for Josh. He got a cool sweatshirt today. I did get a cool sweatshirt today. He's a cloud architect at CGI. And he's one of our best cloud architects. He's on a bunch of projects. He's a go-to guy for everything. And actually a really cool guy to hang out with. I don't understand most of his Simpsons and Star Trek references, but I just kind of nod and smile. Besides that, it's pretty cool.

And this is Bridget Archer. She's one of our senior cloud architects as well. She graduated from Regis University in Denver. Go Regis mascot. Go Rangers. All right. She has been doing CF a little bit less than I have. Started in 2015-ish. But she is an excellent developer and architect. And we are happy to have her on every project we have her on. And so are her clients. So let's get started with the actual contents.

Yeah. Let's talk about BOSH. So BOSH, I'm sure many of you here have used BOSH. It's kind of an abstraction layer to manage all your VMs. So, you know, when you have a Cloud Foundry install, you're going to have 37-some VMs. BOSH is going to manage all that for you. So it's going to handle the deployment of it. It's going to handle upgrades to your platform, upgrades to the VMs. And it's all done through YAML files. You have all these configuration files to manage getting your VMs deployed. If you need to upgrade, you just modify the file, do a BOSH deployment. It's kind of, it works, it's cloud agnostic.
So it's going to work across all the different platforms. So no matter what you're on, you can use BOSH and it will get everything working for you.

So how many of you were at the BOSH class yesterday that ECS provided? Excellent. So you guys learned, and those of you that know BOSH know, that BOSH has stemcells, releases and deployments. What if you have a release that you want to use, but maybe it's not quite sufficient? What are you going to do? Or a stemcell doesn't have what you need? I mean, you could modify the stemcell or the deployment, but maybe you don't run that deployment. So now you're maintaining a fork. And that's bad. Because what if there are CVEs that come in? What if you find, what if upstream bugs are found? Now you have to merge it and all that stuff. You could just manually add it to the VM. But VMs die. VMs are cattle in BOSH and Cloud Foundry world. They're meant to die. They're meant to be recreated. So anything that you do to that VM could be gone in 10 minutes. Depends on some people's security requirements. It may intentionally be gone in 10 minutes and intentionally recreated. Some people don't get that. That's also bad. So let's move on.

So add-ons. They are global to your BOSH director. Any deployments that you have can have a set of add-ons that you specify. They are still YAML. Sorry. It's a lot of YAML. You create a runtime config file. How many of you have used BOSH 2, the cloud config? Same basic concept. You create an idempotent file. So if you get the runtime config, if you want to modify it, you need to get what you have first, then modify it, then put it back. Because if you just make a new one, it's not additive. It will erase what you have up there already. Then you redeploy. And you can do filters. You can say I only want to apply this set on to VMs that have, for example, a Postgres job or that are running Nginx or that are running on a specific stemcell. So you can have just this Ubuntu one or just Windows.
You can also do the exact same thing in the opposite direction and exclude very simple things. And that's very new. I believe that is in version 260 of BOSH and I think we're on 262 right now. So the excludes are very, very new.

So what are the kind of the common add-ons you're going to want to do for a BOSH add-on? If you want to put anti-virus software, if you want a monitoring software across all your VMs or all your Linux boxes, you can go ahead and do that. Some of the common ones for security. IPsec. You want that to be applied across everything. You just create the BOSH add-on and deploy it across your VMs. If you have an automated user that needs to have access to a bunch of VMs, you can set up SSH access for that one user to get into all your VMs. Actually, that's one of the ones we're going to show today. Certain compliance requirements. You know, maybe you need to have an SSH banner every time someone logs into your machine. You set that up in the YAML configuration file and deploy it and it'll be on all your VMs. Other common stuff like networking, all done through the BOSH add-ons. Really anything you can do through the Linux kernel, anything that you could do as a BOSH job, which we're going to see, you can do as an add-on.

Because it's demo time. Let's pull up our... Let's make this nice and big. We have a little Amazon Concourse deployment stood up because we don't have time to deploy add-ons to 30-some-odd VMs. We've got a little Concourse deployment with three VMs. But let's go look at our runtime compile, our runtime config file, excuse me. And you can see. You say, here are the releases I want to do. Here is each add-on. It's a job. We can specify exclude rules or include rules. We're doing include rules here. So for example, we're going to add this web user to a file or to a VM that is running the ATC Concourse job, which is their web front-end. Same thing.
We're going to add a different user to the DB server and we're going to add a third user to the workers.

So let's go ahead and log in. We are using the new version of the BOSH CLI. And I just realized that I don't think we uploaded that os-conf release. So let's do that real quick. Let's do this. Goodness. I'm too tall for this. So we have the release there. Now we need to upload this runtime config. One thing you'll notice between the V1... How many of you use the V2 version of the BOSH CLI? Your dash key has been getting a workout, hasn't it? Do you use spaces instead of dashes? Learn something new every day. Yes, that is exactly what I meant. Thank you.

Okay. We have now uploaded this runtime config. We've updated it. Our deployments are now out of sync. Just like if you updated your cloud config. So now we need to redeploy. Okay. As you can see, this is all the stuff from our add-on config. So we're going to go ahead and deploy. This only takes a minute or two because we only have three VMs. And you'll see after the fact that we'll be able to go ahead and SSH to these... We'll be able to go ahead and SSH to these VMs without using bosh ssh. We'll be able to use just the standard SSH command. And you'll see that here. And you'll see that because we had those include rules on the SSH keys, that we'll be able to log into one VM with one key but not the others. Did we have include rules for the SSH banner? No. That should be on everything. Hopefully we'll see that in everyone. Yes. This is not the first time we've done it. But you know, the demo gods are fickle. And I'm really glad that Amazon's not having an outage today.

All right. So let's try SSH... Oh, we should get the IP addresses on the VMs first. Okay. I created a private key for each one. There you go. We see our banner. We are able to log directly in. And these SSH users have sudo access. This is great if you need to be able to install, for example, a compliance agent.
Nessus, if you're doing PCI scanning, that sort of thing. So... But now let's try logging in with the same key to a different VM. And you'll see that you get the banner but you weren't allowed in.

So that was our short demo. And now I'm going to take us back to my favorite slide that I've ever done. I don't understand the slide at all. Anybody that can get it, anybody that knows what this slide means? Yeah. What does it mean? Q&A. Stop by the ECS booth if you knew this and get a shirt. Or if you didn't know, get a shirt. We have a ton of shirts. So now we have time for some Q&A. Anybody has a Q or if you have a Q, we have an A hopefully.

So I was hoping, I saw the enable IPv6 add-on. Do you mind talking a little bit about what that does?

Sure. So that one in particular, you can actually see an example of it on bosh.io. It is one of the example ones they give. It basically sets a kernel parameter in /etc/sysctl. So that's basically it. Yep.

You don't mind just mentioning your name and association? That helps to get to know each other. Sure. My name is Tim. I work with Comcast.

My name is Nick Marino. I work at Ultimate Software, SaaS provider of HR software. We're actually using PCF. So obviously, it abstracts a lot of the BOSH stuff with you. And more of the reasons I'm interested in BOSH add-ons is to find ways to tweak some of the stuff that we don't inherently get from anybody who uses PCF from Opsman and things like that. So I'm kind of curious if you have any experience using PCF or do you guys use Cloud Foundry directly? And if you do have experience with PCF, what's the use case for or how do you go about the process of adding BOSH add-ons to that?

Sure. So we do use PCF and BOSH add-ons together. It's about the same. You run through the same commands, obviously the V1 version of the command line. You can log into the Ops Manager director, you update your runtime config, and then you just hit apply changes instead of bosh deploy. Gotcha. Okay.
But yeah, because then that's what I was thinking, but then the same thing you said that you needed to get the way the deployment looks like, the deployment manifest as is, then make modifications to it, and then kind of do it again. So there is some, and what do you use like the Ops Manager API to make changes?

So if you're on the Ops Manager, you can SSH to the Ops Manager VM, and then you have access to the BOSH command line, and you can do it exactly there. Gotcha. Okay. So that's what I would do.

Oh, and one thing we wanted to bring up was, and this is not very well documented, is how to delete an add-on. You take advantage of the fact that this runtime config is idempotent. So create a runtime config without the add-on that you want to delete. Do a redeploy, but then you actually need to go and bosh recreate the VMs in question that you want to clean up, because the act of redeploying without the add-ons in the list will not recreate them. So doing a bosh recreate will create a clean copy of the VM without those add-on jobs.

Thank you. Nick, anybody else? Okay, I've got a couple here. I have a question too, but I'll defer until...

Hey, my name is Bruce Stringer from Rackspace. We've been doing some managed services for PCF. I had a question around, I saw you guys use an os-conf release. Are there any other like cool ones out there that you think are worth mentioning that we should check out?

There is an IPsec release that is... Has been targeted for PCF. There are documents around using it in PCF. There are also documents around using it in open source. They're very similar. But another one that we've seen a lot at ECS Team CGI is using Prometheus for monitoring, and that's accomplished through an add-on.

So, cool, nice. Any other questions? I think there was one over here. Yeah, all right. Let me run there. It's good to work out. Can you raise your hand? I don't see. Okay. Yeah, we got a lot of time. We have like 13 minutes left, so feel free. Thank you.
Christian from Altoros. And my question is, so if you want to install external changes from different packages, you can create a release, or you have to find a release?

You absolutely can create a release. We have done that. Sometimes you have to be careful. I will say this. Just as a good suggestion, don't do anything that messes with iptables on the VMs. Trust me. Come to the ECS Team booth later and ask me how I know this.

Smart guy. Other questions?

Okay. I'm Bill Bean with John Deere. So we use Concourse for deploying our Cloud Foundry. And one of the nice things about that is when you do a BOSH deployment, there's only three inputs, right? A stemcell, a deployment, and one other thing I can't remember because I'm talking in front of people. But now there's two other things, like this cloud config and these add-ons. Is there any thought about how those could be managed out of band and like a pipeline sort of way?

Sure. So, I mean, you can run those completely separate from the other things because they are global to the director. Stop by the Express Scripts booth later and they can tell you how they've done it. And I will say 3:05 today are the BOSH office hours in the collaboration area in the Foundry. So definitely stop by there. Talk to the rest of the team and they will have lots of great answers for you. But yes, we've done pipelines that handle those out of band from the other upgrade processes.

Any other questions? I think you said you had a question.

My question was, I know at IBM in Bluemix, when I introduced this concept to them, they were so super cool, just like you guys, excited. And they started adding a bunch of add-ons. And of course we hit a roadblock, which was that there was one particular component they wanted to add that actually modified, not necessarily the kernel, but loaded a kernel module. So there's limits to what you can do with add-on. Can you talk a little bit about that in terms of like, what shouldn't you do through add-ons?
Excuse me. You know, that's interesting. We have not done them in depth enough yet to get to these limitations. That seems like a good one if you have to add kernel modules. So, you know, that might actually, that's a little out of our range. But that's a really interesting statement that you've gotten to that point where you've had, because you have to re-create, reboot the VM after you do it. Exactly, exactly. And I think you mentioned, if you have something that you're adding that's modifying some core component like, you know, it's right in the iptables, then you've got to be careful about that because it prevents you from cascading dependencies and failures. That's right.

I think you had someone behind you there. Okay, cool. Yeah, maybe that triggers.

Mark from Pivotal just wanted to say we're speaking about using BOSH add-ons tomorrow around 4:10, using BOSH add-ons to become PCI compliant. I hope that can help you. And we have three add-ons that we've developed and Sloppy can talk about some of those constraints that we found.

So, 4:10 tomorrow? Okay, any other question? One last one? No? Okay, cool. So, thank you again. Thank you, everybody.