Good morning, good afternoon, good evening, wherever you're hailing from. Welcome to another episode of Public Sector On Air here on OpenShift TV. I am Chris Short. What is my job title these days? Ah, principal technical marketing manager at Red Hat. I am also a CNCF ambassador, and today is day zero of KubeCon, hence the t-shirt: Love your local Kubernetes meetup. Today I'm joined by the one and only Jason Rittenauer from our public sector team. Jason, please introduce yourself to the audience.

All right, thank you, Chris. Yeah, as you said, I'm a cloud domain architect here in public sector. I specialize in emerging tech, in particular infrastructure and automation, and then automating infrastructure and infrastructure-izing automation, so I touch all the virtualization stuff and some Ansible here and there, and basically figure out how to make it work for our customers.

That's awesome. Yeah, that's pretty much why we're here, right? Like, we realize that our customers have a need that is very different nowadays with COVID, so we want to make sure that we are delivering them an experience that is accessible to them. So you're gonna talk about some virtualization today, which is awesome because I love me some virtualization, but you're gonna talk about doing it on OpenShift, which makes it even better.

That's right. And you know, I say containers and virtualization are basically like peanut butter and jelly; they belong together. And today I'm gonna talk about how that relates specifically to public sector customers. You know, I've had a lot of questions, especially since the most recent Summit, where we had a big presence with OpenShift Virtualization: a lot of interest from the public sector space, particularly state and local and education. So I kind of want to address some of the questions I've heard frequently and talk through specific use cases for OpenShift Virtualization in public sector spaces.

Let's do it.
I mean, the public sector spaces have some significant, like, interesting needs, right? So there's the security side, the compliance side, the governance side; like, there's so much to it. So getting arms around it with OpenShift Virtualization is gonna be an interesting take here. So yes, please.

Thank you. I can definitely see your screen. Absolutely. Yeah, it's my screen. Good.

All right. So yeah, again, you see my name again, my title, my public sector. So let's go ahead and go forward here. You know, as you mentioned, the big thing is we are looking at virtual machines and containers being managed in the same data plane, in the same control plane, and it's convergence now. You know, of course virtual machines have been around for decades; they've been a big part of modern IT infrastructure for more than 10 years at this point. Containers have also been around forever, but we're in this renaissance now with the advent of the Docker project and the other offshoot projects from that, with Kubernetes making it easier to orchestrate them at scale. So what we're seeing is now we're looking at the next generation of containerization. And you know, really in the early days of this renaissance, as I referred to it, a lot of people, and us included, were trying to manage containers like a subset of virtualization. We were treating the containers like smaller-footprint, short-lived virtual machines, and we found out early on that didn't quite work. Containers have a lot of nuances that really aren't the same as, like, a virtual environment. So, you know, we kind of went back to the drawing board early on and looked at the way we were managing and orchestrating containers, and a lot of what we learned, you know, of course fed into the Kubernetes project, and other people are reusing it today. That's the great thing about open source.
Everybody benefits when we all contribute. But what we realized back in about 2016, we thought, you know, maybe instead of trying to manage containers like small virtual machines, why don't we try to manage virtual machines like long-lived, high-profile containers? So that's really where the KubeVirt project began. We started looking at ways we could get virtual machines running in Kubernetes in a native way that complied with the Kubernetes API, that made it easy to fit into, like, CI/CD pipelines and modern DevOps architecture. But at the end of the day, it's really about running applications, right? So, you know, a lot of our customers are looking to go to more of a container-native slash cloud-native architecture, where their applications are ready to be containerized and they are microservice-friendly and they can scale up easily. But then we have a lot of customers that have legacy applications and other things that rely on virtual machines, but they still want them to come into OpenShift. They want to be able to benefit from the easy way to get those applications deployed in various providers; they're not tied to, like, a specific architecture or infrastructure, and they can get traffic into them easily. So, you know, one of the nice things about OpenShift Virtualization is we can containerize applications at a pace that works for all of us.

I had an image here that's not showing up for some reason. That makes me mad.

Is it animated or something?

It's not animated, but it's still not showing up. I'll say what it was gonna be. So, you know that Futurama episode about global warming, where they talk about how to throw an ice cube into the ocean to solve the problem of global warming once and for all, right? So what we can do is we can bring virtual machines into OpenShift to solve the problem of containerization once and for all, right?
Right, but so yeah, you might have things that are virtual machines today, and they are legacy and they are monolithic applications, and they can't be broken down into containers easily without a lot of rework. But maybe you want them to run in OpenShift for some reason. So what we can do is we can take them today, bring them into OpenShift as full virtual machines without changing anything in the underlying architecture of that application, and then you can just get them running in OpenShift and then you can rework that at your own pace. And you know, some things are gonna be an easier lift for you to make microservice-friendly, and some things might take months, years, never. Regardless of what your pace is, we can do it with OpenShift Virtualization. And you know, maybe you have applications that rely on, like, vendor virtual appliances and that sort of thing, or maybe some Windows-based apps that depend on, like, a full-blown older version of SQL, or maybe, like, a Microsoft file server of some type. Yeah, that can also be containerized as well. So you can have an entire architecture that's maybe a hybrid application, where it's part containers, part virtual machines. Regardless of what it is, it can easily come into OpenShift through our import process. Oh, there we go. There we go. Yeah, okay, I kind of spoiled it, but yeah, we're gonna solve this problem of getting applications from a legacy architecture into OpenShift once and for all.

So here's what's going on under the hood. You know, you might say, well, you already have Red Hat Virtualization, you have OpenStack; why do you want to reinvent the wheel and do it another way? The thing is, OpenShift Virtualization relies on that same underlying hypervisor layer that OpenStack and Red Hat Virtualization both utilize. It's all libvirt. It's KVM.
It's QEMU, except it's containerized. So this makes it easy to kind of port workloads from one of those platforms into OpenShift Virtualization, and it's all the same underlying mechanisms underneath. So if you have an ATO today for Red Hat Virtualization or OpenStack, it's probably not going to be that big of a lift to get one for OpenShift Virtualization. It's all the same processes underneath. And what we're doing here is basically we're just launching a libvirt daemon in a container through this virt-handler process. So it makes it really easy to deploy your virtual machines on OpenShift using the same architecture we're using in our other products. Of course, it all wraps into the Kubernetes API, so we can utilize it through the oc command or kubectl. There's also a separate offshoot called virtctl to do some of the virtual machine-specific functions, like getting access to consoles and that kind of thing, right?

Yeah. Yeah, I mean, I wish this technology existed, what, three years ago when I was working for a financial services marketing company and we were moving a 10-year-old NetApp and modernizing it and doing all this stuff. And man, I mean, we wanted to use containers. We had to use virtual machines. We had, you know, Windows, like, 2008 servers that we just could not, like, break for a while. And it was like, we know we're gonna break this at some point, we just don't know when, and we need to move these things now. And if we could have just lifted and shifted them into a platform like OpenShift, boy, that would have saved us a ton of headache.

Yeah, it's funny you should mention that. One of my few non-public sector engagements over my time at Red Hat was back in the early OpenShift 3.x days. It might have been 3.1 or 3.2. It was a customer in telco. I don't know if I can name them, and I probably don't want to, because I might shame them. But they also had a legacy application.
It was WebSphere, and it had been, I don't want to say abandoned, but all the people who originally created it were long gone from the company, so nobody knew how it actually worked. The only way we were able to figure out anything was by actually looking at, like, patent applications about this app.

Wow.

So we managed to get that thing ported onto OpenShift in a container, but it was like a 20 gig or so image, because we just had to bring so much along with it. I don't know how to break it up now. So, you know, again, with that application, if we would have had this tech back then, it would have made that a lot easier.

Yeah, and you pointed out the exact right thing, right? Like, it's, you know, don't worry about that. It's single pane of glass. It's the same platform. It's the same system. You don't have to change anything. You just update to the latest version and you have this capability. Actually, in 4.5 you have this capability, not the latest version, just to be specific. But yeah, like, this is there, ready to go.

Yes, it is. And since it's all operator-based, and I know we've done a few sessions on operators here on OpenShift TV, it's easy to deploy, it manages the life cycle, and yeah, it's really easy to get started.

Now, I didn't mention Red Hat Virtualization. We're gonna see kind of a convergence, I think, between Red Hat Virtualization and OpenShift. You know, Red Hat Virtualization is of course a legacy virtualization architecture.

Mm-hmm.

I don't want to say... we're supporting it till 2026. It's not like it's going away tomorrow.

So exactly, be clear about that. Yeah.

Exactly. But I mean, we know, we believe again at Red Hat the future is containers. We believe that the future of virtualization is container-native virtualization, or OpenShift Virtualization as we're calling it now. So why not have a path to go forward and to evolve Red Hat Virtualization?
It's definitely got a future. It's just going to evolve into container-native virtualization. So today, with the most recent release of Red Hat Virtualization, you can actually reach out to an OpenShift Virtualization cluster as an external provider and manage the virtual machines running on that OpenShift Virtualization cluster today. You know, you can do your basic start/stop functions, you can get console access, you can do some other, like, day-two operations on them through your existing Red Hat Virtualization tooling today. And it also cuts the other way, because we can actually import virtual machines from Red Hat Virtualization and VMware today through OpenShift Virtualization. So if you have a legacy virtualization infrastructure, we have got tooling for you to get those virtual machines out of that legacy architecture and into OpenShift Virtualization and make them container-native. Now, today we can only do a single virtual machine at a time, but we do have tooling coming later this year that will allow you to do bulk migrations of massive virtual machine workloads through a procedural system.

Yeah, I mean, this is just the evolution of container-native virtualization, essentially, right? Like, the foundation has been laid, and now the tooling is coming in on top to make migrations and, you know, lift and shift a little bit easier.

Right. And you know, you made a good point. This is the foundation. This is the first generally available release. I guess I can actually say today that, yeah, it was made available at KubeCon. The GA announcement was made at KubeCon today. Yes. So, you know, it's out there. OpenShift Virtualization is there for existing OpenShift customers. You can again deploy it through the operator marketplace, and the current version of OpenShift Virtualization is 2.4.
So that is our first generally available release. It is supported. So, you know, if you're using it today, if you file a support case, you'll get your normal SLA with your various levels of support.

Also, congratulations on beating my cohort Andrew Sullivan on the channel after the GA of OpenShift Virtualization. Good job. Nice work.

Yeah, I was excited to see that I was going to be presenting today. I'm like, all right, it's GA day. Woohoo. I get it first, the first one to kind of honk that horn. So yeah, good stuff.

Awesome.

So, you know, our government agencies, public sector, we kind of tend to maybe sometimes get treated with the same broad brush, and there are so many different agency types in public sector, and they've all got different needs and different wants and desires. And you know, like for example, security to a DoD customer is different from security to, like, a civilian agency.

Oh, yeah.

Regardless of what specific subset of public sector they are, they're all trying to modernize applications just the same as everybody in commercial is. So we're working with them to help them bring these modern applications. You know, these two examples I've got here on the slide are examples of a partner working with public sector. But you know, like, the military has been, through the Defense Innovation Unit, working with us in the OpenShift Innovation Labs to get their applications containerized and cloud-native and cloud-friendly. Lockheed Martin is another good partner for us.
So what we want to do in the public sector space is we want to help these customers find ways to get their applications into production in the fastest possible way using our technology. So this brings up some of the concerns I've seen from public sector customers, some of the frequently asked questions I've had, and I'm going to hit these through a combination of presentation, back-and-forth Q&A with you, Chris, demo, who knows, maybe even some interpretive dance if we get to that.

Yeah, we might have to.

But yeah, so let's hit on some of these concerns I've heard from the public sector space. So, you know, as I said, we did go GA today, the official announcement at least; it's actually been released a couple weeks back, but officially OpenShift Virtualization is here today, ready for your workloads. And I've heard some customers say, well, this is new emerging tech. Is this really production-ready? Can I actually run production workloads on this today? And I'm here to say yes, you can. Now again, it is emerging tech, so some of the features you have gotten used to from, like, Red Hat Virtualization or VMware aren't in the product as of yet today. But you can spin up virtual machines. You can migrate them back and forth. You can, you know, access storage, networking, all that good stuff. And we have a very aggressive roadmap with OpenShift Virtualization. It's going to release in a three-month cadence, the same as OpenShift does. So, you know, just looking at the stuff I see on the roadmap today...
I'm very excited. It's going to rapidly mature, and it's going to be a matter of time before not only does it catch up with where Red Hat Virtualization is today, but it's going to eclipse it and go forward, because it is container-native, because it's Kubernetes-native. It's going to open up new possibilities that just don't exist with the legacy virtualization infrastructure today.

Yeah, there's a lot of opportunity with the container-native platforms and Kubernetes-native functions, or not functions, but the Kubernetes-native way of doing things. When you start layering VMs on top of that, it gets pretty cool.

And again, we've been working on this for a few years now. Yeah, we actually started the KubeVirt project back in 2016, and you know, we have a couple customers today that actually are running in production on upstream versions of the OpenShift Virtualization stack, since, you know, we didn't have a GA until recently. But they've got production workloads, and you know, they're having great success with it. So, you know, I think in time, as the platform evolves, we'll be able to take more use cases and bring them into OpenShift Virtualization, to where it's really going to be a matter of time to where, you know, most everything that's not a container is going to run on an OpenShift-native application architecture.

It's a platform, right? Like, we want you to put your workloads here, and we want you to be able to put your workloads anywhere at that point, right? Like, that's the beauty of OpenShift.

Exactly. I mean, it's like you said, it's a platform. It's not just for developers. We're ready for the operations team to come in and bring their stuff into OpenShift and see the joy that is Kubernetes and how much simpler it can make your life.

Exactly. Can't wait. All right, does it work in FIPS mode?
Yeah, exactly. You know, that's another thing I've heard a lot. Of course, FIPS is important to our public sector customers, for sure. And we do have the ability to enable FIPS-based cryptography starting, I think, with OpenShift 4.3; that was the first version that we supported that. That story is constantly evolving. I know it's coming soon to OpenShift Container Storage, so again, watch this space for more information about that. But you know, I've actually had an SA ask me a couple weeks back, well, does OpenShift Virtualization support FIPS? And I thought, you know, I haven't seen anything about that, so I want to try that myself. So the environment I am going to demo in today does have FIPS enabled. I have etcd encryption on the back end, all that kind of stuff, and it works fine. Now, the reason I have an asterisk here is because I did specifically put out an ask to the product team to say, do we support this? Because, as I like to say, works and supported are two different things.

That's very true, right? Like, yes, OpenShift is FIPS-compliant in a certain way. OpenShift Virtualization is FIPS-compliant in a certain way. But do we support working under that FIPS compliance in OpenShift Virtualization? That is kind of a yes-or-no question at this point. We don't know yet.

So I'm waiting on feedback from a member of the product team. I would imagine the answer is yes, but I just want to see an official statement somewhere that yes, we support FIPS mode in OpenShift Virtualization. Until I see that, I'm still going to put that asterisk. But you know, I've been putting it through the paces; I haven't seen any problems. So, good stuff so far. So if you're ready for FIPS, we're ready for you.

A question in chat is, can we run Windows VMs now? Yes.
Yes, we can. I'm going to get to that in a little bit as well, but OpenShift Virtualization has actually passed Microsoft's Windows Server Virtualization Validation Program. Try saying that five times fast. It is supported going back as far as Windows 2012 R2; that is the oldest version of Windows we support. Okay, again, older versions may work but are not supported.

But again, that's going to help a lot, because I know that, you know, Windows containers are also tech preview now in OpenShift.

Yes. And if you've got something that supports, like, you know, .NET, the most recent versions of .NET or the most recent versions of SQL, that'll probably containerize easy. But some of these older versions of SQL or .NET, probably not so much. So we could just bring those legacy Windows VMs in and present them through OpenShift as just another containerized .NET or SQL environment, or what have you.

It can. So I haven't tested this on a Windows VM. Does it do graceful shutdowns?

Yeah.

Okay, so good. Yeah, okay. And then, right, yeah, if you do stop virtual machine, it'll do an actual shutdown, a proper shutdown.

Okay, cool. And do we support cloning of Windows VMs right now? I don't think... I believe it's, like, I mean, it's like copy-paste YAML, basically, still, right? Like, so I mean it's...

So there is actually a clone mechanism, but I haven't tried it on a Windows VM. I'd have to validate that. I would cautiously say yes.

As would I, right? Like, I would say yes, but I don't know for certain. So yeah, right, we'll check in on that one.

Yeah, I'll check on that and I'll follow up with you. But yeah, I would think the answer is yes, but again, I'll put yes with an asterisk.

There you go. Yeah, that's gonna be my go-to if I can't say for sure. Okay, cool.

So the other thing public sector customers are always asking about, this is why we have the show: disconnected install. You know, this is especially big in the DoD space.
They want everything to be able to deploy without any active connection to the internet.

In manufacturing the same way.

Yeah, exactly. Yeah. And I mean, I've had to do many POCs over the years with various Red Hat products where, you know, I go into a totally air-gapped environment. It's the type of place where you have to, like, leave your cell phone in a locker and you have to go into a Faraday cage, and you've got no connectivity to the outside world. You could get hit by a nuclear bomb and not know until you walk out at the end of the day, right? But getting Red Hat bits into those environments can be a challenge. And you know, some operators are better than others about installing in a disconnected environment. So I will say OpenShift Virtualization does support disconnected install. Again, I haven't tested it in an air-gapped environment, because with COVID I haven't been going to those kinds of places. But from what I've seen, based on how it's handling the image pulling process and getting it distributed to the disconnected environment, it looks like it shouldn't be an issue in an air-gapped environment. So again, that's there. That's super important for our folks out there that are in protected environments, we'll just call it.

Yeah, definitely.

So another big thing, of course, is network security. I've got to say, I think OpenShift network policies are probably some of the most fine-grained security controls
I've seen out of the box for networking, at least in any Red Hat product. Of course, the older versions of OpenShift utilized, you know, multi-tenancy, as it's called today, where basically everything in one project could only talk to things in its own project unless it was explicitly enabled to talk to another project. Today the default is everything uses this network policy isolation mode, where things can talk to each other, and project to project, but you can easily set it so that again only things in the same project can talk to each other, only certain pods with the same label can talk to each other, only certain ports are allowed to be accessed from a particular pod or virtual machine. So this makes that east-west traffic control really easy, and we'll hit on some of this when we demo it later. But I think it's a pretty complete solution.

Yeah, keep in mind, folks, that it's like your container is now a pod; it's treated as a Kubernetes-native asset, so you can apply all kinds of policy. You can go full OPA on it if you want, Open Policy Agent with Rego and everything, right? Like, you can go nuts with your policy, regular and regulatory requirements here. I mean, and yes, you're absolutely right, our east-west granularity is insane. So yes, love it very much.

Now, another thing we have in OpenShift Virtualization is the concept of routes for handling HTTP and HTTPS traffic. We expose those through services, and then you can access that through, like, a fully qualified domain name, which we refer to as a route. Now, if you're doing non-HTTP or HTTPS traffic, then you have to think about that a little bit differently. The preferable way to do it today, if you're using the pod-native networking that we've just been discussing, would be to expose your virtual machine through what we call a NodePort.
So what we're basically going to do is we're going to open up a port on the node that your virtual machine is running on, and we're going to map that back to the port that's handling traffic on that virtual machine. In this example, you can see a NodePort that's going to talk to the Remote Desktop Protocol on a Windows virtual machine, so you can get access to, like, the console through RDP that way. You can use that to get, like, SSH access to a Linux virtual machine that way. There are of course other ways around this, other, like, modes of ingress, but this is just based on what's in the box today, what's the default OpenShift configuration, how you would go about accessing some of those non-HTTP and HTTPS services through container-native virtualization.

And then another thing we can do is we have the concept of multiple-interface networking using Multus, where you can actually attach a virtual machine directly to your physical network. So again, this allows you to get traffic that isn't HTTP or HTTPS into your virtual machines. If you need to, like, PXE boot a virtual machine for some reason, and you know, build off of a PXE server or whatnot, this is how you would go about doing that. Now, the caveat here is that OpenShift network policies don't apply to these, like, bridged interfaces. So to that end, you'd either have to run, like, a host-based firewall on the virtual machine itself, or handle security and ingress traffic through rules on your external firewalls or whatnot. But yeah, it really opens up the possibilities of what you can do as far as traffic handling within the virtual machine.

Oh, yeah. Multus is a pretty nifty tool, and as far as just being able to bridge all the different networks that you could possibly want, right? Like, Multus, isn't it?
Definitely a very cool technology, and again, this is a very much evolving story. We're going to see a lot of innovation happen with this.

I can see. I mean, just to see in this space, it's exploding already. So yeah.

And another thing to point out as well, there's also a lot of other, like, partner and even Red Hat-supplied stuff on the marketplace today that can extend the functionality of your networking and, you know, do different things with security and that kind of thing. Like, of course, Red Hat Service Mesh is one possibility. There's NeuVector. There's Twistlock. So definitely, you know, if you're using any of those technologies today, they can also integrate with OpenShift Virtualization. Again, like Chris said, it's all pod networking at the end of the day, at least with the default interface.

So yeah, it's Kubernetes-native. You can do what you've got to do with whatever Kubernetes tool you want.

Indeed. Now, as far as day-two operations on the virtual machines, I'm very happy to say that, you know, Satellite and Ansible are still going to be the heroes here. I've got a couple articles here with some bit.ly URLs so you can get to them easier. But we do have a KubeVirt Satellite provider that allows you to provision virtual machines using Satellite. That is still tech preview, I think. I'm not sure if it's considered GA now since OpenShift Virtualization is GA, or if it's got to wait on another Satellite major release to be considered GA, but it's out there and it works. There's also a plethora of KubeVirt Ansible modules that, again, have been around for a while. The one I'm linking to here is actually the KubeVirt VM module, but there are plenty of others. There's one for disks, one for handling networking, that sort of thing. Ansible can also utilize OpenShift Virtualization or Kubernetes as an inventory source.
So again, we can pull in your virtual machines and figure out how to access them using that. And then finally, I've got an article here to link to using a jump host to get access to an environment that Ansible maybe can't talk to directly. We use that a lot in, like, OpenStack or, you know, public cloud providers, where not everything has, like, a public interface or a public floating IP or whatnot. So this way we can use that as, like, a bastion host to get in and talk to virtual machines that aren't exposed on the public network. So lots of different ways to do your day-two operations. This is going to be great for handling, like, security profiles on your virtual machines. Again, Satellite can do that through its OpenSCAP integration; Ansible can certainly apply a STIG profile. So whatever way you prefer to manage your virtual machines, it's really not going to be that drastically different with OpenShift Virtualization. It's just a matter of maybe tweaking how you're accessing them directly a little bit.

Yeah, I mean, I use jump hosts for Ansible all the time, right? Like, it's totally normal operation for me now, I feel like.

Yeah, it's definitely good stuff, and it's very flexible and versatile. So we'll actually do a little bit of Ansible demos. I've actually got Tower running in OpenShift; that makes it a little easier, and that's another possibility too.

You can, yeah, Tower in OpenShift.

So it's just using the native pod networking as well. But again, regardless of what way you choose to go about it,
we can definitely manage it with Tower or Satellite, no problem.

So some of the other questions I hit from public sector customers: of course, OpenShift 4 runs on CoreOS, which is based on RHEL 8, and as you know, we dropped support for a lot of older hardware with RHEL 8. You know, some of the kernel modules just aren't there.

I hit that bug this weekend. I've got a whole bunch of sad Dell R610s down in my basement.

Yeah, exactly. And you know, you can certainly hack around it to get those kernel modules in and working.

Yeah, totally, you can, but yeah.

But again, not supported. So it makes it hard for customers that do want to just play with OpenShift Virtualization and see how it runs in their environment, you know, get a feeling for what managing virtual machines is like. So I'm going to present a couple of different things you can do, and again, that is the first bullet point here: none of this is supported. This is just your friendly neighborhood cloud domain architect telling you, if you want to play with this and do non-production stuff, this is how you can go about it.

Here's to tinkerers.

Exactly. So of course it does depend on hardware virtualization. You can enable nested virtualization on RHV or vSphere or OpenStack, and you know, that exposes the VMX bits and everything, and then you can actually run nested on that environment. You're not going to see too big of a hit on performance that way, because it's just passing through the CPU instructions directly to the underlying host. So that's one way of doing it. My first real exposure to OpenShift Virtualization was running on a vSphere stack.
So it's viable to do it that way for testing. But the thing with that is, that's not going to work for most of your public cloud providers, because they don't expose the nested virtualization bits. So for that you can enable software emulation, which, that is where you're going to see a bit of a performance hit. Confession: the environment I'm going to demo today is actually using software emulation, because the storage in my home lab unfortunately had an issue. Yeah, I found out the hard way that the old adage holds: the time you're most likely to lose a disk is during a RAID rebuild. So I already had one rebuild going on and another just dropped. So yeah, I'm up the creek right now. But anyway, so again, this works. It's maybe not as performant as nested virtualization, but again, if you're just trying to see what it looks like, get a feeling for how you manage your virtual machines, how you access them, this works. And to this end, we do have support coming for running OpenShift on bare metal public cloud providers. Yes, that's one of the things that kind of falls into the "maybe sort of will work, but it's not supported" bucket. And the main reason for that is, we worked with the public cloud bare metal providers and ran into things like how they do the networking, and it doesn't necessarily jive well with how OpenShift tries to lay down its software-defined network. So full official support is coming later, and we're working with our partners on that right now. Absolutely.
Yeah, yeah, definitely. I definitely think that's going to be a game changer, because a lot of times we see our public sector customers trying to shrink their data center footprints, and they're trying to do more stuff in the public cloud. So I definitely see that public cloud bare metal use case being something that's going to be big, especially for the SLED guys. They're always interested in that. Absolutely. So with that, I'm done with my slides. So now it's time to see where we can break a demo environment. Oh, we're gonna break some stuff. You know it. I love it. Yeah, I bought an old R820 to put in my house. It's the first real server I've ever owned. And yeah, I was spinning up a RAID 10 array on just the four disks that came with it, like 10,000 RPM disks, and I was like, wow. Right. I'm gonna have to buy some SSDs for this thing. Yeah, I know, because the IOPS are not too hot. Yeah, it's definitely not fun, but yeah. On the one hand, I like having a data center in my basement. On the other hand, my wife doesn't like it. My R610s are actually an upgrade from the 2950 I used to have, and man, that thing was right below our living room. So we'd be watching TV at night, and all of a sudden I'd turn it on via IPMI, and you would just hear the sound of jet engines underneath us, and she'd just kind of look at me and roll her eyes, like, oh my god, are you doing work stuff now? So at least my R610s aren't as loud, so I can be a little more stealthy about it. But yeah, noise rating was definitely one of the things I checked when I bought this one. Right. All right, so we are on an OpenShift environment in the public cloud. 4.5, for those out there. Yep, 4.5.5 to be clear. Four VMs underneath the hood there, and virtual machines running across a couple of different namespaces. And you can see I've got a healthy mix here.
I've got a Windows virtual machine, a RHEL, a CentOS and a Fedora. Nice. So we're gonna get in here and play with these in different ways in a little bit. While we're doing that, though, give me a second; we're gonna spin up a virtual machine right now just to show what the process looks like. I thought I left that tab open in my browser, but I didn't. Whoops. Yeah, no big deal. Sometimes I'm so smart I forget how smart I am, and I forget to do stuff. All right, so I'm gonna do "new from wizard" here. This allows me to basically go through a UI where I define everything, pretty much like you would with a legacy virtualization system. Yep. It's asking me for a source. Again, I can select PXE, so I can do a full-blown PXE install. I can point to a URL and pull an image or an ISO in. I can do a container image, so we can actually take container images and mount them as disks. And then I can also do an existing disk I've already got uploaded. So in this case, I'm going to do URL. I'm going to drop this in. So this is going to use the latest CirrOS cloud image. CirrOS, for those of you not aware who maybe haven't seen it in OpenStack, is a really lightweight Linux-based virtual machine, and it's good for when you want something spun up fast just to validate basic functionality. Since that's not listed, I'm just going to pick the "CentOS 6 or higher" operating system profile. That's mostly just metadata about the virtual machine, so it's not really having much impact on functionality here. Right. You can see we can do either t-shirt-size type flavors, or we can specify the memory and CPU count manually. In this case, I am going to go ahead and select tiny, though. Whoops, tiny, not small. And then your workload profile. The only one I've got here is server; there's also desktop and high performance. And that's where the OS drop-down matters, right? Right.
Yeah. So by default I'm going to use the pod networking interface. So again, this is going to mean that everything is going to utilize the native OpenShift networking. You can see I can easily add an interface, though. I've got different definitions here; if you've got bonds, you can go all day with anything you want. Right, you can do a bridge, you can do SR-IOV. You can specify the MAC address if you want; again, there might be a few use cases where you want to have that kind of control over it. But yeah, it's really easy to add an interface through the wizard here. Next we get to storage. Now it's going to define a root disk by default here, and again that source is going to be URL, so that means it's going to pull from the image from the URL I supplied. I'm going to go in and edit it, though, and make a couple of changes. So you can see I could change the size here. The default is 10 gigs; CirrOS doesn't need anything that big, so I'm just going to drop it down to five. It could even be tinier, but... We can also specify the interface. So do we want to use virtio, SATA or SCSI? And again, there might be a couple of use cases where, for CD drives, you might want to use SATA rather than virtio. Right, you might have a legacy system that needs to utilize SCSI rather than virtio. So again, we can be flexible with that. I am going to go ahead and leave this on virtio, though. Storage class allows us to take an existing defined storage type in OpenShift, and that is the backend storage. Now in this case, I have AWS EFS, so this is going to utilize Amazon's Elastic File System to dynamically create a share for me on the backend. It's one of the nice things about running this in Amazon. I mean, performance of software emulation aside, I've got easy access to other types of storage. So again, I could do gp2. If you're running on prem, we can do OpenShift Container Storage, we can do NFS.
Basically any type of storage OpenShift supports can be easily exposed to a virtual machine. And going even further, if your provider supports something like full disk encryption for a block device, it's easy to do that as well using that built-in provisioner. Nice. Did you happen to do that with the service operator, to create the EFS thing, or did you do that on your own? I did not; I did that manually. That's fine. I was curious about the service operator for that. Yeah, I think it has three words in the name, but something-something Service Operator, right? And it's designed to work with those external services. I don't know if it would have spun it up for you too; usually I haven't kicked the tires on it with EFS, but... Interesting. I'll have to look into that for sure. Maybe give it a look; it might help you save some time in the future at least. Man, do I hate creating PVCs and PVs myself. It's so nice to have a storage class that does it for you. Yeah. So anyway, one thing I want to point out here: note I'm making this shared access, RWX. It's very important if you're going to want to migrate the virtual machine from node to node; the backend needs to be ReadWriteMany. Mostly because, as we get into here, when you do a migrate, basically it has to spawn another virt-launcher pod for the virtual machine on the node it's going to migrate to, so you can hand off the storage to that other node. So it basically does have to be mounted in both places at once for at least a brief few seconds. So we'll go ahead and click next here. You can supply a cloud-init payload if you want, so I'm going to specify my hostname.
I can drop in an SSH key if I want. You can do a full-blown cloud-init script here if you want, so this shows you what it looks like. Again, if you're familiar with cloud-init, you can pass along all sorts of things to configure packages, run Ansible if you want. Yeah, all kinds of fun stuff. Exactly. So, virtual hardware: I could attach a CD-ROM if I wanted. One thing to point out here: when you're doing Windows virtual machines, it's automatically going to pull the virtio-win container image and mount that as a CD. So that way you'll be able to see the storage drivers to access your disks, because by default Windows doesn't have those drivers installed. Yeah, yeah. So it's going to go to my little review screen and ask me to confirm everything. This all looks good, so I'm going to go ahead and click "start virtual machine on creation" and create VM. And now let's go look and see what's going on on the backend. So I'm going to go over here to pods. Now, since I am supplying this as a URL, it's going to run this importer CirrOS disk, and it had an issue: scratch space required. That's interesting. Well, it certainly didn't do that when I was testing this. It looks like it's going to try to spawn it again. So what that's trying to do, scratch space basically is a file system space that allows you to pull in the raw image or the ISO or whatever, and it uses that to then transform that into something that OpenShift Virtualization can mount. And it goes through and also validates that the image is kosher and ready to mount, more or less. So what we would see here is... Okay, there we go.
This worked. So apparently it was just a slight race condition and it didn't have that scratch space ready, but you can see it went through. It pulled the image in, it validated it, it converted it to raw, and then it mounted it on my virt-launcher pod, which is now running, and it terminated that importer pod. That utilizes the containerized data importer, which is what that process is called, where it pulls in your image or ISO or what have you. So we now have a running virtual machine. Just like that. Just like that. And this is over on my CirrOS test VM. And again, you can see it's telling us all sorts of neat information about it. It's telling us what node it's running on, it's telling us its pod networking IP address (we'll explore that in a little bit), telling us information about the virtual machine, about the network interfaces, the disks, what its current resource utilization looks like. And note here, again, like everything else that's Kubernetes native, everything is defined as YAML. Right, so that's YAML all the way down. I can go ahead and make manual edits to the same YAML if I want. I can export this out, go do some edits and then spawn another virtual machine from it if I want one that's similar. So yeah, you can see things like the CPU, memory, disks, all this is defined as YAML. So, again, this is something that's probably going to fit into CI/CD pipelines and DevOps really naturally as we start exploring it more. But here's the big thing: you can see we have console access now. This is using VNC by default. I can also switch over to a serial console if I want, for Linux VMs at least. Right. And it does do RDP for Windows VMs. It does; we'll hit that in a minute too. Yeah, but I take that right... no, I do not. And you can see it got my hostname that I supplied there, so you ready for cloud-init?
And I've now got a prompt here. So, a basic Linux instance, nothing too exciting, but yeah, that's how you would create a basic virtual machine. And of course it can do a lot more than just CirrOS. Several different versions of Windows and several different versions of Linux are supported. Red Hat Enterprise Linux, of course, being the way we want you to go, but we can also do Fedora, CentOS, even Ubuntu 18.04 long-term support. So we're opinionated, but we're not biased. If you want to run a non-RHEL OS here, we're certainly okay with that. So the next question is, you know, how do we get access to these virtual machines from the outside world? How do we SSH into a Linux VM? How do we SSH or get RDP access, like you said? So we'll go over here to another project I've got. Let's go to virt demo two. I've got a couple of existing virtual machines running. I've got a Fedora 32 and a CentOS 7. Nice. And again, you can see it tells us what node it's running on and what its IP address is. Now those are, of course, pod networking IP addresses, so they're not accessible from outside the OpenShift cluster, right? So the challenge with that is, I want to get access to that, and I want to be able to do it from my workstation on the regular office network, right? Yeah, I don't want to have to jump into the web interface every time I need to touch a VM. So this is where services... well, and honestly, the console is VNC-based; it works, but it's not something I'd want to manage virtual machines through all the time. It's good if you just want to do some basic troubleshooting, but yeah, I'd rather have SSH shell access myself. So you can see we can utilize services here. I've got a couple of services defined for SSHing into both my CentOS and my Fedora VM. And what this is doing is creating a cluster IP address that I can then access, in this case, through a NodePort. So you might be saying, well, how does that work?
I'm going to go here to my terminal window. And again, I'm doing this through Windows because I want everybody to see that you don't need to be a Linux whiz to know how to do this, right? The oc binary, the virtctl binary, they're available for Windows, Mac, what have you. Yeah, true, Go can be cross-compiled. It's great, good stuff. So if I do oc get vmi, I'm going to go ahead and do all namespaces too, so this will show me all my virtual machines running across all my projects within OpenShift. So you can see my Fedora 32 VM is running on this node right here. So I'm going to SSH in. SSH, not DDH. I don't know what that's going to do. Well, you never know. You never know, it might do something. That's duplicate help. No, okay. I would have no idea what that would do. So let's see, actually I got a little bit ahead of myself. Let me cancel out of that, because I need to see the port: oc get service, and let's do it in virt demo two. Okay, so my Fedora SSH port is using 30 50 at 354, so let's see here. SSH as user fedora to that node. You ever have one of those days where your fingers just don't want to do what you're telling them to do? No, that's quite frequent for me. It is not fun at all. Yeah, when that happens. Are you on a Mac keyboard or something? I am, some weird... That really throws it off. All right, so now port 30354. You can do it. I believe in you. I can do it. So again, I already had my public key copied to this virtual machine, so I was able to do that without supplying a password, because I've got a public key on this host. So yeah, I'm logged in at the Fedora virtual machine now, and basically it's the same as any other shell instance. I can do ls, I can validate that my HTTP server is running. Yeah, and because I've got that HTTP service running, that is normal HTTP traffic, so I can hit that through a route that I've got exposed here.
So there's my hello world. Nice. So, just to show there's no funny business here, I'll validate that that is in fact the same one. You could actually drop that link into the Twitch chat if you want, or just send it to me, and it's actually public to everybody. Yeah, I can do that. But I can't do it if I'm not logged in as the root user. So, no. Permissions matter. Yeah, they do. Stupid secure by default. Why can't everything just be chmod 777. All right, so now if I go in and refresh that. There you go, "Hello Chris." Hey, look at that. So you all drop that into the chat so that if anybody else wants to see it... I think, yeah, there we go. All right. Question: which chat are you dropping it to? Chris Short private. You see it? All right, well, let me do this other one then. There's two Chris Shorts and that's messing me up. How many of you people are there? Just enough. Just enough of them. You could share with everyone. There's only... that's just us here. But yeah, copy, paste, there you go. So, you know, that's how we would go about getting traffic into a virtual machine from the outside world. Again, if you're running HTTP or HTTPS, it's not really any different than any other pod. It's when you're doing something like RDP or SSH that it requires a little bit more planning. So to that end, I'm going to go over to my virt demo project. Oh, if I get out of the Fedora virtual machine first. Minor detail. Minor detail. There we go. So now I'm using that. oc get vmi. There's my Windows 2019 virtual machine I have running. I'm going to use that virtctl command I was talking about. Again, this is a binary that's available; I want to say it's on the KubeVirt GitHub, if I'm remembering correctly, but within RHEL we do have it exposed in a repository that you can download it from. But again, for Windows or Mac, you're not going to be using a repository.
So you can just grab that from GitHub. So I'm going to do expose vmi win 2019. The name is going to be win 2019 RDP. For my port I'm going to do the default RDP port, which is 3389. Oh boy. And then target port. I don't need to do the target port, but I do need to do NodePort, or yeah, right, type is node port. Okay. So yeah, I'm going to drop the blog post about the GA today in the chat for everybody. So where's my node port? Node port, node port. I might have told you the wrong thing too. No, you definitely... I've done this before. I know you have. It's just not your day. It's okay though. You know what, it's okay to not have a great day on this channel. It's totally fine. Type equals node port. What the heck am I doing wrong here? The order, right? The order shouldn't matter. Port. It fails. Oh, the error too. When it worked, right there, you go. Capitalized. I should have known that. I should have known that, dammit. There we go. OpenShift commands are case sensitive, some of them are. That goes all the way down to the core Kubernetes, man. I should have known that. And I should have known too, but yeah, oh well. Yeah, like you said, it's been a long day. Yeah, I mean, I've been up since five, so I've been going at it hardcore with KubeCon. I know you got KubeCon. I just got kids to keep me up all night. Yeah, well, that's always fun. So now I've got this Windows 2019 RDP port, so that's exposing RDP on that port. If I go back over to my virtual machine, Windows 2019, so if I hit the console here, there is my Windows console, the lovely default lock screen. I'm going to hit my drop-down here, and again, I've got that same serial console option, but I've also got desktop viewer, which now brings up a lovely little window to say, hey, do you want to launch the remote desktop client?
This is another part of why I did this through Windows, because I wanted to save myself the pain of trying to access RDP through a non-Microsoft terminal services client. Sure. So you can see it's going to come up. It's going to ask me for the password to log in as administrator. I could change who I'm logging in as if I want, and you can see it's going to bring up that friendly little dialog box saying, hey, this is a self-signed cert with this Windows hostname, are you sure you want to do this? And I can hit yes. I could go in and make some changes to that RDP file as well if I want, so I'll just go ahead and hit configure here, and we'll let it go through. It's actually gonna take a little bit, because it's going through a couple of different layers and adding. While we're waiting for that, let's see, what else did I want to show? Oh yeah, I wanted to hit Tower, Ansible Tower, before we wrapped up. So you can see if I go over to my Tower project. Actually, I've already got it running in a tab here. Oh, sweet. See, I tell you, sometimes I do think ahead and actually keep certain tabs open. So this is Ansible Tower running in OpenShift, which works; it's supported if that's the way you want to go. Again, if not, you can always do a jump host or whatever to get in. I do have a manually defined inventory that consists only of that Fedora virtual machine I was running. Okay. So you can see him right there. He's using the pod networking IP, and since Tower's running as a pod, it can talk to it on that without any special precautions. So I can actually run in here, and I can do a basic ad hoc command. Gonna do this poor thing. So we're just going to do a simple ping to validate that it's up. I'm going to supply a credential to it; I've got my private key baked in here.
So I can just go ahead and run that. Hit launch, and it'll go through and establish its connection. It's going to give me a warning about Python not being the right version for Fedora, basically, but that doesn't really amount to anything for what we're doing. It's just establishing the communication. That's Tower running on OpenShift, going across the OpenShift network to the VM. Okay, right. And there we go. So we got our response back, so that works. So yeah, that's how you would do day-two operations. You can do your full job templates against it. So if I want to secure my SSH, I can just go ahead and run that, and you can see it's going to talk to that same demo inventory, utilizing the same credential. Nice. I mean, this is OpenShift Tower, or OpenShift, Tower, Ansible Tower, what everyone loves. Yeah, you know, yep. So you can see it's gathering its facts now. We'll be able to access those if we want. So again, the facts are something Ansible is going to gather, just intel about the virtual machine and the environment that it's running in. Yeah, and it's all in OpenShift. It's all in OpenShift. Or, you know, you could have your Tower instance outside and do stuff with that. Exactly, and OpenShift. However you want to mix this cocktail, you can. Yep. So this is going to go through some of the... and some of this stuff has probably already been done, like disabling password login. I'm going to set an SSH banner, a couple of things like that. So yeah, disable password login was already done, so no changes there. Write the basic issue.net file, and so on and so on. So with that we're at the top of the hour here. I've hit just about everything I wanted to show other than the network policies, but take my word for it, that's awesome. I mean, you know, if I've got a few more minutes, if you want. If you've got time, I'll go. I can give you 15, right? Like, yeah, cool.
So let's SSH back into my Fedora VM here. If we time it right... unfortunately, we didn't get to where that SSH banner was set. There you go. There, it's added now. I'm sorry, I just got to get out and do it again. I want to see my banner, make sure it worked. I like you. It didn't give me... oh, because this is... oh, it just did. Yeah, all right. I'll let it go. Yeah, I will cat /etc/motd just to validate that it's there. Oh, it's writing it right now. Oh, well, there you go. Well, where's the issue.net file? Let's look at that. There we go: authorized users by public key only, no plaintext passwords. Yeah, so that's what my Tower job is doing; you can see it says we're right here. So we know that worked at least. All right, so one thing to point out about the networking in OpenShift: the pod network IP address you see is not the actual address on the virtual machine itself. They all have this 10.0.2.2 address, right? Of course, since we're using software-defined networking, it doesn't matter what the actual IP address of the virtual machine is. The pod networking is translating everything back and forth between the different interfaces. So to things running in the podified environment, they're going to talk to it on that pod IP address we saw. Right. So again, I'm going to go back out here. I'm going to drop into that CirrOS virtual machine I created earlier. Let's go to virtualization. Oh wait, that's right, I put it under default, because I was stupid. Oh yeah, that's right. I forgot to change the project. Yeah, I do it all the time. Yeah, so I'm going to log in to CirrOS. For CirrOS, I never know what to call it. Yeah, cloud thing. Yeah. Right, so again, ip a. It's got the same address. Now let me log back out here and we'll do oc get vmi, all namespaces again, just because I want to see all of their addresses. So you can see it's showing their namespace and what their IP addresses are. Right, right. So let's look at the Fedora.
He's 10.128.4.38. Okay. So if I ping that guy, I'm getting a response. Again, to validate that there's no craziness going on here, I'm going to curl that guy on that same address, and you'll see that same index HTML we edited earlier. Right, nice, good stuff. Now what if I don't want that to happen, though? What if I want to be able to... Yeah, I don't want stuff in my default project to be able to talk to anything, right? Right. Yeah, nobody wants that. So I'm going to do a deny-all. Oh, oh snap. So now... that's right, I need to apply this to the default namespace. Ha ha, oc project. Oh yeah, that'll probably break stuff. I don't think I want to do that. Yeah, be careful with that. But I do want to go to... All right, so I'm on the virt demo two. And now let's go look at our network policies. Hmm, let me just cat that to make sure I didn't have any... All right, well, let's do this the hard way. So, easy way, maybe. Easy copy-pasta: copy, paste, create network policy. Let's dump all this stuff out of here, paste that in. Okay, now we go back over to our virtual machines. Let's just do all projects so I can see them all at once. Cool. Let's go back to my CirrOS guy. And now let's see. And now I don't have any pings going in. Nice. I can't curl it. So that's what I'd expect: all traffic is stopped. Now, maybe I do want to allow some traffic in there. Like, you know, that's a web server, right? I want to be able to access the web on it, right? So this is just a matter of going in. We'll go ahead and dump this guy, we'll create a new policy. So again, you can see this is going to apply to all pods in this project, and again, I could get granular. I could do tagging there, labeling-based type access. But the main rule here is it's going to allow traffic in on port 80 TCP, which of course is your typical web services port. Oh, there's the RDP window, by the way.
Whoo. So going back over here now, we're going back over to our virtual machine console in CirrOS, rather on CirrOS. So now, again, I can curl it. Hey, look at that. But I still can't ping it. Nice. So that's just a quick intro for how you can secure your workloads on container virtualization when they're using that native pod networking. And again, it's insanely granular, the stuff you can do using network policies in OpenShift. Yeah, no, you can get down to, like, I want this label to only be able to transfer X amount of data per day kind of thing, I think, if you really wanted to meter it out and everything else. You probably could string all that together. But goodness, I mean, you know, I think there's plenty of policy examples out there for folks to use and copy, right? Like, you don't have to do that on your own. Go look for some, right? There's plenty of valid stuff out there that's worthwhile using. You can read YAML just like everybody else can, so just validate that it's good for you and your workloads and off you go. Yep, and I'll say the docs actually have a good section on network policies, and then there's also some stuff up on the OpenShift consulting GitHub, the Red Hat consulting stuff, some of the things they've done for other customers. So yeah, lots of good examples to get started. Cool. Awesome. Jason, thank you very much for everything today. Yeah, I think that's all I wanted to show today. You know, I just want to point out I'm wearing my "Containers are Linux" shirt, and I'm a little within them to that sewer VMs now. Nice. I'll see if Paul could get me one officially printed up like that. Paul, just like that, with the sideways Post-it note. That'd be great. I would love that. That would be amazing. Awesome. Yeah, if you're listening still, please, we need that. Yeah, but I had a good time today. This was fun.
Thanks for having me. And yeah, public sector customers, if you're interested in OpenShift Virtualization, talk to your reps, have them ask for me, and I'll help you figure out if your workloads are a good fit. Yeah, and definitely come back next week for... oh come on, calendar. It's just one of those days. How to build and scale applications with confidence using Microsoft Azure Red Hat OpenShift. That'll be cool, right? Definitely. Yeah, that'll be awesome. That's actually from... who's that with? I'm gonna be joined by Phil Cramp. Yeah, sorry, sorry. Yeah. Yeah, your demo was awesome today, though. Thank you so much, Jason. Really appreciate your time. OpenShift Virtualization is GA today; that blog post again, if you missed it, I'll drop it again. And when in doubt, check the live streaming calendar, which I just dropped a link to. Again, you too can join us and subscribe and follow us on Twitch, Facebook or YouTube, wherever you think is best for you to catch our live videos. And we'll see you again out there in the streaming universe very soon. Bye, everybody. Bye.