We live in a truly hyped era. Kubernetes, Docker, Istio, Serverless, PaaS,
Like any new
When I started working with VMware ESX in the early 2000s, I knew it was very cool tech; and not only me, everyone knew there was something special about it.
However, I didn't fully grasp the full value of the technology right out of the gate; at that point, I only saw "server consolidation" in front of me.
When vMotion came out, we realized that physics had changed for our servers: we were no longer tied to the hardware the server was running on. That hardware abstraction allowed us to do things we couldn't do before, like fixing hardware issues or patching with no downtime, scaling much better and faster by deploying VMs when we need them, and monitoring the health of the infrastructure much more closely, even self-healing. A new, exciting world of agility opened up before us.
Combined with automation, this lowered the effort of managing servers, and fewer people are needed to manage fleets of them.
What does that have to do with service mesh, you ask?
Recently I started focusing on service mesh, mainly Istio: testing it in the lab, learning the technology, and feeling that magic again. While the technology is cool, I was trying to understand the business value beyond buzzwords like distributed, load balancing, observability, and so on. At some point, I realized I was looking at it all wrong. I was looking for the value from a networking operations point of view; it only clicked when I looked at it from the developer's point of view.
Service mesh is a form of virtualization
When I get excited, I let the world know; that's why I love Twitter:
The service mesh abstracts non differentiating code, virtualizes it in a way. Once it's virtualized you can patch it better, scale easier and have more visibility into what's going on. pic.twitter.com/r30D43ndCe
— Niran Even-chen 🤘 (@NiranEC) December 22, 2018
I see much equivalency between service mesh and virtualization.
In the monolithic app world, the many pieces of code that compose the application or service run on a small set of servers, so decisions about how a component interacts with other parts of the application are written into the code.
That means that every piece of meaningful code that differentiates the business the application is servicing must carry a lot of non-differentiating code along with it.
Things like server- and client-side communication, service lookups, error detection and response, telemetry, and security are handled in the code or in middleware software.
With the rise of microservices (and the use of containers for that purpose), each container now runs a piece of differentiating code as a single-purpose server that communicates with other services over the network. The distributed architecture and the proliferation of microservices bring new challenges in managing, monitoring, and troubleshooting problems.
We replaced our monolith with micro services so that every outage could be more like a murder mystery.
— Honest Status Page (@honest_update) October 7, 2015
What service mesh, and Istio specifically, does is outsource that non-differentiating work to Envoy sidecars: each Kubernetes pod now has a proxy that is responsible for communicating with the other proxies and with the world outside the mesh. (Envoy can work with more than Kubernetes pods; it can even work with VMs or Pivotal PAS AIs!)
Now we've abstracted the non-differentiating code. Similar to the value we gained by virtualizing hardware with hypervisors and adding a control plane, we gain operational value for the proxies by adding a control plane in the form of Istio. (I won't go into the deeper architecture in this post; there are literally hundreds of posts about it out there.)
Here is a diagram to illustrate the abstraction layers in one picture:
We can apply our desired state as policies to anything that is not the core function of our software, change those policies on the fly without touching code (which saves developers much effort), apply security and authentication to transactions, and gain better visibility into application health. Self-healing becomes a real thing now.
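To make that concrete, here is a minimal sketch of the kind of policy Istio lets you apply with no code changes; the service host and the specific numbers are hypothetical, but the resource shape follows Istio's networking API:

```yaml
# Hypothetical DestinationRule: connection limits and outlier detection
# for a "reviews" service, applied entirely outside the application code.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: reviews-circuit-breaker
spec:
  host: reviews.default.svc.cluster.local
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100        # cap concurrent connections per sidecar
    outlierDetection:
      consecutive5xxErrors: 5      # eject a backend after 5 straight 5xx errors
      interval: 30s                # how often backends are evaluated
      baseEjectionTime: 60s        # minimum ejection duration
```

Change the numbers, `kubectl apply` the file, and every Envoy sidecar picks up the new behavior; the application itself is never rebuilt or redeployed.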
But just like virtualization brought its own set of challenges, so does service mesh; I will cover those in my next post.
You can read more about the details of Istio features in this blog post: https://blogs.vmware.com/opensource/2018/10/16/service-mesh-architectures-inevitable
I think this analogy explains the subject well, and the proliferation of abstraction layers brings a new set of challenges from a management point of view.
Have any thoughts on this? Tweet your reply.
If you're like me and you spin up new nested labs left and right, you are probably also over-committing your VMFS datastore regularly.
In my case, I ran out of datastore space and it crashed my NSX-T Manager. The issue can probably happen for other reasons too; in any case, it manifests as not being able to log in to the NSX-T Manager, which keeps saying that the service is not ready.
When running the command "get management-cluster status" on the NSX-T Manager you may get:
Number of nodes in management cluster: UNKNOWN
Management cluster status: INITIALIZING
Number of nodes in control cluster: UNKNOWN
This problem can happen because the Corfu DB in NSX-T has failed to load. In the case of running out of datastore space, it is almost certainly a corrupted record in the database.
So how do we identify and resolve this issue?
Follow these steps:
security is compromised to gain more speed. Basically, Intel engineers designed their CPUs to be more performant but neglected to make sure they were secure enough, and the result is that one piece of code running on an Intel CPU can read the "kernel memory" of the operating system (OS). Think of the kernel memory as your brain's secret thoughts: what would happen if someone gained access there? In the computer world, that's where all your passwords are, for example.
The patches coming out for this one are on the OS side (Windows, Linux, etc.), and they are expected to slow down all Intel chipsets by 30%-50%. Yes, your computer will be slower.
Do not underestimate this problem; code and guides on how to exploit this vulnerability are already surfacing (see link below).
The second name you might hear is "Spectre". This is a vulnerability that affects ALL CPU vendors. And worst of all, it cannot be patched: it's a basic design flaw, and it will stay with us for at least a decade, until the current hardware cycle is refreshed worldwide. Fortunately, this one is much harder to exploit. We will have to see how it plays out.
The most worrisome use case, besides someone getting the password to your grandma's bank account, is shared hardware, especially in the cloud. Think of one customer who rents compute resources from the cloud and is able to read the passwords and data of other customers running on the same hardware. Maybe your bank is the victim? This affects everyone!
That’s it, hope this helps, let me know your thoughts.
Those who want to read more, see this link: https://meltdownattack.com/
As for the sessions themselves, we had a nice turnout of about 220 folks in each session and the reviews were great.
Here are the recordings:
For this year's VMworld I am going to take on the role of booth captain for the Virtualizing Apps track booth (YES!). I will be working with a staff of 4: Sudhir Balasubramanian, Vas Mitra, Agustin Malanco (Twitter – @ ), and Ryan DaWaele. Such a great crew!
We are planning two stations this year. Station #1 is going to run the traditional demos for business-critical applications on vSphere, with features like DRS, vMotion, etc., and, new this year, vVols and vRA.
Station #2 is new this year: a second station solely focused on business-critical apps with NSX demos. We are already working really hard on developing these demos, so I don't want to spoil it, but it is going to be epic! Really cool stuff around Oracle RAC, SQL, SAP, etc., with really cool NSX demos. Expect to be wowed.
That’s not all, I have 2 sessions this year:
A bit long of a title, but it captures the essence of the demo perfectly. You can see the demo here:
I got a question from a colleague of mine who has a very keen eye:
“I just saw the great video you made, at 0:50 second of the demo we can see the rules for the prod app
What is the meaning of rule 6? If the source is the datacenter and is broader than the App Server in rule 5, and the rule allows for ANY service, doesn’t it make rule 5 irrelevant? “
This is a great observation by Manuel, with a very simple explanation that perfectly demonstrates the power of VMware NSX. Can you figure out the answer?
Rule 6 makes sense only if you know your NSX 🙂
Being a VCDX was a long-time career aspiration of mine, and I am so grateful I was able to work on the second one.
Short disclaimer: since I am a VCDX panelist, I am forbidden from mentoring candidates through their VCDX process or giving advice on the design itself, so that I won't give anyone an unfair advantage. I'll keep this post about my personal experience in achieving the double and keep my advice to the process itself.
For this round I again worked with my partner from the first design, Mr. Agustin Malanco (@agmalanco), and we designed a vRealize Automation (vRA) solution on top of the previous DCV design.
When we created the DCV design (which was fictitious, just like this one), we intentionally designed it with cloud as the next phase in mind. This is actually a recommended approach, discussed in the VCDX workshops as well: if you can create the first design planning ahead for the second, do it.
That doesn’t mean it wasn’t a lot of work, hell yeah it was!
We spent nights and weekends for about 4 months working out the design decisions, figuring out our process, and installing the system to validate it and create the install guide.
So, here are a few words of advice for anyone going for the double:
Storage I/O Control (SIOC) has been available for a long time now, since vSphere 4.1. If you don't know what SIOC is, you can read about it on many blogs out there; my personal favorite for anything storage is Cormac Hogan's blog, and here is a link to Cormac's post about SIOC.
Some of you might have read about the new SIOC feature in vSphere 6 called IOPS reservations.
In case you didn't, let's quickly review it. In version 5.5, VMware introduced a new I/O scheduler called mClock. This scheduler is more efficient, and it also has the capability to set I/O reservations on VMDKs. In vSphere 6, VMware added the ability to set those reservations at the VMDK level; this isn't done through the web client, but by setting the "reservation" property on the VMDK. See this post by William Lam, which has a nice PowerCLI script to do it for you.