building domain-specific paas with openshift origin: the tresor healthcare project

TRESOR Building a domain specific PaaS with OpenShift OpenShift Community Day Prague 22nd September 2013


DESCRIPTION

Building Domain-specific PaaS with OpenShift Origin. Presenter: Alexander Grzesik, Softwarearchitekt, Medisite.de. Alexander will discuss customizing OpenShift Origin for the healthcare industry to meet the German government's compliance regulations for cloud security, as part of the German Federal Ministry of Economics and Technology's Trusted Cloud initiative, also known as TRESOR (Trusted Ecosystem for Standardized and Open cloud-based Resources).

TRANSCRIPT

Page 1: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

TRESOR

Building a domain specific PaaS with OpenShift

OpenShift Community Day, Prague, 22nd September 2013

Page 2: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

About myself

Alexander Grzesik, Head of Development, medisite Systemhaus

Working 15 years in software development: Java, Software Architecture, Medical Software

[email protected]

22nd Sep 2013 Building a domain specific PaaS with OpenShift

Page 3: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Topics

(1) TRESOR Project – the idea

(2) Why OpenShift

(3) TRESOR on OpenShift

(4) Customizing OpenShift

(5) Summary

Page 4: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Chapter 1

TRESOR Project – the idea


Page 5: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Cloud – the future ?

By David Fletcher


Page 6: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

The Cloud & Healthcare

• Patient's medical record is especially sensitive data. Only people involved in patient care should have access to the information.

• Doctor's liability: control who can access "their" data

• Fast access to life-critical information

• Medical record storage requirements (10-30 years)

• Low affinity of medical persons to IT

Objections to cloud usage in healthcare

Page 7: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

TRESOR Partners


Page 8: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

TRESOR Overview

Trusted Ecosystem for Standardized and Open cloud-based Resources

• Cloud Ecosystem for secure cloud services

– Proxy for secure communication

– Broker for procurement

– Marketplace

– PaaS Platform

• Trusted Environment for handling sensitive data

• Open Platform for developing and providing domain specific cloud applications

Page 9: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

TRESOR Cloud Ecosystem

(architecture diagram; only its labels survive extraction and are listed here)

Actors and layers: TRESOR User, TRESOR Ecosystem, TRESOR PaaS, TRESOR Service Provider, IaaS-Provider, Clients, IDM (i.e. Active Directory)

Proxies: TRESOR Proxy (Client), TRESOR Proxy (Trusted 3rd Party), TRESOR Proxy (Service)

Flows: Authentication, Authorization, Service use

Ecosystem services: Marketplace, TRESOR Billing, TRESOR Broker, Service Profile Repository, Client Profile Repository, Search, Maintain, Match, Billing, SLA Monitoring, MMV, PAI, ...

PaaS: Dynamic Services, Manage

Page 10: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

TRESOR Goals

(goals diagram; its labels, in reading order: Cloud, Flexible, Secure, Open, Extensible, OSGi based, Use of Standards, Development tools, Data Security, Encrypted Data, Secure Communication, Certified, Scalable, Reliable, High Availability, Powered by OpenShift, Fast Time-to-Market, No Vendor Lock-In, Different usage scenarios)

Page 11: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Chapter 2

Why OpenShift ?


Page 12: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

History of TRESOR

• Project idea in 2010

• Project announced at CeBIT 2011

• Project start 03/2012

• Rapid developments in PaaS technology

• Make or use?

• Evaluation of available PaaS technologies

Page 13: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

PaaS Criteria

• Supported Technologies

• Open Source

• Vendor

• Community

• Scaling

• Extension

• Infrastructure (IaaS) Support

• Documentation


Page 14: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

The candidates (2012)


Page 15: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Why OpenShift

• Supported Technologies

• Fully Open Source

• Extensibility and flexibility

• IaaS support

• Growing documentation

• Great Community

• Red Hat


Page 16: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Starting Problems (2012)

• Problems with installation

• Constant Changes on OpenShift

• No Stable Version of Open Source project

• Documentation not up to date

• No clear Roadmap

• Some missing features


Page 17: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

One year later

• 2 releases of OpenShift Origin

• Regular builds

• Roadmap & development process

• Improved documentation

• Community manager

• New features

– Cartridge v2

– PostgreSQL 9.2

– Web Console

Page 18: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Open Points

• Setup still complicated

– Installation scripts are in progress

• Better PaaS monitoring

– On roadmap

• Custom and database scaling

– We are working on a solution

• Documentation misses some details

– Everybody can help

Page 19: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Chapter 3

TRESOR on OpenShift


Page 20: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

TRESOR PaaS at a glance

(overview diagram; its labels: Strong Encryption, Powered by OpenShift, Open Platform, Polyglot Persistence, Modular Architecture, Use of Standards; the "Strong Encryption" label is illustrated with blocks of ciphertext-like characters, omitted here)

Page 21: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

OpenShift Integration

• OpenShift Origin provides the runtime for application services

• Provisioning and scaling

• Development services (Git & Jenkins)

• Use and extend PostgreSQL and MongoDB cartridges

• Custom cartridges and plugins

Page 22: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

TRESOR on OpenShift

(architecture diagram; its labelled components: OSGi Application Server, Encryption Services, Authorization Framework, MongoDB, PostgreSQL, HSM, External IDM, User, TRESOR Ecosystem)

Page 23: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Chapter 4

Customizing OpenShift


Page 24: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

New Cartridges

• Glassfish 4

– OSGi / JavaEE Application Server

• Elastic Search

– Search and Index Engine

• OpenAM (openam.forgerock.org)

– Authentication and Authorization Services

• OSGi Bundle Repository

– Central bundle provisioning


Page 25: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Extending OpenShift – How to start

• Use the VM image to develop your cartridge

– Make use of snapshots!

• Test scripts without OpenShift

• Use DIY and CDK

• Check the documentation and logs: /var/log/openshift

• Be patient

Page 26: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

New Cartridge – DIY

• First getting it up as DIY

• Glassfish already has a good quick start example:

https://github.com/shekhargulati/glassfish4-openshift-quickstart

• Cons:

– Needs to provide complete runtime

– No scaling

– Only http port

Page 27: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

DIY Cartridge Structure - example


Page 28: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

DIY Scripts – Glassfish

#!/bin/bash
# The logic to start up your application should be put in this
# script. The application will work only if it binds to
# $OPENSHIFT_INTERNAL_IP:8080
echo 'Starting Glassfish DIY...' > "$OPENSHIFT_DIY_LOG_DIR/server.log"
set -x
cd "$OPENSHIFT_REPO_DIR/diy/glassfish4/glassfish/domains/domain1/config/" || exit 1
# Replace the hostname recorded in domain.xml with the gear's IP. The old
# value is taken from the first line that mentions serverName.
mv domain.xml domain.xml_2
old_host=$(grep -m1 serverName domain.xml_2 | cut -d'"' -f2)
sed "s/${old_host}/${OPENSHIFT_DIY_IP}/g" domain.xml_2 > domain.xml
chmod u+x "$OPENSHIFT_REPO_DIR/diy/glassfish4/glassfish/bin/asadmin"
# Append (>>) so the 'Starting' line written above is not overwritten
"$OPENSHIFT_REPO_DIR/diy/glassfish4/glassfish/bin/asadmin" start-domain >> "$OPENSHIFT_DIY_LOG_DIR/server.log" 2>&1

Page 29: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

DIY Glassfish config

• Modify domain.xml:

– Remove the non-http-port listeners

– Replace all hostname references with the token OPENSHIFT_DIY_IP

– The startup script replaces the OPENSHIFT_DIY_IP token in domain.xml with the gear's IP
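The token approach from this slide, as an added shell example; it is not code from the TRESOR cartridge or from the quickstart (whose start script greps for serverName instead). A domain.xml in which every hostname was replaced by OPENSHIFT_DIY_IP is rendered with the gear's IP and then checked before the server is started: no token may be left over, and no listener other than the http port 8080 (the only port a DIY gear binds) may remain. The sample domain.xml is a constructed stub and the function names are this example's own. The IP is validated before it is spliced into the sed expression, because a value containing "/" or "&" would change the meaning of the substitution.

```shell
# Added example (not from the slides): render a GlassFish domain.xml template
# whose hostnames were replaced by the token OPENSHIFT_DIY_IP, substitute the
# gear's IP, and verify the result before the server starts.
# The template below is a constructed stub, not a real domain.xml.

DIY_TEMPLATE=$(mktemp)
cat > "$DIY_TEMPLATE" <<'EOF'
<domain>
  <configs><config name="server-config">
    <network-config><network-listeners>
      <network-listener port="8080" protocol="http-listener-1" address="OPENSHIFT_DIY_IP" name="http-listener-1"/>
      <network-listener port="8181" protocol="http-listener-2" address="OPENSHIFT_DIY_IP" name="http-listener-2"/>
    </network-listeners></network-config>
  </config></configs>
</domain>
EOF

# render_domain_xml TEMPLATE IP OUT : substitute the token and write OUT.
# Only a dotted-decimal IPv4 value is accepted, so the value cannot carry
# sed metacharacters ('/', '&', '\') into the substitution.
render_domain_xml() {
  tpl=$1; ip=$2; out=$3
  case "$ip" in
    ''|*[!0-9.]*) echo "refusing non-IPv4 address: '$ip'" >&2; return 1 ;;
  esac
  sed "s/OPENSHIFT_DIY_IP/$ip/g" "$tpl" > "$out"
}

# count_unreplaced_tokens FILE : how many tokens survived the substitution
count_unreplaced_tokens() {
  grep -c 'OPENSHIFT_DIY_IP' "$1" || true
}

# listener_ports FILE : the port of every network-listener, one per line
listener_ports() {
  sed -n 's/.*<network-listener[^>]*port="\([0-9]*\)".*/\1/p' "$1"
}

# extra_listeners FILE : listener ports other than 8080, which must be removed
# from the template before the DIY start script runs
extra_listeners() {
  listener_ports "$1" | grep -v '^8080$' || true
}
```

Run `render_domain_xml "$DIY_TEMPLATE" "$OPENSHIFT_DIY_IP" domain.xml` from a start script and refuse to start the domain when `count_unreplaced_tokens` is non-zero or `extra_listeners` prints anything; the stub above deliberately keeps an 8181 listener so the second check has something to report.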


Page 30: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Glassfish Custom Cartridge

• Starting Point: Tomcat cartridge

• Modify to:

– Download and install Glassfish 4

– Setup Glassfish cartridge

– Deployment and startup of custom domain

– Graceful shutdown


Page 31: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Glassfish Cartridge - Structure


Page 32: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Glassfish Cartridge – Manifest.yml

Name: glassfish
Cartridge-Short-Name: GLASSFISH
Cartridge-Vendor: medisite
Cartridge-Version: 0.0.1
Display-Name: Glassfish 4
Description: "Glassfish 4 JavaEE and OSGi Server"
Version: '4.0'
Source-Url: [email protected]/tresor/openshift-glassfish-cartridge
License: CDDL 1.1
Vendor: oracle
Categories:
- service
- java
- glassfish
- glassfish4
- web_framework
Website: http://glassfish.java.net/

Page 33: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Glassfish Cartridge - Endpoints

Endpoints:
  - Private-IP-Name: IP
    Private-Port-Name: HTTP_PORT
    Private-Port: 8080
    Public-Port-Name: HTTP_PROXY_PORT
  - Private-IP-Name: IP
    Private-Port-Name: ADMIN_PORT
    Private-Port: 4848
    Public-Port-Name: ADMIN_PROXY_PORT
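A small review check for the Endpoints section, as an added shell example that is not part of the TRESOR cartridge. In the v2 cartridge format an endpoint that declares a Public-Port-Name is mapped to a proxied port on the node (see the cartridge developer's guide linked at the end of the deck), so a manifest review should list which endpoints are public; on this slide the Glassfish admin port 4848 is one of them. The sample text is constructed from the two endpoints above and the function names are this example's own.

```shell
# Added example, not from the cartridge: tabulate the Endpoints of a manifest
# and flag every admin port that is also mapped to a public proxy port.
# The sample is constructed from the two endpoints shown on the slide.

ENDPOINTS_SAMPLE='Endpoints:
  - Private-IP-Name: IP
    Private-Port-Name: HTTP_PORT
    Private-Port: 8080
    Public-Port-Name: HTTP_PROXY_PORT
  - Private-IP-Name: IP
    Private-Port-Name: ADMIN_PORT
    Private-Port: 4848
    Public-Port-Name: ADMIN_PROXY_PORT'

# endpoint_table TEXT : one line per endpoint, "PORT_NAME PORT PUBLIC_NAME",
# with "-" as PUBLIC_NAME when the endpoint has no Public-Port-Name
endpoint_table() {
  printf '%s\n' "$1" | awk '
    function flush() { if (name != "") print name, port, (pub == "" ? "-" : pub) }
    /^[ \t]*-[ \t]*Private-IP-Name:/ { flush(); name = ""; port = ""; pub = "" }
    /Private-Port-Name:/ { name = $NF }
    /Private-Port:/      { port = $NF }
    /Public-Port-Name:/  { pub = $NF }
    END { flush() }'
}

# public_admin_endpoints TEXT : names of ADMIN ports that carry a public mapping
public_admin_endpoints() {
  endpoint_table "$1" | awk '$1 ~ /ADMIN/ && $3 != "-" { print $1 }'
}
```

`endpoint_table "$(cat metadata/manifest.yml)"` gives the full mapping for a manifest; `public_admin_endpoints` narrows it to the lines a reviewer will want to justify before the cartridge is installed on a node.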


Page 34: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Glassfish Cartridge - Setup

#!/bin/bash
SYSTEM_GLASSFISH_DIR=/var/lib/glassfish4
mkdir "${OPENSHIFT_GLASSFISH_DIR}"/{config,run,logs,tmp}
# Link the system Glassfish binaries to the cart Glassfish instance
ln -s "${SYSTEM_GLASSFISH_DIR}/glassfish/bin/asadmin" "${OPENSHIFT_GLASSFISH_DIR}/bin/asadmin"
ln -s "${SYSTEM_GLASSFISH_DIR}/glassfish/lib" "${OPENSHIFT_GLASSFISH_DIR}/lib"
# Copy the default configurations to the Glassfish conf directory
cp "${OPENSHIFT_GLASSFISH_DIR}"/versions/4.0/config/* "${OPENSHIFT_GLASSFISH_DIR}/config"

• Handles setup of the cartridge per application

Page 35: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Glassfish Cartridge - Control

GLASSFISH_PID_FILE="${OPENSHIFT_GLASSFISH_DIR}/run/glassfish.pid"

function start_app() {
  # Check for running app: a live pid in the pid file means there is nothing to do
  if [ -f "$GLASSFISH_PID_FILE" ] && kill -0 "$(cat "$GLASSFISH_PID_FILE")" 2>/dev/null; then
    echo "Glassfish already running" >&2
    return 0
  fi
  # remove old deployment and redeploy
  rm -rf "${OPENSHIFT_GLASSFISH_DIR}/domain1"
  mkdir "${OPENSHIFT_GLASSFISH_DIR}/domain1"
  cp -r "${OPENSHIFT_REPO_DIR}"/domain1/* "${OPENSHIFT_GLASSFISH_DIR}/domain1"
  cd "${OPENSHIFT_GLASSFISH_DIR}/domain1/config/" || return 1
  # replace the hostname recorded in domain.xml with the gear's IP
  mv domain.xml domain.xml_2
  old_host=$(grep -m1 serverName domain.xml_2 | cut -d'"' -f2)
  sed "s/${old_host}/${OPENSHIFT_GLASSFISH_IP}/g" domain.xml_2 > domain.xml
  # Start domain; stdout and stderr both go to stderr
  "${OPENSHIFT_GLASSFISH_DIR}/bin/asadmin" start-domain "${OPENSHIFT_GLASSFISH_DIR}/domain1" >&2
  # record the server pid ('[g]lassfish' keeps grep from matching its own command line)
  ps -ef | grep '[g]lassfish' | awk '{print $2}' | head -n 1 > "$GLASSFISH_PID_FILE"
}

• Control startup and shutdown
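The pid-file part of a control script, as an added shell example that is not the cartridge's own code; it covers the "graceful shutdown" item from the custom-cartridge slide as well. The control script above records whatever `ps | grep glassfish` finds, which can be a stale or unrelated process; here only the pid of the process the script itself spawned is recorded, a corrupt or stale pid file is tolerated, and stop sends SIGTERM first and SIGKILL only after a timeout. The server is stood in for by a constructed background `sleep` so the functions run anywhere; in the cartridge that line would be the `asadmin start-domain` call. GLASSFISH_PID_FILE reuses the slide's variable name; everything else is assumed.

```shell
# Added example, not the cartridge's control script: pid-file handling for
# start/stop. The server is a constructed stand-in ('sleep'); in a cartridge
# that line is the asadmin start-domain call.

GLASSFISH_PID_FILE=${GLASSFISH_PID_FILE:-${TMPDIR:-/tmp}/glassfish-example-$$.pid}

# read_pid : print the pid recorded in the pid file; fail if absent or corrupt
read_pid() {
  [ -f "$GLASSFISH_PID_FILE" ] || return 1
  pid=$(cat "$GLASSFISH_PID_FILE")
  case "$pid" in ''|*[!0-9]*) return 1 ;; esac
  printf '%s\n' "$pid"
}

# server_running : true only if the recorded pid names a live process
server_running() {
  pid=$(read_pid) || return 1
  kill -0 "$pid" 2>/dev/null
}

# start_server : never start a second instance; record only the pid we spawned,
# so a stale file or an unrelated process never ends up in the pid file
start_server() {
  if server_running; then
    echo "server already running, pid $(read_pid)" >&2
    return 0
  fi
  rm -f "$GLASSFISH_PID_FILE"        # leftover from an unclean shutdown
  sleep 300 &                        # stand-in for: asadmin start-domain ...
  echo "$!" > "$GLASSFISH_PID_FILE"
}

# stop_server [TIMEOUT] : SIGTERM for a graceful stop, SIGKILL after TIMEOUT seconds
stop_server() {
  timeout=${1:-10}
  pid=$(read_pid) || { rm -f "$GLASSFISH_PID_FILE"; return 0; }
  kill -TERM "$pid" 2>/dev/null || { rm -f "$GLASSFISH_PID_FILE"; return 0; }
  waited=0
  while kill -0 "$pid" 2>/dev/null && [ "$waited" -lt "$timeout" ]; do
    sleep 1
    waited=$((waited + 1))
  done
  if kill -0 "$pid" 2>/dev/null; then
    echo "server did not stop within ${timeout}s, sending SIGKILL" >&2
    kill -KILL "$pid" 2>/dev/null
  fi
  rm -f "$GLASSFISH_PID_FILE"
}
```

In a control script the `start`, `stop` and `restart` cases would call `start_server` and `stop_server`; `status` can be `server_running`. Because the pid is taken from `$!`, a pid file can only ever point at a process this gear started.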


Page 36: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Install Cartridge

• Install cartridge:

oo-admin-cartridge -a install -s /usr/libexec/openshift/cartridges/v2/glassfish

• Downloadable cartridge:

rhc create-app gfapp http://git.medisite/tresor/openshift-glassfish-cartridge/blob/master/metadata/manifest.yml

• Clear cache:

# cd /var/www/openshift/broker
# bundle exec rake tmp:clear

Page 37: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Open Things

• Scaling

• Add database support

• Integration with build server

• Automatic deployment of OSGi Bundles

• Documentation

• Public availability


Page 38: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Custom Scaling

• Scaling not only via request count

– Response times

– Active Users

• Service Specific Scaling

– Some Services are more critical

• Customer Specific Scaling Rules

– Customer booking of scaling options


Page 39: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

DB Replication and Scaling

• MongoDB Shard Cluster on OpenShift

• PostgreSQL Replication Set

• Automatic setup during provisioning

• Evaluate dynamic scaling options


Page 40: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Other Extensions to OpenShift

• Provisioning Interface

• Usage Reporting

• Application Monitoring

• Encryption


Page 41: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Chapter 5

Summary


Page 42: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Final Target (2015)

• TRESOR PaaS will be used in two hospitals

• Hosted in a German Telekom datacenter

• Certified according to German data security regulations

• Available as an OSGi based development platform for healthcare applications

Page 43: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Summary

• OpenShift allows building of custom PaaS implementations

• Powerful extension mechanism via cartridges and plugins

• Active community and good support

• OpenShift will be one of the major players in the PaaS area in the future

• TRESOR extends OpenShift for domain specific usage

Page 44: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Extending OpenShift useful links

https://www.openshift.com/developers/download-cartridges

https://github.com/smarterclayton/openshift-cdk-cart

https://www.openshift.com/blogs/new-openshift-cartridge-format-part-1

http://openshift.github.io/documentation/oo_cartridge_developers_guide.html

http://cloud-mechanic.blogspot.de

Page 45: Building Domain-specific PaaS with OpenShift Origin: The TRESOR Healthcare Project

Questions ?
