IBM Secure Service Container for IBM Cloud Private
Norsk Dataförening
February 7th, 2018
Agenda
IBM Cloud Private (ICP) overview
Secure Service Container (SSC) Overview
z/OS Cloud Broker for ICP
IBM Cloud / © 2018 IBM Corporation

AppMod use case "unlocked" by Private Cloud
(Slide diagram, labels only: before: Traditional, Cloud Native; now: Traditional, Cloud Services, Cloud Native, AppMod, Private Cloud.)
IBM Cloud Private overview
IBM Cloud Private – Key Attributes
(Slide columns: Innovation, Integration, Investment Protection, Management and Compliance)
• Kubernetes based container orchestration platform
• Cloud Foundry runtimes to support business logic
• DevOps & tools to build your own microservices
• Extend for Watson, IoT, Weather Company APIs
• Integrated stack, continuous delivery for releases
• App catalog for IBM, OSS, imported & custom apps; runtimes and integration services
• Build & manage APIs to integrate services and data
• Runs on existing IaaS, infrastructure automation
• Containerized IBM middleware, data stores & analytics (WAS, MQ, IIB, Db2, Cloudant, DSX)
• Reference architectures, best practices & prescriptive guidance to run workloads
• Self-managed with new IBM S&S model
• Core operational services, open source monitoring, logs & security tools
• Automated provisioning
• Integrate with existing service management
Enterprise grade. Open by design.
Microservices & Cloud Native Apps

Infrastructure oriented:
⚫ coming from servers, now virtualized
⚫ several applications per server
⚫ isolation

Service oriented:
⚫ application-centric
⚫ solution decomposed
⚫ DevOps
⚫ microservices (application logic)

A quick review: what is different from a virtual machine?
⚫ Virtual machines: separation between tenants; virtualization management provides infrastructure isolation
⚫ Containers: run within one tenant; container efficiency; Docker management and ecosystem
IBM Cloud Private – What it Takes
• Bring your own IaaS
• ICP only needs Linux VMs (RHEL/SLES/Ubuntu) and has no other prerequisites
• Hypervisor agnostic
• No special IBM Z skills needed
• ICP installation is easier than that of other vendors offering similar products
• Or choose the Secure Service Container appliance
IBM Cloud Private – Major Components
So Much Open Source … Why Not Build My Own Then?
Typical components: ELK, Galera, Jenkins, Open Liberty, LDAP, Nginx, Web Terminal, MongoDB, Redis, RabbitMQ
• Over 50 open source services and technologies to stitch together
• Many-to-many interfaces to maintain
• Regular changes to versions and APIs (at least every 2 to 3 months)
• HA/DR, security & management frameworks for production at scale need to be developed
• Need to participate in open source communities for support
• Almost impossible to get a consistent support model and handle dependencies
IBM is heavily invested in open source and a major contributor to the open source communities
Why IBM Cloud Private
• Rapid development and deployment:
– Minutes or hours vs. days or weeks; a huge catalogue of open source and IBM services, advanced analytics and machine learning options
– Non-disruptive upgrade of the platform, integrated with enterprise network, storage, security, performance and production needs
– Enablement of new and existing developers & integration with existing Dev/Sec/Ops tools
• Investment leverage:
– Infrastructure choice and complete portability
– Leverage existing applications and skills while reducing TCO
– Open community-based platforms for choice and flexibility, on- and off-premises
– No vendor lock-in
• Application modernization:
– Modernization and optimization across multi-cloud environments: develop once, deploy anywhere
– Reduced risk by running applications on enterprise-grade software & data platforms optimized for cloud
• Differentiated enterprise integration:
– Set of new services available on-premises, complemented with public cloud services (Watson)
– Integration of applications with services for operational simplicity and reduced cost
– Integrated cloud management solutions to automatically provision and govern multi-cloud environments with speed and control, coupled with IBM's expertise & services
Multi-architecture Enablement in Docker
• Multi-arch support is fully implemented in Docker since version 1.12 and beyond
• A manifest list (a "fat manifest") holds pointers to each of the architecture-specific images that have been built for an application, each entry tagged with its platform (os, architecture, variant)
• Docker engines and the registry sort out which image to send based on the manifest list and the platform of the engine that pulls
• The Docker user experience (CLI, REST API) is identical across platforms
• The Docker calling convention (docker pull / docker run image:tag) is identical across platforms if you reference the multi-arch manifest list tag instead of an architecture-specific image name
• Developers need to start using this now to see the benefits
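The selection an engine performs against a manifest list, as an added example that is not code from this deck or from Docker. The manifest list is a constructed sample with placeholder digests for a hypothetical tag example/app:1.0, and the platform matching is simplified relative to the engine's (os and architecture must match exactly; variant is treated as an optional refinement):

```python
"""Select the platform-specific image from a Docker manifest list.

Added example, not code from the deck or from Docker: it reimplements the
selection rule a Docker engine applies when it pulls a multi-arch tag, so the
mechanism can be inspected offline. The manifest list below is a constructed
sample with placeholder digests, not a real image.
"""
import hashlib
import json

MANIFEST_LIST_TYPE = "application/vnd.docker.distribution.manifest.list.v2+json"
MANIFEST_TYPE = "application/vnd.docker.distribution.manifest.v2+json"


def _entry(arch, digest_char, variant=None):
    """Build one constructed manifest-list entry with a placeholder digest."""
    platform = {"architecture": arch, "os": "linux"}
    if variant:
        platform["variant"] = variant
    return {"mediaType": MANIFEST_TYPE, "size": 1200,
            "digest": "sha256:" + digest_char * 64, "platform": platform}


# Constructed sample for a hypothetical tag example/app:1.0 (not a real image).
SAMPLE_MANIFEST_LIST = json.dumps({
    "schemaVersion": 2,
    "mediaType": MANIFEST_LIST_TYPE,
    "manifests": [
        _entry("amd64", "a"),
        _entry("s390x", "b"),
        _entry("ppc64le", "c"),
        _entry("arm", "d", variant="v7"),
    ],
})


def select_manifest(manifest_list_json, os_name, architecture, variant=None):
    """Return the entry whose platform matches the pulling engine's platform.

    Simplified matching: os and architecture must be equal; a requested variant
    must be equal too, otherwise entries without a variant are preferred and a
    variant entry is used as fallback. Raises LookupError when nothing matches,
    mirroring the engine's "no matching manifest for <os>/<arch>" failure.
    """
    doc = json.loads(manifest_list_json)
    if doc.get("mediaType") != MANIFEST_LIST_TYPE:
        raise ValueError("not a manifest list: %s" % doc.get("mediaType"))
    fallback = None
    for entry in doc["manifests"]:
        plat = entry["platform"]
        if plat.get("os") != os_name or plat.get("architecture") != architecture:
            continue
        if variant is None:
            if "variant" not in plat:
                return entry
            fallback = fallback or entry
        elif plat.get("variant") == variant:
            return entry
    if fallback is not None:
        return fallback
    available = ["%s/%s" % (m["platform"]["os"], m["platform"]["architecture"])
                 for m in doc["manifests"]]
    raise LookupError("no matching manifest for %s/%s in %s"
                      % (os_name, architecture, available))


def digest_of(content):
    """Registry-style digest string (sha256:<hex>) of a blob or manifest."""
    return "sha256:" + hashlib.sha256(content).hexdigest()


def verify_digest(content, expected_digest):
    """Check fetched child-manifest bytes against the digest the list pointed to.

    The list is content-addressed: the engine only trusts the child manifest if
    its sha256 equals the digest it was referenced by.
    """
    algo, _, hexdigest = expected_digest.partition(":")
    if algo != "sha256":
        raise ValueError("unsupported digest algorithm: " + algo)
    return hashlib.sha256(content).hexdigest() == hexdigest


if __name__ == "__main__":
    for plat in (("linux", "amd64"), ("linux", "s390x"), ("linux", "arm", "v7")):
        chosen = select_manifest(SAMPLE_MANIFEST_LIST, *plat)
        print("/".join(plat), "->", chosen["digest"][:19] + "...")
```

Pulling by the manifest-list tag gives each engine the right architecture automatically, but the value worth pinning in a production deployment is the child digest, not the tag: a reference of the form image@sha256:... for the s390x child cannot be redirected to a different image when the tag is re-pushed, and verify_digest is the check that makes that pin meaningful.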
Containers are great but … can lead to lack of control & chaos
Regain control with containers and Kubernetes
• Organize and govern the container chaos
Kubernetes (Κυβερνήτης, Greek for helmsman or pilot)
What does Kubernetes really offer?
Intelligent Scheduling: automatically places containers based on their resource requirements and other constraints, while not sacrificing availability. Mix critical and best-effort workloads in order to drive up utilization and save even more resources.
Self Healing: restarts containers that fail, replaces and reschedules containers when nodes die, kills containers that don't respond to your user-defined health check, and doesn't advertise them to clients until they are ready to serve.
Horizontal Scaling: scale your application up and down with a simple command, with a UI, or automatically based on CPU usage.
Service Discovery and Load Balancing: no need to modify your application to use an unfamiliar service discovery mechanism. Kubernetes gives containers their own IP addresses and a single DNS name for a set of containers, and can load-balance across them.
Automated Rollout and Rollback: Kubernetes progressively rolls out changes to your application, while monitoring application health to ensure it doesn't kill all your instances at the same time. If something goes wrong, Kubernetes will roll back the change for you. Take advantage of a growing ecosystem of deployment solutions.
Secret and Configuration Management: deploy and update secrets and application configuration without rebuilding your image and without exposing secrets in your stack configuration.
IBM Cloud Private – Basic Architecture

IBM Cloud Private – Catalog
Helm chart – the package format of Helm, the package manager for k8s; a chart bundles the Kubernetes resource templates and default values of an application so it can be deployed and lifecycle-managed with a few commands: helm install, helm upgrade, helm rollback, helm delete

IBM Cloud Private – Detailed Architecture

IBM Cloud Private – Cloud Automation Manager
IBM Software and Open Source Ecosystem for ICP on Linux on IBM Z / LinuxONE
Application category: software supported
• Data Services: IBM Db2 Direct Advanced Edition 11.1 with Data Server Manager; IBM Db2 Advanced Enterprise Server Edition 11.1 with Data Server Manager; IBM Db2 Warehouse Enterprise 2.0; MongoDB (open source); PostgreSQL (open source); MariaDB (open source)
• Data Science and Business Analytics: IBM Data Science Experience Local 1.1
• Toolchains & Runtimes: IBM UrbanCode Deploy; Microclimate 18.03 (free tooling; no committed date); Jenkins (open source); IBM WebSphere Liberty 17.0.0.4, 18.0.0.x; [IBM SDK for] Node.js V6, V8; Open Liberty (open source); Swift runtime (open source)
• Modernization Tools: IBM Transformation Advisor 1.5.1 (free tooling)
• Messaging: IBM MQ Advanced 9.0 & v.next; RabbitMQ (open source)
• Digital Business Automation: IBM Operational Decision Manager 8.9.2
Roadmap includes commercial editions available for purchase unless otherwise noted (i.e. open source). Catalog content is not distributed with IBM Cloud Private; content is distributed separately, licensed under separate terms and conditions.
ICP workloads planned to be supported on Linux on IBM Z / LinuxONE by end of 2018*
Descriptions of applications supported on IBM Cloud Private v3.1.1
Get IBM software @ Passport Advantage

ICP Cloud Native [ICP 3.1 Managed-to-Z]
• Core services (minimum required for a worker node): Kubernetes, Helm catalog, Node.js, WAS Liberty
• Operating systems supported for ICP worker nodes: RHEL, Ubuntu, SLES (currently the user must obtain the Docker package from SUSE)
• Management nodes on x86
*All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
NOTE: This is a current snapshot of available workloads; the list of supported workloads will continue to grow over time
A heterogeneous environment across Intel, Power, IBM Z and public cloud
• Uses 100% unmodified upstream Kubernetes
• Zero vendor lock-in
• Includes z/OS deployment options
• IBM Cloud Private (ICP) is an untethered Platform as a Service that combines the speed, agility and flexibility of the public cloud with the security and performance guarantees of an on-premises cloud.
• ICP provides a core platform runtime based on Kubernetes and common services like logging, metering, auditing, user access control etc., along with a rich catalog of IBM and open-source products.
(Architecture diagram, labels only: ICP master; ICP Linux nodes on IBM Z / LinuxONE (z/VM, KVM), on Power (PowerVM etc.) and on Intel (VMware etc.); z/OS with Db2, CICS, z/OS Connect and z/OSMF; services in a public cloud.)
Value of ICP and Containers on z
• Unique modernization tooling specialized for z
• Consumable Security with Secure Service Container technology
• Performance at Scale
• Extreme Virtualization and Container Density
The world’s premier Linux system for
highly secured data serving
Engineered for performance and
scale
ICP on z enables a cost effective Cloud Consumption Model for Secure and Scalable Data and Application Serving in your cloud
Throughput at SLA test results
(Source slide: IBM Z Spotlight, 19 July 2018, IBM CPO)
Production SLA calculated to be: 500 virtual users, 30 ms response time
At production-level SLA:
– IBM Z / LinuxONE generated 4.6x more throughput than the x86 servers (16,186 tps vs. 3,488 tps)
– IBM Z / LinuxONE used 6 CPUs compared to 9 on x86, or 33% fewer CPUs
(Bar chart: throughput in transactions per second, x86 3,488 vs. IBM Z / LinuxONE 16,186, 4.6x)
This is an IBM internal study of IBM Cloud Private solution designed to replicate a typical IBM customer workload usage in the marketplace. The results were obtained under laboratory conditions, and not in an actual customer environment. IBM's internal workload studies are not benchmark applications, nor are they based on any benchmark standard. As such, customer
applications, differences in the stack deployed, and other systems variations or testing conditions may produce different results and may vary based on actual configuration, applications, specific queries and other variables in a production environment. Prices, where applicable, are based on published US list prices for both IBM and competitor, and the cost calculation compares
the cost per request for the 3yr life of the machine. 3 year total cost of acquisition comparisons are based on similar expected hardware, software, service & support offerings
Try IBM Cloud Private today!
Guided and proof of technology demos
Free Community Edition!
https://www.ibm.com/cloud/garage/dte/tutorial/ibm-cloud-private-hosted-trial
Secure Service Container Technology Overview
Secure Service Container for IBM Cloud Private
Value Proposition
Enable organizations to manage hybrid cloud IT infrastructure without visibility to end user applications and customer data
❑ Protects data and applications against misuse of privileged HW/OS admin credentials, for internal & external threats
❑ Simplified solution deployment via the Secure Service Container appliance foundation
❑ Supports the IBM Cloud Private / container management tooling used across IBM Systems platforms (IBM Z / LinuxONE, POWER, x86)
Offering Availability and Co-Requisites
❑ Announce: October 2nd, 2018 || GA: mid 4Q2018*
❑ IBM Cloud Private for IBM Z / IBM LinuxONE
❑ HW FC 0104: Competitive Linux OS Entitlement and Support
❑ Application development: Docker / Kubernetes & Helm charts
Securely hosts IBM Cloud Private Docker / Kubernetes (k8s) based solutions on IBM Z or LinuxONE for private and hybrid cloud deployments
*All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
What is the IBM Secure Service Container?
▪ IBM Secure Service Container provides the base infrastructure for integrating operating system, middleware and software components into an appliance, which works autonomously and provides core services and infrastructure focusing on consumability and security.
Value areas: Security, Easy to Deploy, Easy to Manage
IBM Confidential Until Announce / IBM Z & IBM LinuxONE / © 2018 IBM Corporation
Values of Secure Service Container

Values: Easy to deploy
− Deployment of a solution instead of different components
− Deployment without operating system skills needed
− Deployment without solution skills needed
− Only 10 minutes needed to deploy the solution
− Deployment via a web installer
→ enable IBM Z for the cloud

Values: Easy to manage
− Management of the appliance without operating system skills
− Limited variance of settings
− RESTful APIs for automation
− UI for better user experience

Values: Security
− System admins don't need to be trusted: protection from misuse of privileged user credentials
− The solution leverages the security features without code changes
− The Secure Service Container only boots untampered appliances (the appliance image is checked for tampering before it is started)
− Data and code are encrypted in flight and at rest (TLS on the management interfaces, LUKS on the appliance disks)
− The system admin cannot access the memory or processor state of the appliance
− No direct host or OS level interaction (SSH is disabled)
− Only well-defined interfaces into and out of the appliance
− EAL5+ LPAR isolation for near "air gap" separation of appliance environments on a single server footprint
IBM Secure Service Container Appliance Concept
(Layer diagram of an IBM Secure Service Container appliance, bottom to top: Management Backend; Base Operating System; Application Interfaces; Solution / Application. A Management UI / REST API spans the stack and is the administrative entry point.)
IBM Secure Service Container Docker Enablement
(Same layer diagram with a Docker Enablement layer added on top of the Management Backend, Base Operating System and Application Interfaces, again fronted by the Management UI / REST API.)

IBM Secure Service Container: VM Isolation of Containers
Secure Service Container for IBM Cloud Private Solution Components

FULL STACK SOLUTION
A software appliance based on the IBM Secure Service Container framework that can host dockerized workloads with a focus on superior data security in the cloud and on-premises.
Hosts ICP Kubernetes (k8s) worker and proxy node clusters for containerized applications, delivering VM level isolation to the applications.
Deploys the ICP worker and proxy nodes (and later the master node for IBM Z) into the VMs of the Secure Service Container for ICP isolated VM image.

Components (bottom to top):
• IBM Z or LinuxONE server (IaaS)
• IBM Secure Service Container for IBM Cloud Private: hosting appliance (FC 0104 Container Hosting Foundation), isolated VM for ICP, and the CLI tool
• IBM Cloud Private (ICP) (PaaS)
• Middleware / services (SaaS): IBM offered middleware and services, 3rd party ISV applications, customer homegrown applications
Differentiation: Security and Deployment

Software Appliance Form Factor for Simplified Deployment and Management
Avoid management of the low level execution environment
• The appliance encapsulates the operating system, virtualization layer, management UI and REST API interface components
• Agile CI/CD update flow of the Secure Service Container for ICP platform for feature enhancements, security fixes (CVEs), etc.
• Avoid lifecycle management of individual components
Hybrid & private cloud administrators
• Focus on deployment of the k8s cluster to ICP worker / proxy nodes as infrastructure for containerized workloads
Solution developers
• Focus on building containerized applications

Protection from Misuse of Privileged Hardware & Operating System Credentials
(Roles kept outside the appliance: storage admin, operating system admin, system / hardware admin, network admin)
Encrypted diagnostic data (e.g. debug dump logs)
• First Failure Data Capture: the data required to fix a problem
• Dump targets host kernel data (log message buffers, etc.)
• Dump data is encrypted and only accessible by service teams
• An alternative to memory display/alter, with minimal access to customer data
Automatic file system encryption (LUKS), data at rest
• Encryption keys are stored within the appliance and are not accessible
• Key management via appliance life cycle export/import
• Docker container data connected to disk is also encrypted
Automatic network encryption (TLS), data in flight
• Encrypted management REST API interfaces (i.e. storage, network configuration data, dumps, etc.)
No operating system access
• No direct host or OS level interaction; SSH disabled
• Prevents users who traditionally have host OS access from having visibility into application or customer data
Infrastructure management organizations can manage the physical IT infrastructure without having visibility to their end users' applications and customer data
Offerings & SSC (as of 5th of October 2018)
On-premises:
⚫ IBM z/VSE® Network Appliance (VNA)
⚫ The IBM z Advanced Workload Analysis Reporter (IBM zAware)
⚫ IBM Secure Service Container for IBM Cloud Private (software appliance)
On IBM Cloud:
⚫ IBM Blockchain Platform
⚫ IBM Cloud Hyper Protect DBaaS**
⚫ IBM Cloud Hyper Protect Containers***
⚫ IBM Cloud Hyper Protect Crypto Services**
* upcoming solution ** experimental service *** early program
IBM Db2 Analytics Accelerator, listed under "Docker enablement": delivers high-speed processing for complex Db2 queries to support business-critical reporting and analytic workloads. See https://www.idug.org/p/bl/et/blogaid=767
Why run Secure Service Container
Integrated crypto hardware: in-core hardware-accelerated encryption that is 2x – 7x as fast as x86; true random number generator (TRNG); PCIe hardware security module (IBM Crypto Express6S) designed to meet FIPS 140-2 Level 4
Data encryption: broadly protect Linux file systems using policy controlled encryption that is transparent to applications and databases
Network encryption: protect network traffic using standards-based encryption end-to-end; hardware-accelerated network encryption algorithms (e.g. SSL/TLS, VPN/IPSec, etc.)
Key encryption & management: the IBM Enterprise Key Management Foundation (EKMF) provides real-time, centralized secure management of keys and certificates
Time source security: protects against falsifying or altering time information
Workload isolation: tamper-proof firmware also provides the highest level of multitenant workload isolation
z/OS Cloud Broker for ICP
Provisioning
(Flow diagram, labels only: z/OSMF exposes a REST API; z/OS Cloud Broker imports z/OSMF templates (workflows, variables, JCLs, REXX; e.g. the cics54_DEMOPLX template) and provisions z/OS resources such as a Db2 subsystem, a Db2 schema, IMS and CICS through REST calls; IBM Cloud Private Helm charts provision Tomcat, Jenkins, Liberty and others on Linux or Linux on Power, with OpenShift optional; any REST client, cloud portal or DevOps pipeline can drive provisioning.)
z/OS Cloud Connect Planned Subsystem Support
Services and description:
• DB2: services to provision/de-provision DB2 subsystems, schemas, and databases + snapshot / restore (new)
• CICS: services to provision/de-provision CICS regions
• IMS: services to provision/de-provision IMS TM/DB systems and IMS Fast Path databases
• MQ: services to provision/de-provision an MQ queue manager subsystem and load messages
• WAS: WLP server provisioning (with option to connect to a Db2 data source with type 2 or type 4 connectivity)
• z/OS Connect: services to provision/de-provision z/OS Connect (new)
Questions?
References
Docker / Kubernetes (k8s) / Container Technology Guides
• Basic Docker Information: YouTube Video
• How to Build Docker Containers (run on s390x and reference s390x images): Dockerfile and Builder
• Hands-on Kubernetes (k8s) course: Sandbox Environment
Available Docker Images for IBM Z and LinuxONE
• IBM Commercial Offerings available in Docker Images: IBM Z Commercial
• Officially supported Docker images: Docker Store (s390x)
• Community Edition Docker images: Docker Hub (s390x)
IBM Cloud Private, Kubernetes
• IBM Cloud Private v2.1.0* Documentation
• IBM Cloud Private Components
• Managing Helm repositories
• Configuring LDAP connection
• Monitoring the platform
• IBM Cloud Private Channel Technical Enablement Guide
• IBM Cloud Private Foundational Technology Skills
• IBM Cloud Private Featured IBM Applications
• IBM Skills Gateway Kubernetes Skills References
• IBM Cloud Private v2.1.0.3 Community Edition Download
IBM Z and LinuxONE with Docker
• FAQ: Docker and IBM Z
• IBM Knowledge Center (DEV): Running Docker Containers on IBM Z
• A Developer's Blog for Docker on IBM Z: http://containerz.blogspot.com/
• Multi-Architecture Support for Docker Images: Blog, Video
IBM Secure Service Container
• IBM Secure Service Container User's Guide (DEV)
• IBM Systems Magazine: Secure Service Containers are a Virtual Appliance Framework for Sensitive Workloads
Glossary
▪ Appliance – a binary image that combines an operating system, security features, middleware, and management function
▪ CLI Tool – command line interface tool that (1) creates the ICP cluster, including create / delete / restart of cluster VMs, and connects the IBM Cloud Private base framework to the cluster VMs; (2) enables communication between the IBM Cloud Private base framework and Secure Service Container for ICP; (3) provides lifecycle management, i.e. bundles / wraps / integrates the REST API calls made from the IBM Cloud Private base framework to Secure Service Container for ICP; optionally, if the wrapper is automated in the tool, it can give IBM Cloud Private the same feel as on x86; resides in the IBM Cloud Private base framework
▪ Cluster VM – Docker image that hosts ICP worker nodes; instantiated into the Secure Service Container for ICP appliance by REST API calls from the CLI tool
▪ Helm Chart – the package format of Helm, the package manager for k8s; allows for seamless deployment of containers through a set of commands: helm install, helm upgrade, helm rollback, helm delete
▪ Hybrid Cluster – worker nodes exist on x86 (or POWER) and IBM Z / LinuxONE servers; note that the attack surface then includes the ICP master node and every x86 worker node belonging to that cluster, since the master controls all the workers in the cluster
▪ IBM Cloud Private – Kubernetes-based, Docker-container, open platform with PaaS and developer services (aka ICP)
▪ ICP Cluster – an instance of managed ICP worker, proxy, and master nodes; can also be referred to as a k8s cluster
▪ ICP Installer – brings up the ICP worker and ICP proxy on the Secure Service Container for ICP appliance
▪ ICP Master Node – management node for IBM Cloud Private, 1 to 1 with an ICP cluster. In the current state, one ICP cluster has one master running on x86 or POWER, while worker node(s) can run on Z / LinuxONE and belong to the same (k8s) cluster; in stage 1 the master runs on x86 or POWER and controls, deploys, manages, detects issues and provides automatic correction on worker nodes running across all these different platforms and systems
▪ ICP Worker Node – hosts the k8s managed Docker containers of an application
▪ User with Privileged Credentials – has elevated or privileged credentials that would traditionally give them access to data and code running in a partition, even if not required by their job function. Secure Service Container protects against erroneous or malicious use of those privileged credentials
▪ SSH Key – utilized by the cloud admin as part of the issued REST API calls to enable the ICP master (on x86/POWER) to start ICP worker nodes (on IBM Z / LinuxONE)
▪ Tenant – an instance of a workload
▪ Team – group of people with access to a running workload, tenant, or organization
▪ User with NON-Privileged Credentials – has visibility to the data and application running inside Secure Service Container per job function (need to know); the trust placed in them is that they will not use their visibility to maliciously or erroneously access the contents of the Secure Service Container
NOTE: support for an x86 hosted ICP master node is planned for GA; a POWER hosted ICP master node is TBD and under investigation
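The scheduling behaviour described under "Intelligent Scheduling" above, applied to the hybrid-cluster caveat in this glossary, as an added example that is not code from this deck or from Kubernetes. It reimplements the nodeSelector and required nodeAffinity filtering the kube-scheduler applies, on a constructed node inventory, so the placement of a sensitive workload can be checked before it is deployed. Assumptions: kubernetes.io/arch is the architecture label (older clusters carry beta.kubernetes.io/arch), ssc.example.com/hosted is a hypothetical label the cluster admin puts on the SSC-hosted workers, and the node list and pod specs are constructed:

```python
"""Where may a pod be scheduled in a hybrid ICP cluster?

Added example, not code from the deck or from Kubernetes. It reimplements the
nodeSelector and required nodeAffinity filtering the kube-scheduler applies,
on a constructed node inventory, so a sensitive workload's placement can be
checked before deployment: does it stay on the Secure Service Container hosted
s390x workers, or could it land on an x86 worker?

Assumptions (not from the deck): kubernetes.io/arch is the architecture label
(older clusters use beta.kubernetes.io/arch); ssc.example.com/hosted is a
hypothetical label the cluster admin puts on SSC-hosted workers; the node list
and pod specs are constructed, not taken from a real cluster.
"""

ARCH_LABEL = "kubernetes.io/arch"
SSC_LABEL = "ssc.example.com/hosted"  # hypothetical admin-applied label

# Constructed node inventory: an x86 master, two x86 workers, one SSC-hosted
# s390x worker and one plain s390x worker outside the appliance.
NODES = [
    {"name": "icp-master-1", "schedulable": False,
     "labels": {ARCH_LABEL: "amd64", "node-role.kubernetes.io/master": ""}},
    {"name": "x86-worker-1", "schedulable": True, "labels": {ARCH_LABEL: "amd64"}},
    {"name": "x86-worker-2", "schedulable": True, "labels": {ARCH_LABEL: "amd64"}},
    {"name": "ssc-worker-1", "schedulable": True,
     "labels": {ARCH_LABEL: "s390x", SSC_LABEL: "true"}},
    {"name": "z-worker-plain", "schedulable": True, "labels": {ARCH_LABEL: "s390x"}},
]


def match_expression(labels, expr):
    """Evaluate one nodeSelectorRequirement (In / NotIn / Exists / DoesNotExist)."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError("unsupported operator: " + op)


def node_fits(node, pod_spec):
    """Apply the scheduler's node selection predicates to one node."""
    if not node["schedulable"]:
        return False
    labels = node["labels"]
    # nodeSelector: every key/value pair must be present on the node.
    for key, value in pod_spec.get("nodeSelector", {}).items():
        if labels.get(key) != value:
            return False
    # Required node affinity: terms are ORed, expressions inside a term ANDed.
    terms = (pod_spec.get("affinity", {})
             .get("nodeAffinity", {})
             .get("requiredDuringSchedulingIgnoredDuringExecution", {})
             .get("nodeSelectorTerms", []))
    if not terms:
        return True
    return any(all(match_expression(labels, e) for e in term.get("matchExpressions", []))
               for term in terms)


def eligible_nodes(pod_spec, nodes=NODES):
    """Names of the nodes the scheduler could choose for this pod."""
    return [n["name"] for n in nodes if node_fits(n, pod_spec)]


def outside_ssc(pod_spec, nodes=NODES):
    """Eligible nodes that are not SSC-hosted: where the pod's data could end up."""
    return [n["name"] for n in nodes
            if node_fits(n, pod_spec) and n["labels"].get(SSC_LABEL) != "true"]


# Constructed pod specs. UNPINNED has no placement constraints; ARCH_ONLY pins the
# architecture (enough to get an s390x image, not enough to stay inside the
# appliance); PINNED additionally requires the SSC label.
UNPINNED_POD = {"containers": [{"name": "app", "image": "example/app:1.0"}]}
ARCH_ONLY_POD = dict(UNPINNED_POD, nodeSelector={ARCH_LABEL: "s390x"})
PINNED_POD = dict(ARCH_ONLY_POD, affinity={"nodeAffinity": {
    "requiredDuringSchedulingIgnoredDuringExecution": {"nodeSelectorTerms": [
        {"matchExpressions": [{"key": SSC_LABEL, "operator": "In", "values": ["true"]}]}]}}})


if __name__ == "__main__":
    for name, spec in (("unpinned", UNPINNED_POD), ("arch only", ARCH_ONLY_POD),
                       ("pinned", PINNED_POD)):
        print("%-9s eligible=%s outside SSC=%s"
              % (name, eligible_nodes(spec), outside_ssc(spec)))
```

This is a scheduling-time control only: pinning keeps the pod off x86 workers and off any s390x worker that is not inside the appliance, but in a hybrid cluster the master on x86 still controls every worker, so the master remains inside the trust boundary exactly as the Hybrid Cluster entry says. The check confirms that the workload itself cannot be placed outside the appliance, nothing more.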