Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Aptible Update Webinar - July 2017

Aptible Update Webinar - July 2017

The Aptible Update Webinar Series is a quarterly presentation that covers recent features and changes to the Enclave container orchestration platform and Gridiron security management tool.

We hosted our Q3 Update Webinar on July 25, 2017. In it, we covered:

- Enclave. New options for app deployment, Container Recovery, database self-service management, and upgrades to our CLI.
- Gridiron. A walkthrough of creating compliance documentation including policies and procedures using Gridiron. 

Recap: https://www.aptible.com/blog/recap-aptible-july-2017-quarterly-product-update-webinar/

Recording & Transcript: https://www.aptible.com/resources/july-2017-updates-webinar/



July 25, 2017


  1. Ap#ble Update Webinar July 2017

  2. Agenda • Enclave features and updates • Enclave Q&A •

    Gridiron demo • Gridiron Q&A
  3. Logis&cs • Use Zoom Q&A for ques0ons • Recording will

    be posted at www.ap0ble.com/blog
  4. What's new on Enclave? July 25, 2017

  5. Overview We want Enclave to be the best place to

    deploy regulated and sensi7ve projects. This quarter, we focused on DevOps capabili9es and overall feature-completeness of the pla<orm. We'll go over these in this webinar.
  6. But first: Supercronic

  7. Supercronic Supercronic is a new Ap/ble open-source project. Designed to

    solve the pain points of running tradi2onal cron in containerized environments like Enclave.
  8. Why replace tradi.onal cron? Tradi&onal cron is hard to use

    in containers: • It purges the environment... but that's where all your config is. • It redirects output... but you need it sent to stdout / stderr. • It doesn't log anything when jobs fail... but you need to know.
  9. Supercronic Supercronic is a drop-in replacement for tradi3onal cron. You

    can use it today, and it does the right thing out of the box: • Supercronic leaves your environment variables alone • Supercronic passes job output to your container's stderr • Supercronic logs job failures and 9meouts
  10. Supercronic - Tes.monials We recommended Supercronic to a few customers

    when Cron was giving them a hard 7me. Here's what they had to say: • it works, thanks ! • The Supercronic config you sent worked [...]. Thank you so much! Bo#om line: it just works!
  11. Supercronic $ cat ./my-crontab */5 * * * * *

    * echo "hello from Supercronic" $ ./supercronic ./my-crontab INFO[2017-07-10T19:40:44+02:00] read crontab: ./my-crontab INFO[2017-07-10T19:40:50+02:00] starting iteration=0 job.command="echo "hello from Supercronic"" [...] INFO[2017-07-10T19:40:50+02:00] hello from Supercronic channel=stdout iteration=0 job.command="echo "hello from Supercronic"" [...] INFO[2017-07-10T19:40:50+02:00] job succeeded iteration=0 job.command="echo "hello from Supercronic"" [...] INFO[2017-07-10T19:40:55+02:00] starting iteration=1 job.command="echo "hello from Supercronic"" [...] INFO[2017-07-10T19:40:55+02:00] hello from Supercronic channel=stdout iteration=1 job.command="echo "hello from Supercronic"" [...] INFO[2017-07-10T19:40:55+02:00] job succeeded iteration=1 job.command="echo "hello from Supercronic"" [...] Get it at github.com/ap1ble/supercronic
  12. Back to Enclave

  13. > Apps < Databases CLI

  14. Apps Agenda: • Availability • Deployment • Endpoints

  15. Apps Availability

  16. Apps > Availability Container Recovery

  17. Container Recovery Container Recovery automa0cally restarts your applica0on and database

    containers when they exit. $ cat Dockerfile # This app will echo then exit after 5 seconds FROM alpine CMD ["sh", "-c", "echo Hello from Enclave! The time is $(date). ; sleep 5"] $ aptible logs --app demo-app 2017-07-18T12:36:36.903Z [demo-app-cmd b195877e6f3b - aptible]: container has started 2017-07-18T12:36:36.956Z [demo-app-cmd b195877e6f3b]: Hello from Enclave! The time is Tue Jul 18 12:36:36 UTC 2017. 2017-07-18T12:36:41.968Z [demo-app-cmd b195877e6f3b - aptible]: container has exited 2017-07-18T12:36:49.751Z [demo-app-cmd b195877e6f3b - aptible]: container has started 2017-07-18T12:36:49.987Z [demo-app-cmd b195877e6f3b]: Hello from Enclave! The time is Tue Jul 18 12:36:49 UTC 2017. 2017-07-18T12:36:54.999Z [demo-app-cmd b195877e6f3b - aptible]: container has exited 2017-07-18T12:37:04.935Z [demo-app-cmd b195877e6f3b - aptible]: container has started 2017-07-18T12:37:05.023Z [demo-app-cmd b195877e6f3b]: Hello from Enclave! The time is Tue Jul 18 12:37:04 UTC 2017. 2017-07-18T12:37:10.036Z [demo-app-cmd b195877e6f3b - aptible]: container has exited
  18. Container Recovery App integra+on Just like Memory Management, Container Recovery

    doesn't require you to do anything to make your app compa<ble: • Container Recovery is automa2cally enabled for all apps. • Containers are automa2cally restarted from a pris2ne state.
  19. Apps Deployment

  20. Deployment 3 new features make it easier to deploy your

    apps on Enclave: • Direct Docker Image Deploy • Procfiles now op7onal • Synchronize deploys and config changes
  21. Apps > Deployment Direct Docker Image Deploy

  22. Direct Docker Image Deploy You can now deploy directly from

    a Docker image on Enclave: no git required! Use cases: • Reuse exis)ng Docker images • Full control over your build process • Reduced lock-in
  23. None
  24. None
  25. None
  26. Direct Docker Image Deploy Under the hood You could already

    deploy from a Docker Image as of a year ago, but you needed to use git to provide a Procfile. Direct Docker Image Deploy uses your image's CMD in order to define an implicit service, so you don't need a Procfile anymore.
  27. Direct Docker Image Deploy Companion Git Repositories However, if you

    need to, you can s1ll use git to provide a Procfile or .aptible.yml. Review the Direct Docker Image Deploy documenta8on for more informa8on.
  28. Apps > Deployment Procfiles are now op.onal

  29. Procfiles are now op.onal Even if you're not using Direct

    Docker Image Deploy, the Procfile is now op;onal. For Dockerfile Deploy builds, the CMD will also be used to define an implicit service when no Procfile is provided.
  30. Procfiles are now op.onal Why? • Reuse third-party Dockerfiles, etc.

    • Reuse the same codebase across Enclave and other container orchestra=on pla>orms (e.g. Kubernetes, Docker Swarm).
  31. Apps > Deployment Synchronize deploys and config changes

  32. Synchronize deploys and config changes The new aptible deploy command

    also lets you synchronize deploys and config changes.
  33. Synchronize deploys and config changes This makes rolling out such

    changes faster and easier: • No intermediary state where you're running the old code with the new config or vice versa • Only one deploy opera:on, rather than 2 or 3
  34. Synchronize deploys and config changes The old way $ aptible

    config:set MY_NEW_VAR="some value" # adds a new variable, still using the old code $ git push aptible master # deploys the new code, using the new variable $ aptible config:set MY_OLD_VAR= # removes an old variable
  35. Synchronize deploys and config changes The new way, 3 +mes

    as fast $ BRANCH="deploy-$(date "+%s")" $ git push aptible "master:$BRANCH" # does not trigger a deploy, # but the new code is available to deploy from $BRANCH $ aptible deploy \ --app "$APP_HANDLE" \ --git-commitish "$BRANCH" \ MY_NEW_VAR="some value" MY_OLD_VAR= # deploys the new code from $BRANCH, # along with the updated variables
  36. Apps Endpoints

  37. Endpoints Endpoints support more use cases than ever: • TCP

    and TLS Endpoints private beta • HTTPS Endpoints: Configurable container port • Configurable idle <meout
  38. Apps > Endpoints TCP and TLS Endpoints private beta

  39. TCP and TLS Endpoints private beta Enclave now supports non-HTTP

    apps through TCP and TLS Endpoints. Use cases: • Mirth Connect listeners for HL7 data • IOT apps
  40. TCP and TLS Endpoints private beta Endpoint type review

  41. None
  42. None
  43. None
  44. TCP and TLS Endpoints private beta Ge#ng access Currently in

    private beta: if you'd like to add a TCP or TLS Endpoint to an exis<ng app, contact Ap<ble Support.
  45. Apps > Endpoints HTTPS Endpoints: Configurable container port

  46. HTTPS Endpoints: Configurable container port Historically, HTTPS Endpoints have exposed

    a default port when you add an Endpoint: the lexicographically lowest port exposed by your container. You can now choose arbitrary ports to expose on a per-Endpoint basis.
  47. None
  48. None
  49. HTTPS Endpoints: Configurable container port Use cases: • Expose non-default

    ports. • Expose mul4ple ports for a single container (e.g. a web port and a websockets port). • Expose a management API on a different port.
  50. Apps > Endpoints Configurable idle /meout

  51. Configurable idle /meout Enclave Endpoints enforce an idle 1meout. If

    a connec)on goes quiet, it'll eventually be closed. Historically, this happened a2er 60 seconds of inac-vity.
  52. Configurable idle /meout You can now configure the idle 2meout

    for an app's Endpoints through the IDLE_TIMEOUT configura2on variable. $ aptible config:set --app "$APP_HANDLE" IDLE_TIMEOUT=1200 This is useful for apps that need to serve long-running requests that would otherwise 6meout.
  53. Enclave > Apps Q&A

  54. Apps > Databases < CLI

  55. Databases • Container Recovery also works for databases • Self-service

    scaling • Database Endpoints
  56. Databases Container Recovery

  57. Container Recovery As noted earlier, Container Recovery also applies to

    databases. Databases are monitored by the Enclave SRE team, and generally tend to crash a lot less o8en than apps. But, with Container Recovery, average 4me to recovery a6er a database crash is down to seconds.
  58. Databases Self-service scaling

  59. Self-service scaling You can now resize your databases at any

    2me, and with minimal down2me (1 to 2 minutes). Resizing lets you update the RAM and disk footprint for your database as your workload evolves.
  60. RAM Upgrades • RAM can be increased or decreased, as

    o1en as you'd like • Large RAM updates may take up to an hour to complete • Regardless, but down=me will remain < 2 minutes.
  61. Disk Upgrades • Disk can only be increased (i.e. you

    cannot shrink) • Disk resizes can happen at most once a day • You can resize RAM and Disk at the same >me
  62. None
  63. Self-service scaling CLI $ aptible db:restart demo-database --container-size 1024 --disk-size

    20 INFO -- : STARTING: Lock or provision capacity INFO -- : COMPLETED (after 0.07s): Lock or provision capacity INFO -- : STARTING: Stop database container INFO -- : COMPLETED (after 2.26s): Stop database container INFO -- : STARTING: Unmount volume INFO -- : COMPLETED (after 2.01s): Unmount volume INFO -- : STARTING: Detach volume INFO -- : COMPLETED (after 8.68s): Detach volume INFO -- : STARTING: Resize volume if needed INFO -- : COMPLETED (after 0.15s): Resize volume if needed INFO -- : STARTING: Attach volume INFO -- : COMPLETED (after 5.16s): Attach volume INFO -- : STARTING: Mount volume INFO -- : COMPLETED (after 2.01s): Mount volume INFO -- : STARTING: Launch database container INFO -- : COMPLETED (after 6.05s): Launch database container INFO -- : Database restart successful.
  64. Databases Database Endpoints

  65. Database Endpoints You can now expose your databases on the

    public internet through Database Endpoints. This lets you provide integra3on and data partners with access to your database.
  66. None
  67. Database Endpoints IP Filtering Just like App Endpoints, Database Endpoints

    support IP filtering. This lets you restrict who can access the Endpoint. We strongly encourage to it set up when using Database Endpoints.
  68. None
  69. Enclave > Databases Q&A

  70. Apps Databases > CLI <

  71. CLI • aptible ssh scriptability • Windows CLI .exe entrypoint

  72. CLI aptible ssh scriptability

  73. aptible ssh scriptability Two changes that make it easier to

    incorporate aptible ssh commands in scripts: • aptible ssh now routes stdout and stderr from your container session to stdout and stderr locally • aptible ssh is now guaranteed to exit with the same exit code your remote command exited with
  74. CLI Windows CLI .exe entrypoint

  75. Windows CLI .exe entrypoint The CLI on Windows is now

    provided as a .exe binary. It used to be provided as a .bat batch script instead. This ensures the CLI be/er integrates with Windows workflows and scripts.
  76. Enclave Q&A

  77. Security Management System (ISMS) Setup with Gridiron July 25, 2017

  78. Security Management System (ISMS) Setup with Gridiron In 4 steps

    • Ap$ble-guided implementa$on process with hands-on support and training • Determine baseline controls • Generate repor$ng and documenta$on • Con$nuous updates
  79. DEMO

  80. Pricing From $2,499/mo paid annually Contact shah@ap,ble.com for more info.

  81. Gridiron Q&A