London Developer Day 1st November

You can now register your interest in attending the London Developer Day at London South Bank University that I talked about earlier this month. Follow this link to the interest registration page and you will be contacted when the site goes live later this week.

It’s promising already to have some of the leading lights in the Dev Space attending and it will be hugely beneficial to anyone looking into Cloud technologies, including OpenShift, JBoss, Gluster, OpenStack and RHEV / KVM virtualisation arenas.

Watch this space for more information!!

Security 101 for Cloud – building it right

For those of you who’ve known me or my work for the last decade or more, you’ll appreciate that one of my main calls to arms is security, and in particular the enforcement of security technologies at the gateway and application level. My little hobby (developing, publishing and supporting a firewall technology which, with variants based on the code, reached millions of homes, offices and enterprises across the globe) allowed me to make a career out of security.

So security enforcement and responsibility in the Cloud and virtualisation arena is a question I often get asked about at conferences and when speaking about security in Cloud. Fortunately at Red Hat we take security incredibly seriously and have contributed technologies such as SELinux and sVirt into our architectures and supported versions of our releases, as well as employing the mainstays in the SELinux world on our payroll to ensure that we have continuity and those folk are rewarded for their efforts.

However, to put it bluntly, most architects and network guys turn SELinux off when building out platforms and virtualised instances, which is quite short sighted. When I do pose the question why, a lot of the responses come down to configuration issues and past experiences where stuff broke and was hard to diagnose, so it was easier to just turn it off.

Let’s be blunt: it’s there to help you. It’s a free, secure, template based technology, so turning it off if you haven’t got a full toolkit of other security hardening in your build schema or your platform is at best shortsighted. Did I say it was free? In this current credit crunch culture can you justify not looking at using it?

If you’re concerned or you struggle, then enable it in permissive mode in the first instance, making sure you make the relevant change in /etc/sysconfig/selinux so that it persists across reboots. Simple SELinux booleans are the best (and easiest) way to start experimenting with the functionality you want to add. If you then want to know more, search for the audit2allow tool, and remember that if you’re concerned about restrictive AVC denials breaking stuff, a quick search through the auditd log in /var/log/audit/audit.log, followed by aureport, is your friend. There are loads of howtos available, or if you’re thinking about large scale SELinux use in anger, Red Hat even has a course to upgrade your RHCE to give you a complete comfort blanket in your own capabilities. It’s part of the assurance and certification mode we bring to the whole Linux piece. Belt and braces if you will.
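The permissive-mode workflow above, as an added example that is not part of the original post: one function reads the persistent mode from the config file, another groups AVC denials from an audit log so you can see what would break under enforcing. The function names, the sample config and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage SELinux denials while a host runs in permissive mode.
# Function names and all sample data are constructed for illustration.
# On a live host the inputs are /etc/sysconfig/selinux and
# /var/log/audit/audit.log; `aureport --avc` gives the stock summary.

# Print the mode that applies after reboot: enforcing, permissive or disabled.
selinux_config_mode() {
    awk -F= '/^[ \t]*SELINUX=/ { gsub(/[ \t\r]/, "", $2); mode = $2 }
             END { if (mode == "") exit 1; print mode }' \
        "${1:-/etc/sysconfig/selinux}"
}

# Group AVC denials by source type, target type, class, permission, command.
# Output: "<count> <source_t> <target_t> <class> <perms> <comm>", busiest first.
# Assumes comm values contain no spaces.
avc_summary() {
    awk '
    $1 == "type=AVC" && /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; comm = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = (perms == "" ? $i : perms "," $i); continue }
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        count[src " " tgt " " cls " " perms " " comm]++
    }
    END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Constructed sample in the layout of /etc/sysconfig/selinux.
write_sample_config() {
    cat > "$1" <<'EOF'
# SELINUX= can take one of: enforcing, permissive, disabled
SELINUX=permissive
SELINUXTYPE=targeted
EOF
}

# Constructed audit.log excerpt: two repeated file denials, one port denial,
# and one non-AVC record that the summary must ignore.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1350000001.101:510): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1350000001.101:510): arch=c000003e syscall=2 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1350000002.202:511): avc:  denied  { read } for  pid=2102 comm="httpd" name="about.html" dev=dm-0 ino=132 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1350000003.303:512): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample_config "$dir/selinux"
    write_sample_log "$dir/audit.log"
    echo "persistent mode: $(selinux_config_mode "$dir/selinux")"
    avc_summary "$dir/audit.log"
    rm -rf "$dir"
}
demo
```

Review each group before switching to enforcing: some are resolved by a boolean (`getsebool -a` lists them), some by relabelling files, and audit2allow can draft policy for whatever remains.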

Now this article really isn’t a security masterclass or SELinux howto, I’m actually more interested in getting to grips with culture change and trying to pass on my thoughts of how we need to get traction in influencing how protecting your assets, your data and your reputation in Cloud can take shape.

Over the last three years I’ve been using what I would describe as an almost military approach to building out legacy platforms, be they physical or virtual. In days of old people might remember Jay Beale and his Bastille Linux hardening script, which was a great starting point when building simple Linux stacks. I remember vividly when he posted it to newsgroups and Slashdot picked up on it. It represented, for the first time really in the Linux Open Source community, someone who took a simple exercise but made it mainstream towards security as a standard rather than a retrofit. It enabled many of us to not only run it but get under the hood to find out “how” it worked. What is it they say? “A little bit of knowledge is a dangerous thing.”

So as we move into provisioning our Cloud environments across one or multiple hypervisor types, or moving applications into hybrid or public Cloud, having that “accreditation” process or controls breakdown is invaluable. Mine runs over about 5 tabs of a spreadsheet and would make most auditors feel out of a job. However, my way of having a moving spreadsheet of controls that I’ve built up over time for all the certifications / governances that I’ve had to deploy to (including in NATO battlefield accredited above classified environments) is probably going a bit far for standard run of the mill server environments.

So it’s fortunate that my friends and fellow members of the Cloud Security Alliance started many moons ago to put together an authoritative set of controls to allow you to get to work now building out your platforms or engaging with a Cloud provider, regardless of the tenacity or the aggressive nature of your certification or audit model. The controls are designed to get you out of the blocks building Cloud platforms that need to meet the regulations around ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP. Let’s not mention SAS 70. I still do not, and believe me I’ve tried, understand why an accounting standard has ANY place in Cloud service provision. CCM will help you there and you can also take a look at the CSA STAR programme while you’re there.

I’ve mentioned the Cloud Security Alliance before here numerous times (let’s call them the CSA from now on). The CSA are one of the most critical building blocks of the Cloud community, and Jim Reavis and the steering members of the CSA have made the education and communication of security best practices to the community their ethos and commitment since they were founded. Red Hat support the CSA and if you’ve heard me talk you’ll hear me mention them proudly on a regular basis. I am continually mentioning them.

Shortly I am recording an often re-arranged podcast with Jim Reavis of the CSA and we’ll get that out to you as fast as I can mix it in the coming days and weeks.

Whether you’re playing with Cloud in your dev/test sandpit or migrating to a hybrid cloud, understanding what part reputation protection plays in your app dev environment and your underlying transportation of data is critical. Reputations are lost in minutes, as are share prices, when a company is seen as damaged by data loss. Simple breaches of major household name organisations are often met with lax fines and investigation by sovereign territory governments and information commissioners, however the risk factors involved are enormous. At the back end of the application architecture – in the trenches – are the technical guys who have to turn the dreams and aspirations of sales people and marketing types into the portals and customer facing Cloud hosted environments that will generate the revenue. If we arm you to do your job better and to do it in a way that allows generic controlled growth of your platforms and your Cloud aspirations then that’s a good thing, right?

Do visit the CCM matrixes today and learn how they help you go to work in ways that will make your auditor despair. It’s kinda cool actually, because auditing Cloud, and typically follow the sun type datacentre clouds, has always been a dark art. By following this article and my advice you can actually have a retort to this argument. Cut a huge percentage out of your auditor’s workload (and their resulting invoice) by owning the moral upper ground and in the process maybe think about turning SELinux back on. Blended use of SELinux, sVirt, supported certified Red Hat subscriptions and technology such as CloudForms gives you everything you need from an IaaS perspective today to go to work. If PaaS security is your thing then listen out soon to another podcast I’m going to record with Tim Kramer of the OpenShift team (in fact if you haven’t already read it go visit Tim’s great security post here).

Also I’m promised a security podcast with Mark Cox at some point in the coming month so if security is your thing you’re going to be kept busy listening to me warble down your earbuds about everything related to CloudSec. If you think that more people could benefit from a primer in Cloud security deployment and the need to think out the box then share this article – I appreciate every Twitter mention I get if it helps educate another Linux user as to how to do things better.

Then get to the CSA website and join. It costs nothing and you’ll learn a lot if you are an active participant. Tell them I sent you.

Podcast: Rhys talks Cloud

Today I am releasing part two of a podcast I recorded with Rhys Oxenham last week. In this second installment of a podcast that’s proved very popular, Rhys will be talking about CloudForms and some of the real-world engineering stuff we’ve been working on with partners etc.

Rhys talks about how CloudForms solves some of the end to end problems of Cloud provisioning and platform management. For you guys looking at the newly released Red Hat OpenStack Preview this could be really important for you to listen to.

I am recording two new podcasts today with Jon Masters and Duncan Doyle. Jon I’ve known for nearly twelve years; he is a leading light in the ARM porting world and a longtime Red Hat stalwart. He recently gave one of the best attended and best appreciated Summit talks in Boston. Duncan and I share a common love of everything JBoss, so both should be a lot of fun and I’ll bring them to you asap.

  Download part two here in MP3 format or OGG format

Gordon sets the Cloud stall out

I was about to write an article after an afternoon of hellish travel stuck on stationary trains in the back end of beyond. However, Gordon Haff, my opposite number in North America, just wrote the article I was about to start writing, and it’s a doozie. I feel somewhat in his shadow today. I re-posted the wording he released for the OpenStack Preview launch as it did the job perfectly, so this is twice in one day I’m pasting his web goodness. Mr Haff, I apologise, but given you are the master and I am the apprentice I think you can cut me some slack today.

Here’s an excerpt from the article, click the link below to go to the full article on his blog (which you should also bookmark or follow the link in my links section).

“As part of Red Hat’s announcement of an OpenStack technology preview today, I wrote a blog that provides some additional background. Here, I’m going to delve a bit more deeply into one of the topics that I cover in that blog–namely, how do the different pieces of Red Hat’s open hybrid cloud portfolio fit together? I’ll be referring to the below diagram throughout this discussion.”

Follow the link to his article here

Red Hat release OpenStack Preview

OpenStack Technology Preview Available from Red Hat
by: Cloud Computing Team – Written by Gordon Haff (reproduced here verbatim)

The OpenStack Infrastructure-as-a-Service (IaaS) cloud computing project, has been much in the news. April’s formation of the forthcoming OpenStack Foundation put in place a governance structure to help encourage open development and community building. Red Hat, along with AT&T, Canonical, HP, IBM, Nebula, Rackspace, and SUSE, are Platinum members of that foundation. The foundation announcement was quickly followed by a well-attended OpenStack Conference that clearly demonstrated the size and enthusiasm of the OpenStack developer community.

That’s not to say that OpenStack’s work is done. Anything but! The structure and community is now largely in place to form the foundation for development of robust OpenStack products that meet the requirements of a wide range of businesses. However, that development and work doesn’t just happen by itself.

Red Hat was actively involved in the project even before the foundation announcement; we are the #3 contributor to the current “Essex” release. This surprised some commentators given that it exceeded the contributions of vendors who had been louder about their alignment with the project. However, Red Hat’s relatively quiet involvement was fully in keeping with our focus on actual code contributions through upstream communities. With the formation of the OpenStack Foundation and its open governance policies, these contributions have only accelerated.

In parallel, we’ve also begun the task of making OpenStack suitable for enterprise deployments. This means bringing the same systematic engineering and release processes to OpenStack that Red Hat has for products such as Red Hat Enterprise Linux, Red Hat Enterprise Virtualization, Red Hat CloudForms, and JBoss Enterprise Middleware.

For example, these enterprise products have well defined lifecycles over which subscriptions can deliver specific types and levels of support. Upgrade paths between product versions are established and tested. Products have hardware certifications for leading server and storage vendors, certification and support of multiple operating systems including Windows and the experience and personnel to provide round the clock SLAs.

In short, stability, robustness, and certifications are key components of enterprise releases. The challenge—one that Red Hat has years of experience meeting—is to achieve the stability and robustness that enterprises need without sacrificing the speed of upstream innovation.

We’re now taking an important step in the development of an enterprise-ready version of OpenStack with the release of a Technology Preview. Red Hat frequently uses Technology Previews to introduce customers to new technologies that it intends to introduce as enterprise subscription products in the future.

Technology Preview features provide early access to upcoming product innovations, enabling customers to test functionality, and provide feedback during the development process. We’re doing all this because OpenStack will be an important component of Red Hat’s open, hybrid cloud architecture.

Here’s where it fits:

OpenStack is an IaaS solution that manages a hypervisor and provides cloud services to users through self-service. Perhaps the easier way to think of OpenStack, however, is that it lets an IT organization stand up a cloud that looks and acts like a cloud at a service provider. That OpenStack is focused on this public cloud-like use case shouldn’t be surprising; service provider Rackspace has been an important member of OpenStack and uses code from the project for its own public cloud offering.

This IaaS approach differs from the virtualization management offered by Red Hat Enterprise Virtualization, which is more focused on what you can think of as an enterprise use case. In other words, Red Hat Enterprise Virtualization supports typical enterprise hardware such as storage area networks and handles common enterprise virtualization feature requirements such as live migration.

Both OpenStack and Red Hat Enterprise Virtualization may manage hypervisors and offer self-service – among other features – but they’re doing so in service of different models of IT architecture and service provisioning.

Red Hat CloudForms provides open, hybrid cloud management on top of infrastructure providers.

These “cloud providers” may be an on-premise IaaS like OpenStack or a public IaaS cloud like Amazon Web Services or Rackspace. They may be a virtualization platform (not just a hypervisor) like Red Hat Enterprise Virtualization or VMware vSphere. CloudForms even plans to support physical servers as cloud providers in the future.

CloudForms allows you to build a hybrid cloud that spans those disparate resources. Equally important, though, CloudForms provides for the construction and ongoing management of applications across this hybrid infrastructure. It allows IT administrators to create Application Blueprints (for both single- and multi-tier/VM applications) that users can access from a self-service catalog and deploy across that hybrid cloud under policy.

Finally, Platform-as-a-Service (PaaS) capabilities on the infrastructure of your choice are delivered by Red Hat OpenShift PaaS. Unlike a PaaS that is limited to a specific provider, OpenShift PaaS can run on top of any appropriately provisioned infrastructure whether in a hosted or on-premise environment.

This allows organizations to not only choose to develop using the languages and frameworks of their choice but to also select the IT operational model that is most appropriate to their needs. The provisioning and ongoing management of the underlying infrastructure on which OpenShift PaaS runs is where virtualization, IaaS, and cloud management solutions come in.

OpenStack is therefore part of a portfolio of Red Hat cloud offerings which, in concert with Red Hat Enterprise Linux, JBoss Enterprise Middleware, Red Hat Storage, and other offerings, provides broad choice to customers moving to the cloud. Cloud is a major shift in the way that computing is operated and delivered. It’s not a shift that can be implemented with a single point product.

Find out more:

We’ve been working in the OpenStack community for a while now and can see its potential. Our focus has been around making OpenStack a great product for enterprises to use. Just like we did with Linux. In the future, we plan to release a commercial version of OpenStack for enterprise customers. But today, we invite you to download a preview of that product and try it out for free. Follow this link to the download site here, fill out the form (you will need a redhat.com account and if you don’t have one don’t worry we offer the option to create one).

Requirements:

Red Hat OpenStack Preview only works with Red Hat Enterprise Linux 6.3 or higher. You’ll need a Red Hat Enterprise Linux subscription for each server you install with Red Hat OpenStack.

The OpenStack Word Mark and OpenStack Logo are either registered trademarks / service marks or trademarks / service marks of OpenStack, LLC, in the United States and other countries and are used with OpenStack LLC’s permission. CloudForms and OpenShift are trademarks of Red Hat.

CloudForms – Thought Leadership in Cloud

Last week I took part in a Cloud briefing in London that really got me thinking that, amongst the venerable articulate people in the room, very few were concentrating on the actual business of Cloud ownership and adoption.

There is still a fervour, even a mark of honour, at being able to build your own Cloud, be it your private cloud constructed of a blend of your existing architecture and new plateaus of blade servers (I’m claiming that…) and virtualised components. The cold hard realisation is that 2012/13 is about PaaS and starting to manipulate and deliver against deployed architecture, and if you were to do a straw poll in the room I’d put a bet that less than a third had thought about what that PaaS was going to look like. That’s a dangerous game when you’re concentrating solely on IaaS and delivering against a fixed IT budget that has seen little to no growth for the last few years. To be clear, everyone in the room was at a very different stage of Cloud maturity and this is no surprise, we’re in an emerging market. The one thing everyone had in common was a goal to learn more from the experience of others – and how to do it for very little money. IT budgets are scarce and if anyone wants to tell you otherwise then I hope they’re doing it in hushed tones.

The buzz in the room is fervently OpenStack. It’s everywhere and I’m not remotely knocking it. OpenStack since day one has impressed the socks off me, not for the technology or the construct itself but mainly because it’s done one important thing: it’s continued the message of Open Source and community groundswell to Cloud. We’ve been quietly passionate, but backed that up with investment in funds and people, in growth, and in adding depth in capability and code maturity, and in April we announced our continued support and our intents around OpenStack itself. If you talk to Brian Stevens, our CTO, he’ll tell you with passion about his views around OpenStack and the fact that the momentum of Linux in the Cloud and the fact OpenStack is built around Red Hat technologies can’t be ignored.

The analysts are as always playing the angles. GigaOM yesterday had an article out looking at the prospects of OpenStack as it hits two and going some way to painting a picture that it’s all about choice. Yet it was less than two months ago that Larry Dignan of ZDNet was pegging OpenStack’s growth or emergence against the financial performance of Rackspace, which, given the project is not actually aligned to its original founding fathers, was somewhat confusing. Rackspace are a great organisation who, just like Dell or IBM and many organisations outside of IT but with a reliance on open source components and technologies, have given back and made public a release of code that the rest of the world can then contribute to, and benefit from.

So let’s take CloudForms – our latest release from the Cloud Business Unit at Red Hat. CloudForms, as we’ve described before in detail, is a number of specific Open Source projects that are polished and supported by Red Hat and grouped together under an umbrella project – CloudForms. At the very heart of this is Deltacloud, which we released to the Apache Incubator almost three years ago for use globally as an interoperability abstraction layer.

With CloudForms you can then add application control across multiple Cloud infrastructures. Think of this in enterprise terms as being able to have mature application lifecycle across heterogeneous and disparate cloud infrastructures. So if you need to deploy a patch within a change control window to an application as you would locally in a datacentre, but that application also runs remotely in your public or open hybrid Cloud environments, you can treat it exactly the same.

So with OpenStack, CloudForms becomes absolutely mission critical. Imagine you have your list of exposed cloud fabric encompassing your AWS environment, maybe a smattering of VMware instances, and an OpenStack build. Imagine having the ability to just treat OpenStack as another target cloud to be able to manage and deploy against. CloudForms then gives you the concerted ability to stand up and manage OpenStack locally in your datacentre, remotely at a service provider or public datacentre, and to manage it very much as part of your own infrastructure. It lets you demonstrate governance, do this now, and own your lifecycle to Cloud, not just from IaaS but thinking about your cost base and your internal policies and application adolescence.

As I started to explain OpenShift and CloudForms last week, the delegates in the room didn’t need a lot of explaining. That only happens when you have good code married with thought leadership. When people you’ve known five minutes start finishing your sentences and get animated you know you’re onto something special.

You’re going to hear a lot about CloudForms, and you should be aware what it does – and what it potentially means to you, regardless of your cloud architecture.

Now if you’ve got this far I’d like you to take just over five and a half minutes of your day to watch a video we’ve released just before Summit on CloudForms which should if the magic works be embedded at the base of this post (if it doesn’t please visit the link here)

If you can stand up with conviction and talk openly about getting to Cloud, and get past the hype to enable your users, developers and customers to get there safely and in a way that fits their enterprise ambitions, then that’s got to be a good thing. Whilst Cloud allows us to be dynamic and flexible in our use of resources and technologies, it needs a belts and braces approach to management and configuration / change / governance at the earliest opportunity to underwrite ambition. If you’re serious about Cloud and you aren’t already looking at CloudForms then maybe you should be.

I’m attending the first OpenStack meetup in London on 25th July. If you’d like to meet up fill out the form and register, and I’ll see you there.

CloudForms takes to the skies

I’ve talked about it on here for the last few weeks and finally launch time arrives!
CloudForms is now announced as available as part of our Cloud portfolio. I will be talking more about this tomorrow and Friday.

Automation and efficiency for Cloud but for hybrid heterogeneous architectures, solving enterprise complexities – using your choice of virtualisation technologies and providers. It’s what Cloud’s been waiting for.

More information here – and if you register you can watch the webcast from today’s earlier launch, or download the slidedeck from this site. I wholeheartedly recommend you watch the webcast as Bryan talks direct to end users on the power of CloudForms and the benefit to end users and developers who don’t need or want to know about underlying governance but want to go to work more efficiently, provisioning clouds faster and with more ability to harness the best of what you already have.

As I am on leave and not supposed to be working I’m in the meantime going to point you at Gordon Haff’s great article he posted this afternoon which talks even more about why this launch is a line in the sand for Cloud – read more on his blog here and if you look in my links section you’ll see that I link to it and it’s worth bookmarking and following his RSS feeds. He has some cracking articles and has a deep insight into Cloud within Red Hat and North American regions compared to my EMEA approach.