@CRuepprich ruepprich.com
Intro To Oracle Cloud Infrastructure
Christoph Rüpprich
Chart: Cloud Service Revenue Forecast (Billions of US Dollars), 2017 - 2021; highlighted value $278
Source: https://www.gartner.com/en/newsroom/press-releases/2018-09-12-gartner-forecasts-worldwide-public-cloud-revenue-to-grow-17-percent-in-2019
What is The Cloud?
Cloud computing metaphor: the group of networked elements providing services need not be individually addressed or managed by users…
…shared pools of configurable computer system resources and higher-level services that can be rapidly provisioned with minimal management effort…
… relies on sharing of resources to achieve coherence and economies of scale, similar to a public utility.
https://en.wikipedia.org/wiki/Cloud_computing
OCI vs OCI Classic
OCI Classic (formerly OPC):
• Announced in 2014
• VMs Only
• Many Regions
• Many services
OCI:
• Announced in 2017
• VM, Bare Metal, Exadata
• US, Canada & Europe (currently)
• Autoscaling
Cloud Infrastructure - What?
• Highly available hosted environment
• High performance compute capabilities (incl. physical hardware instances)
• Virtual networking
• Exadata / RAC
Cloud Infrastructure - Why?
• Low maintenance
• Quick provisioning, deployment, teardown (esp. with IaC - Infrastructure as Code)
• High performance
• High availability
https://cloud.oracle.com/en_US/cloud-infrastructure
Cloud Terminology
• SaaS - Software as a Service -> think Gmail
• PaaS - Platform as a Service -> think database
• IaaS - Infrastructure as a Service -> think blank server
Source: BMC - http://bit.ly/2JuddwH
Terminology
• Tenancy: Cloud account of your organization
• Region: Geographic location
• Availability Domain: Datacenter within a region. Isolated, fault tolerant, no shared resources (power, cooling, etc.). ADs are connected by low latency, high bandwidth networks
• Compartment: Logical workspace
Region (diagram): Availability Domain 1, Availability Domain 2, Availability Domain 3
• High Availability
• Disaster Recovery
• Fault Tolerant
• Low Latency
• High Bandwidth
Availability Domain (diagram): Availability Domain 1 is a datacenter containing Instances, Networks and Databases
Fault Domains (diagram): Availability Domain 1 (datacenter) is divided into Fault Domain 1, Fault Domain 2 and Fault Domain 3
OCI Services
• Identity Management
• Network
• Load Balancing
• Compute
• Database
• File Storage
• Object Storage
• Container Engine (Kubernetes)
• Developer Tools (CLI, SDKs, APIs)
• …and more…
Users, Groups, Policies
• User: Any individual
• Group: Set of users
• Policy: Actions group members can perform in which compartments.
Defined at Tenancy Level
Policies
Policies consist of one or more policy statements:
Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>
Allow group HelpDesk to manage users in tenancy
Allow group A-Admins to manage all-resources in compartment Project-A
https://blogs.oracle.com/developers/automated-generation-for-oci-iam-policies
Policies
Allow group A-Admins to manage instance-family in compartment Project-A
Allow group A-Admins to manage volume-family in compartment Project-A
Allow group A-Admins to use virtual-network-family in compartment Networks
Manage compute instances and block storage in compartment Project-A, and use the network in compartment Networks.
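To make the statement grammar above concrete, here is an added example (not from the talk or from Oracle's tooling) that parses statements of the form shown on these two slides and flags the grants a reviewer would question, such as manage all-resources at tenancy scope. It assumes only the basic "Allow group ... in compartment/tenancy" form; the small TENANCY_ONLY_RESOURCES list is an assumption covering the slide's examples.

```python
import re

# Grammar of the statement forms shown on the slides (not OCI's full grammar):
#   Allow group <group_name> to <verb> <resource-type> in compartment <compartment_name>
#   Allow group <group_name> to <verb> <resource-type> in tenancy
# An optional trailing "where <condition>" clause is accepted but not evaluated.
STATEMENT_RE = re.compile(
    r"^Allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>\S+)\s+in\s+(?:compartment\s+(?P<compartment>\S+)|(?P<tenancy>tenancy))"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)

# IAM users and groups exist only at tenancy level, so "in tenancy" is expected for them
# (assumption: this short list is enough for the statements on the slides).
TENANCY_ONLY_RESOURCES = {"users", "groups"}


def parse_statement(text):
    """Split one policy statement into its parts; raise ValueError if it does not fit the grammar."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a recognised policy statement: {text!r}")
    return {
        "group": m.group("group"),
        "verb": m.group("verb").lower(),
        "resource": m.group("resource").lower(),
        "scope": "tenancy" if m.group("tenancy") else m.group("compartment"),
        "condition": m.group("condition"),
    }


def lint_statement(stmt):
    """Return least-privilege findings for a parsed statement (empty list = nothing to flag)."""
    findings = []
    tenancy_wide = stmt["scope"] == "tenancy"
    everything = stmt["resource"] == "all-resources"
    if stmt["verb"] == "manage" and everything and tenancy_wide:
        findings.append("manage all-resources in tenancy: equivalent to a full administrator")
    elif stmt["verb"] == "manage" and everything:
        findings.append(f"manage all-resources in {stmt['scope']}: prefer a resource family (e.g. instance-family)")
    if tenancy_wide and stmt["resource"] not in TENANCY_ONLY_RESOURCES and not stmt["condition"]:
        findings.append("tenancy-wide grant without a where condition: scope it to a compartment")
    return findings


def lint_policy(statements):
    """Lint every statement of a policy; returns {statement: [findings]}."""
    return {s: lint_statement(parse_statement(s)) for s in statements}
```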
Networking (diagram)
• VCN: CIDR Block 10.0.0.0/16
• Subnet: CIDR Block 10.0.1.0/24
• Internet Gateway, Route Table
• Security List (Ports)
• Instance
CIDR Blocks - Classless Inter-Domain Routing
192.168.100.0/24: leading bits = 24
Octets: 8 bits each (bit positions 8, 16, 24, 32)
11111111 11111111 11111111 11111111
Last octet 0 - 255 = 256 IP addresses
http://cidr.xyz
CIDR Blocks - Classless Inter-Domain Routing
192.168.100.0/16: leading bits = 16 (bit positions 8, 16, 24, 32)
11111111 11111111 11111111 11111111
Last two octets 0 - 255 each = 65,536 IP addresses
Terminology
• Subnet: Partition of a VCN within a single Availability Domain. Contiguous IP range. No overlaps with other subnets in the same VCN
• Route Table: Routes traffic from a subnet to destinations outside the VCN
• Security List: Virtual firewall controlling ports and protocols
• Internet Gateway: Router connecting the edge of the cloud to the internet
• Local & Remote Peering Gateways: Virtual routers that allow peering VCNs in the same region (local) or in another region (remote)
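The CIDR arithmetic from the two CIDR slides and the subnet rules from the terminology list (inside the VCN, contiguous, no overlaps), as an added example written for this page rather than taken from the talk. It uses only the standard library's ipaddress module and assumes IPv4 blocks written as on the slides (VCN 10.0.0.0/16, subnet 10.0.1.0/24).

```python
import ipaddress


def cidr_summary(cidr):
    """Return (network address, prefix length, host bits, address count) for a CIDR block.

    strict=False lets a block written with host bits set, like the slide's
    192.168.100.0/16, be normalised to its network address (192.168.0.0/16).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    return str(net), net.prefixlen, host_bits, net.num_addresses


def validate_subnets(vcn_cidr, subnet_cidrs):
    """Apply the subnet rules from the Terminology slide to a proposed layout.

    Every subnet must be a contiguous block inside the VCN's CIDR and must not
    overlap any other subnet of the same VCN. Returns a list of error strings,
    empty when the layout is valid.
    """
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)
    accepted = []
    errors = []
    for cidr in subnet_cidrs:
        try:
            # strict=True rejects a subnet written with host bits set (e.g. 10.0.2.5/24)
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors.append(f"{cidr}: invalid CIDR block ({exc})")
            continue
        # version check first: subnet_of() raises TypeError on an IPv4/IPv6 mix
        if net.version != vcn.version or not net.subnet_of(vcn):
            errors.append(f"{cidr}: not inside VCN {vcn}")
        for other in accepted:
            if net.overlaps(other):
                errors.append(f"{cidr}: overlaps subnet {other}")
        accepted.append(net)
    return errors
```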
Security List - Virtual Firewall
Note: Oracle Linux 7 and Windows instances also have firewall rules! On Linux, use firewalld to manage access.
Create Subnet
Note: Instances are connected to Subnets!
Shapes and Images
• Shape: Physical aspects of the VM: number of CPUs, memory, IOPS
• Image: Operating system
Shapes
VM.Standard1.2 => 2 OCPUs, 14GB RAM
VM.Standard1.4 => 4 OCPUs, 28GB RAM
VM.Standard1.8 => 8 OCPUs, 56GB RAM
VM.Standard1.16 => 16 OCPUs, 112GB RAM
VM.DenseIO1.4 => 4 OCPUs, 60GB RAM
VM.DenseIO1.8 => 8 OCPUs, 120GB RAM
VM.DenseIO1.16 => 16 OCPUs, 240GB RAM
Firewall
• Check if ports are open: # iptables-save | grep 443
• Add port: # firewall-cmd --permanent --zone=public --add-service=https
• Reload firewall: # systemctl stop firewalld; systemctl start firewalld
• Check port: # iptables-save | grep 443
  -A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
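The grep on the slide answers "is 443 open?"; a defender usually also wants the opposite question, "what is open that should not be?". This added example (not from the talk) parses iptables-save output in the firewalld format of the slide's -A IN_public_allow line and compares the accepted ports against an expected set. The sample output is constructed, and the expected set (ssh and https only, since Tomcat is reached through Apache's ajp proxy rather than directly) is an assumption for the web server built later in the deck.

```python
import re

# Constructed sample of `iptables-save` output on an Oracle Linux 7 instance running
# firewalld, in the same format as the slide's `-A IN_public_allow ...` line.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:IN_public_allow - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j IN_public
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

# One single-port rule as firewalld writes it; multiport rules (--dports) are not covered.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?-p (?P<proto>\S+) .*?--dport (?P<port>\d+) .*?-j (?P<target>\S+)"
)


def allowed_ports(iptables_save_text, chain="IN_public_allow"):
    """Return the set of (proto, port) pairs ACCEPTed in firewalld's public-zone allow chain."""
    allowed = set()
    for line in iptables_save_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("chain") == chain and m.group("target") == "ACCEPT":
            allowed.add((m.group("proto"), int(m.group("port"))))
    return allowed


def port_allowed(iptables_save_text, port, proto="tcp"):
    """True when port/proto is accepted, i.e. what the slide's `grep 443` is checking for."""
    return (proto, port) in allowed_ports(iptables_save_text)


def unexpected_ports(iptables_save_text, expected):
    """Ports open beyond the expected set, e.g. Tomcat's 8080 exposed directly
    on a host that is supposed to serve only https through Apache."""
    return allowed_ports(iptables_save_text) - set(expected)
```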
OS Users
• Compute instance default user: opc
• Has sudo privileges
Provisioning (diagram): in Availability Domain 1, provision the Network (Sec List, Routes), a Web Server and a Database
Database As A Service (DBaaS)
Provision Database
Terminology
Shape: Resources allocated to a system: CPUs, Memory, Storage
Shapes
https://docs.cloud.oracle.com/iaas/Content/Database/References/launchoptions.htm
OCI - Provision DB
Note: Database versions 11 - 18
Install APEX
• Connect to the DBaaS instance as the opc user
• Download APEX from OTN (bit.ly/cmr-wget)
• Install APEX as per the documentation
• Make note of the DBaaS private IP address for the later ORDS configuration
Security
• iptables already allows 1521
• Make sure the security list allows 1521
Check Service Name
$ lsnrctl services
…
Service "pdb1.jcatpublic.jcatvcn.oraclevcn.com" has 1 instance(s).
  Instance "jcat", status READY, has 2 handler(s) for this service...
    Handler(s):
      "DEDICATED" established:46 refused:0 state:ready
         LOCAL SERVER
      "DEDICATED" established:37 refused:0 state:ready
         LOCAL SERVER
JDBC connection
sqlcl usr/pwd@<public/private ip>:1521/pdb1.jcatpublic.jcatvcn.oraclevcn.com
Database On IaaS
Database on IaaS
• Provision Compute
• Install & Configure Oracle
• Bring Your Own License
• Manage Oracle Yourself
OCI - Compute
Configuration Steps - Web Server
• Provision Resources
• Install ORDS
• Install Tomcat
• Install Apache
• Configure SSL
• Proxy to Tomcat
• Open Firewall Ports
Provision Compute
OS Images
Deployment: The process of installing & configuring software
Apache
Apache
• Install Apache
• Install mod_ssl
• Configure ssl certificates (self signed for demo)
• Configure ssl virtual host for https access
• Configure proxy to Tomcat
• Configure APEX images directory
Apache Overview (diagram): Https -> Apache -> ajp -> Tomcat (ORDS)
Apache
As root:
• # yum update
• # yum install httpd
• # yum install mod_ssl
• # yum install java-1.8.0-openjdk
SSL Certificate (self-signed)
As root:
• Generate key: # openssl genrsa -des3 -out server.key 1024
  (1024-bit RSA keys are considered too weak for anything beyond a demo; use at least 2048 bits.)
• Generate Certificate Signing Request: # openssl req -new -key server.key -out server.csr
• Remove passphrase: # cp server.key server.key.org
  # openssl rsa -in server.key.org -out server.key
• Generate certificate: # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
• Copy certificate and key to the Apache directory: # cp server.crt /etc/httpd/ssl/
  # cp server.key /etc/httpd/ssl/
Apache SSL
• ssl.conf:
  Listen 443
  <VirtualHost _default_:443>
    DocumentRoot /var/www/html
    ServerName cmr-apache
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
      Order deny,allow
      Allow from all
    </Proxy>
    ProxyPass /ords ajp://localhost:8009/ords
    ProxyPassReverse /ords ajp://localhost:8009/ords
    Alias "/i" "/var/www/apex/images"
  </VirtualHost>
Apache SSL
• apex.conf: redirect HTTP (80) traffic to HTTPS (443)
  <VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
  </VirtualHost>
Apache - SSL
• Edit httpd.conf:
  # Load config files in the "/etc/httpd/conf.d"
  IncludeOptional conf.d/*.conf
Apache
• Control Apache: # apachectl stop | start | status | restart
Tomcat
Install Tomcat
• $ wget http://mirror.reverse.net/pub/apache/tomcat/tomcat-8/v8.5.31/bin/apache-tomcat-8.5.31.tar.gz
Add to .bash_profile:
export CATALINA_BASE=$HOME/apache-tomcat-8.5.31
export CATALINA_HOME=$CATALINA_BASE
export WEBAPPS=$CATALINA_HOME/webapps
Manual Installation
Configure Tomcat
• Runs on port 8080 by default
• ajp on port 8009 by default
• Copy apex images to webapps
# cp -R /u01/dl/apex/images /usr/share/tomcat/webapps/i
Control Tomcat
# bash $CATALINA_HOME/bin/catalina.sh start | stop
ORDS
Download ORDS
• http://www.oracle.com/technetwork/developer-tools/rest-data-services/downloads/index.html
• bit.ly/cmr-wget
Configure ORDS
$ cd /u01/ords
$ java -jar ords.war
Follow the command prompts to configure ORDS. For the database IP address refer to the DBaaS instance.
Accessing APEX
https://<compute_public_ip_address>/ords
Summary
• Created DBaaS Oracle Database & Installed APEX
• Created compute instance & installed Apache, Tomcat, ORDS
• Configured Apache with SSL & ajp proxy to Tomcat
• Configured ORDS to access DBaaS database