VMware at IBM Interconnect 2017

IBM’s Interconnect conference is March 19-23 this year. There are quite a few interesting sessions currently lined up related to VMware and IBM Cloud:

I hope to see you at Interconnect 2017!

A new home for the IBM Cloud VMware architecture

IBM Cloud for VMware Solutions is a set of offerings that allow you to rapidly deploy VMware environments into the IBM Cloud. Previously I’ve described how these offerings work to deploy your VMware environment. But the IBM Cloud for VMware Solutions is more than just a framework to deploy and manage a VMware cloud. The VMware Cloud Foundation instances that we deploy are installed and configured according to a standard solution architecture that was jointly developed by IBM and VMware.

The documentation for our VMware architecture has moved to a new home on the IBM Bluemix Garage Method’s Architecture Center. This site hosts a number of architectures, now also including our VMware virtualization architecture. You can see that we have already started to expand the architecture by creating add-on architectures for VMware vRealize and for HyTrust CloudControl, DataControl, and BoundaryControl. These new specifications are the first of many add-on components that will prescribe how to add additional virtualization services to your VMware environments.

Managing SoftLayer VPN subnet access

The IBM SoftLayer VPN only supports connection to 64 of your private subnets. If you have more than 64 private subnets in your SoftLayer account, you need to switch your VPN’s subnet management from Automatic to Manual, and select the specific subnets to which you want to connect.

The process for selecting subnets in the UI is not simple, especially if your account has hundreds of subnets. The subnets are not sorted, the dialog is small, and the pagination is slow.

However, it is possible to manage your VPN subnets programmatically using the SoftLayer API. I have created a Python script that allows you to manage your SoftLayer VPN subnet access. The script requires your SoftLayer username, API key, and a list of private IP addresses to which you want to connect. The script locates the subnets in your account that match your selected IP addresses, and assigns exactly these subnets to your SoftLayer VPN account.

You should wait a few minutes after running the script for it to take effect.

Travis and Pylint

For a while my team has had Travis set up to run Pylint (as well as several other lints) against our code base. However, because we didn’t start this practice from the beginning, the number of warnings was a bit daunting. We told ourselves that we would fix this over time, and set our script to always return 0 so that Travis would be happy.

Then I read “Why Pylint is both useful and unusable, and how you can actually use it.” I was inspired by this to try my hand at reducing Pylint’s scope. However, I took a different approach. Instead of disabling all checks and enabling them incrementally, I adjusted our script to check only for fatal and error findings in Pylint. Pylint encodes in its exit status what levels of messages were issued.

Here is my approach:

# Assumes rc holds Pylint's exit status, e.g. captured with rc=$? right after the pylint command
# Fail Travis build if Pylint returns fatal (1) | error (2)
if [ $(($rc & 3)) -ne 0 ]; then
    echo "Pylint failed"
    exit 1
else
    echo "Pylint passed"
    exit 0
fi

The number of errors found by Pylint was much more manageable than the full set of messages it produced. We were able to correct these problems easily, and move to addressing warnings and other messages incrementally over time.
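The exit-status check above, generalized as an added example (not code from the original post): it decodes every bit Pylint documents, including the usage-error bit (32) that a mask of 3 does not cover. The function names and the default mask of 35 are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the original post): decode Pylint's bit-encoded
# exit status and decide whether a CI build should fail.
# Function names and the default mask are assumptions of this sketch.

# Print the message categories encoded in a Pylint exit status.
pylint_categories() {
    status=$1
    found=
    for pair in 1:fatal 2:error 4:warning 8:refactor 16:convention 32:usage-error; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $((status & bit)) -ne 0 ]; then
            found="$found $name"
        fi
    done
    echo "${found# }"
}

# Return non-zero when any bit selected by MASK is set in STATUS.
# Default mask 35 = fatal (1) + error (2) + usage error (32): a status of 32
# means Pylint did not lint at all, so a mask of 3 alone would let it pass.
pylint_gate() {
    status=$1
    mask=${2:-35}
    [ $((status & mask)) -eq 0 ]
}

# Constructed sample statuses, as if captured with rc=$? after a pylint run.
for rc in 0 20 6 32; do
    if pylint_gate "$rc"; then verdict=pass; else verdict=FAIL; fi
    echo "status=$rc [$(pylint_categories "$rc")] -> $verdict"
done
```

Passing a second argument narrows or widens the gate, so the mask can grow from 35 toward 63 as warnings and other messages are cleaned up.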

Disaster recovery in the cloud

IBM and Zerto recently announced a partnership to bring Zerto Virtual Replication to IBM Cloud for VMware.

Zerto provides enterprise-class replication of virtual machines between a variety of environments. IBM Cloud provides enterprise-class VMware virtualized environments in the public cloud. Together, this partnership will bring a variety of public-cloud and hybrid-cloud disaster recovery topologies to the IBM Cloud for VMware offering.

I’m excited about the possibilities opened up by this partnership!

Cookie size in uWSGI

If you’re working to ensure your web application can tolerate more and bigger cookies (see my earlier post on cookie size in Nginx), you have to do it across your entire stack. I forgot to do this previously for my uWSGI application, and so today experienced a 502 Bad Gateway error because the cookies exceeded the default limit of 4kB.

I updated my uwsgi.ini file to add this statement:

buffer-size = 65536

File encryption with public-key cryptography

Public-key cryptography is not suitable for encrypting large files directly. A naive attempt to encrypt a large file with an RSA key returns an error when the data is larger than the key size allows:

[smoonen@smoonen encryption]$ dd if=/dev/zero bs=1024 count=1024 | openssl pkeyutl -encrypt -pubin -inkey pubkey.pem
Public Key operation error
140544802154400:error:0406D06E:rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size:rsa_pk1.c:151:

If you want to accomplish asymmetric encryption of large files, the general approach is to encrypt the file using symmetric cryptography, and encrypt the symmetric key using public-key cryptography. The OpenSSL smime command uses this approach, but it does not support extremely large files.

To support this case, I’ve written some simple file encryption shell scripts which I’ve posted on GitHub. These scripts are as follows:

  • genkeypair generates a private and public key pair
  • encrfile encrypts one or more files using AES-256 encryption, encrypts the AES-256 keys using public-key encryption, and saves the encrypted key as part of the encrypted file
  • decrfile decrypts a single file previously encrypted by encrfile, by extracting the encrypted AES-256 key, decrypting it using public-key encryption, and then decrypting the file itself. The decrypted data is sent to stdout.
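The symmetric-plus-public-key approach described above, as an added example that is not the author's GitHub scripts: a fresh random secret encrypts the file with AES-256, and only that secret is encrypted with RSA. The function names `encrypt_file` and `decrypt_file` and the output layout (a length line, the wrapped secret, then the ciphertext) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not the author's scripts): hybrid encryption with openssl.
# Output layout is an assumption of this sketch: one text line holding the
# byte length of the RSA-wrapped secret, the wrapped secret, then ciphertext.

encrypt_file() {    # encrypt_file PUBKEY.pem INFILE OUTFILE
    tmp=$(mktemp -d) || return 1        # private directory for the secret
    # Fresh random 256-bit secret per file.
    openssl rand -hex 32 > "$tmp/k" &&
    # Small secret: wrap it with the recipient's public key (RSA-OAEP).
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$tmp/k" -out "$tmp/wk" &&
    {
        wc -c < "$tmp/wk" | tr -d ' '
        cat "$tmp/wk"
        # Large data: streamed through AES-256-CBC, no RSA size limit.
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$tmp/k" -in "$2"
    } > "$3"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

decrypt_file() {    # decrypt_file PRIVKEY.pem INFILE  (plaintext on stdout)
    klen=$(head -n 1 "$2")
    case $klen in
        ''|*[!0-9]*) echo "bad header" >&2; return 1 ;;
    esac
    tmp=$(mktemp -d) || return 1
    hdr=$(( ${#klen} + 1 ))             # header digits plus newline
    tail -c +"$((hdr + 1))" "$2" | head -c "$klen" > "$tmp/wk" &&
    openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$tmp/wk" -out "$tmp/k" &&
    tail -c +"$((hdr + klen + 1))" "$2" |
        openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$tmp/k"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

`openssl enc` provides confidentiality only, since it does not support authenticated modes such as GCM, so sign or MAC the output separately when tampering is a concern.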

IBM APM on PureApplication System

Beginning with PureApplication version 2.2.2.0 released in September 2016, the use of IBM’s Application Performance Management monitoring is entitled for applications deployed on PureApplication System.

However, unlike IBM Tivoli Monitoring (ITM), there is currently no shared service available for automatically deploying APM agents into your PureApplication pattern instances. So you must arrange to install and configure the APM agents yourself.

But now this process is simplified! Several of my PureApplication colleagues have published an article describing how you can use script packages in your pattern to install and configure the APM agents in your pattern instances. You can find their article at IBM developerWorks.