IBM Security Verify

I wanted to tip my hat to the folks at IBM for these lightweight containers.  As we prepare to upgrade to OCP v4, I have been testing the lightweight containers.  The startup times, when adding the startup probes, is very impressive.  So far I have roughly timed them as follows:

• Config container = 62 seconds
• Runtime = 32 seconds
• DSC = 12 seconds
• WRP = 11 seconds

This is incredible considering it can take upwards of 2 minutes to start a WRP using the full verify-access image on some of our environments.  Now, granted, currently on some of those envs, the snapshot is being pulled through the network from another OpenShift cluster and not locally from the cluster the WRP runs in.  I hope to address that once we get to lightweight containers and on OCPv4 by introducing a snapshot manager into each individual cluster, and then pointing the containers in each cluster to the local snapshot manager to keep this traffic inside the OpenShift cluster, which should bring out startup times down to what I am seeing in my lab above.

I'm trying to reduce dependencies as much as possible to improve startup times and improve resiliency of the proxies.  I stopped using the PVCs for the containers other than the config after conversations with Scott on this forum.  Basically trimming down fat so there is less to go wrong.

Many thanks for this flexibility in the lightweight containers and the ability now to push to multiple snapshot managers.

------------------------------
Matt Jenkins
------------------------------

Thanks Matt :)

I'm sure @Scott Exton will be very pleased to read this too.

Jon.​​

------------------------------
Jon Harry
Senior Technical Sales Enablement Specialist
Identity and Access Management
IBM Technology, Worldwide
------------------------------

Original Message:
Sent: Thu May 05, 2022 10:16 AM
From: Matt Jenkins
Subject: ISVA v10.0.3.1 on OpenShift v4 with lightweight containers - my experience so far

I wanted to tip my hat to the folks at IBM for these lightweight containers.  As we prepare to upgrade to OCP v4, I have been testing the lightweight containers.  The startup times, when adding the startup probes, is very impressive.  So far I have roughly timed them as follows:

• Config container = 62 seconds
• Runtime = 32 seconds
• DSC = 12 seconds
• WRP = 11 seconds

This is incredible considering it can take upwards of 2 minutes to start a WRP using the full verify-access image on some of our environments.  Now, granted, currently on some of those envs, the snapshot is being pulled through the network from another OpenShift cluster and not locally from the cluster the WRP runs in.  I hope to address that once we get to lightweight containers and on OCPv4 by introducing a snapshot manager into each individual cluster, and then pointing the containers in each cluster to the local snapshot manager to keep this traffic inside the OpenShift cluster, which should bring out startup times down to what I am seeing in my lab above.

I'm trying to reduce dependencies as much as possible to improve startup times and improve resiliency of the proxies.  I stopped using the PVCs for the containers other than the config after conversations with Scott on this forum.  Basically trimming down fat so there is less to go wrong.

Many thanks for this flexibility in the lightweight containers and the ability now to push to multiple snapshot managers.

------------------------------
Matt Jenkins
------------------------------