WebSphere Application Server & Liberty


Liberty InstantOn in serverless applications on Red Hat OpenShift Container Platform

By Tam Dinh posted Thu September 26, 2024 05:44 PM

  

Serverless is a cloud-native deployment model in which servers are managed based on demand. When running a serverless application, the app pod is automatically scaled up when the app is in use and scaled down to zero (no running server) when the application is idle. The rapid server startup time of Liberty InstantOn is essential for serverless applications when scaling up pods. In my previous blog, I created a Liberty InstantOn application container image using the guide-security-intro sample application; now I will deploy it to Red Hat OpenShift Container Platform (OCP) with OpenShift Serverless.

Prerequisites:

    • An OCP cluster 4.14 or later
    • The sample InstantOn application container image (see my previous blog)
    • oc - OpenShift Command Line Interface (CLI)

Steps

Install Red Hat OpenShift Serverless operator and create Knative Serving instance in OCP

1. Install the Red Hat OpenShift Serverless operator using the OCP console. Navigate to Operators > OperatorHub, search for Red Hat OpenShift Serverless, and install it with the default values. The latest OpenShift Serverless version at the time of writing is 1.33.2.

2. Create a Knative Serving instance to control the behavior of serverless workloads on the OCP cluster. To deploy a Liberty InstantOn application, we need to enable the Kubernetes security context capabilities and Kubernetes security context features in Knative Serving (the kubernetes.containerspec-addcapabilities and kubernetes.podspec-securitycontext settings in the content below) so that Linux capabilities and a security context can be added to the container. In the OCP console, navigate to Operators > Installed Operators > Red Hat OpenShift Serverless operator > Knative Serving tab. Click the Create KnativeServing button and paste in the following content, or save it to a file and run "oc apply -f <the-following-kserving>.yaml".

    kind: KnativeServing
    apiVersion: operator.knative.dev/v1beta1
    metadata:
      name: knative-serving
      namespace: knative-serving
    spec:
      config:
        features:
          kubernetes.containerspec-addcapabilities: enabled
          kubernetes.podspec-securitycontext: enabled
    

3. Verify that the created KnativeServing is ready to serve

    oc get KnativeServing -n knative-serving
    NAME              VERSION   READY   REASON
    knative-serving   1.12      True
    

Deploy the sample InstantOn application container image as a serverless application in OCP with OpenShift serverless

Use the Open Liberty Operator (OLO) to deploy the application container image to OCP with OpenShift Serverless, since it helps manage applications in Kubernetes. If the Open Liberty Operator is not installed on your OCP cluster, you can install it from the OCP console by navigating to Operators > OperatorHub, searching for Open Liberty, and installing OLO with the default values. By default, OLO is installed in all namespaces, but it can also be installed in a specific project in OCP. You also need to create security context constraints (SCCs) and a service account to give pods the additional capabilities and permissions required by the Liberty InstantOn restore process. I will deploy the application to the serverless-sample-security project, so all configuration steps below are run inside this project.

1. Create a new project to deploy serverless application

    oc new-project serverless-sample-security

2. If the InstantOn application container image is in a secured registry, you must create an image pull secret in the same namespace as the application. The command below creates a pull secret when you do not have a Docker credentials file for the secured registry.

    oc -n serverless-sample-security create secret docker-registry my-secret --docker-server="my-registry" --docker-username="my-user" --docker-password="my-password" --docker-email="my-email"

3. Follow steps 4 and 5 in the "Deploy the InstantOn application container image to Red Hat OpenShift Container Platform using Open Liberty Operator" section of my previous blog to create security context constraints (SCCs) and add them to a service account, which gives pods the additional capabilities and permissions required by the Liberty InstantOn restore process.

4. Deploy the serverless application with the Open Liberty operator using the following YAML file by running the command "oc apply -f <the-following-olapp.yaml>". The .spec.createKnativeService: true setting deploys the app as a serverless application, .spec.pullSecret provides the registry credential to pull the app image from a secured registry, and .spec.securityContext grants the container the permissions needed for the InstantOn application restore process.

    kind: OpenLibertyApplication
    apiVersion: apps.openliberty.io/v1
    metadata:
      name: guide-security-kn
      namespace: serverless-sample-security
      labels:
        app: guide-security-kn
    spec:
      applicationImage: 'my-registry/instanton/guide-security-inston'
      expose: true
      replicas: 1
      serviceAccount:
        mountToken: true
      createKnativeService: true
      pullSecret: my-secret
      pullPolicy: Always
      statefulSet: {}
      service:
        type: ClusterIP
        port: 9080
      route:
        termination: passthrough
      env:
        - name: WLP_LOGGING_CONSOLE_FORMAT
          value: simple
      serviceAccountName: liberty-instanton-scc
      securityContext:
        allowPrivilegeEscalation: true
        privileged: false
        runAsNonRoot: true
        capabilities:
          add:
            - CHECKPOINT_RESTORE
            - SETPCAP
          drop:
            - ALL

5. View the Knative service to see its status and application URL

    oc get kservice
    NAME                URL                                                                                    LATESTCREATED             LATESTREADY               READY   REASON
    guide-security-kn   https://guide-security-kn-serverless-sample-security.apps.tam-ocpx86.cp.fyre.ibm.com   guide-security-kn-00001   guide-security-kn-00001   True    
    

6. Once the serverless application is deployed, you can monitor the app pod status and see the app pod scale down when it is not being used. The following output shows the app pod terminating (scaling down) when the application is not used.

    oc get pods -w
    NAME                                                  READY   STATUS              RESTARTS   AGE
    guide-security-kn-00001-deployment-6b4b4fb88d-2hxx7   0/2     ContainerCreating   0          3s
    guide-security-kn-00001-deployment-6b4b4fb88d-2hxx7   1/2     Running             0          7s
    guide-security-kn-00001-deployment-6b4b4fb88d-2hxx7   2/2     Running             0          7s
    guide-security-kn-00001-deployment-6b4b4fb88d-2hxx7   2/2     Terminating         0          67s
    guide-security-kn-00001-deployment-6b4b4fb88d-2hxx7   1/2     Terminating         0          91s
    guide-security-kn-00001-deployment-6b4b4fb88d-2hxx7   0/2     Terminating         0          99s
    guide-security-kn-00001-deployment-6b4b4fb88d-2hxx7   0/2     Terminating         0          99s
    guide-security-kn-00001-deployment-6b4b4fb88d-2hxx7   0/2     Terminating         0          99s
    guide-security-kn-00001-deployment-6b4b4fb88d-2hxx7   0/2     Terminating         0          99s
    

7. Run the application using the Knative service URL and monitor the pod status to see the pod scaling up

    oc get pods -w
    NAME                                                  READY   STATUS    RESTARTS   AGE
    guide-security-kn-00001-deployment-6b4b4fb88d-4tbgl   0/2     Pending   0          0s
    guide-security-kn-00001-deployment-6b4b4fb88d-4tbgl   0/2     Pending   0          0s
    guide-security-kn-00001-deployment-6b4b4fb88d-4tbgl   0/2     Pending   0          0s
    guide-security-kn-00001-deployment-6b4b4fb88d-4tbgl   0/2     ContainerCreating   0          0s
    guide-security-kn-00001-deployment-6b4b4fb88d-4tbgl   0/2     ContainerCreating   0          0s
    guide-security-kn-00001-deployment-6b4b4fb88d-4tbgl   1/2     Running             0          2s
    guide-security-kn-00001-deployment-6b4b4fb88d-4tbgl   2/2     Running             0          3s
    

8. View the pod logs. In this case, the server started in 0.268 seconds.

    oc logs guide-security-kn-00001-deployment-6b4b4fb88d-4tbgl
    Defaulted container "user-container" out of: user-container, queue-proxy
    
    [9/20/24, 22:01:51:836 UTC] 00000037 com.ibm.ws.kernel.launch.internal.FrameworkManager           A Launching defaultServer (Open Liberty 24.0.0.9/wlp-1.0.93.cl241020240827-1743) on Eclipse OpenJ9 VM, version 17.0.12+7 (en_US)
    [9/20/24, 22:01:51:854 UTC] 00000037 com.ibm.ws.http.internal.VirtualHostImpl                     A CWWKT0016I: Web application available (default_host): http://guide-security-kn-00001-deployment-6b4b4fb88d-4tbgl:9080/
    [9/20/24, 22:01:51:869 UTC] 00000037 io.openliberty.checkpoint.internal.CheckpointImpl            A CWWKC0452I: The Liberty server process resumed operation from a checkpoint in 0.245 seconds.
    [9/20/24, 22:01:51:871 UTC] 00000037 com.ibm.ws.app.manager.AppMessageHelper                      A CWWKZ0001I: Application guide-security-intro.war started in 0.247 seconds.
    [9/20/24, 22:01:51:891 UTC] 00000037 com.ibm.ws.kernel.feature.internal.FeatureManager            A CWWKF0012I: The server installed the following features: [appSecurity-5.0, cdi-4.0, distributedMap-1.0, expressionLanguage-5.0, faces-4.0, jndi-1.0, jsonp-2.1, servlet-6.0, ssl-1.0, transportSecurity-1.0].
    [9/20/24, 22:01:51:892 UTC] 00000037 com.ibm.ws.kernel.feature.internal.FeatureManager            A CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 0.268 seconds.
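
A check to run once the pod is up, as an added example (not code from the original post or from the Open Liberty project): it audits each container's securityContext against the manifest in step 4 and reads the checkpoint restore time from the pod log. The function names and sample pods are constructed for illustration, and it assumes the pod data has the shape of `oc get pod <name> -o json`.

```python
import re

APP_CONTAINER = "user-container"                    # app container name, as in the oc logs output above
INSTANTON_CAPS = {"CHECKPOINT_RESTORE", "SETPCAP"}  # capabilities.add in the step 4 manifest
RESTORED = re.compile(r"CWWKC0452I: .*resumed operation from a checkpoint in ([\d.]+) seconds")

def audit_pod(pod):
    """Return findings for a pod dict shaped like `oc get pod <name> -o json`."""
    findings = []
    pod_sc = pod["spec"].get("securityContext") or {}
    for c in pod["spec"]["containers"]:
        name, sc = c["name"], c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        added, dropped = set(caps.get("add") or []), set(caps.get("drop") or [])
        is_app = name == APP_CONTAINER
        extra = added - (INSTANTON_CAPS if is_app else set())
        missing = (INSTANTON_CAPS - added) if is_app else set()
        checks = [
            (extra, f"unexpected capabilities {sorted(extra)}"),
            (missing, f"missing {sorted(missing)}"),
            ("ALL" not in dropped, "drop does not include ALL"),
            (sc.get("privileged"), "privileged container"),
            # runAsNonRoot may be inherited from the pod; only the app container may escalate
            (sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True, "runAsNonRoot not enforced"),
            (not is_app and sc.get("allowPrivilegeEscalation") is not False,
             "allowPrivilegeEscalation not disabled"),
        ]
        findings += [f"{name}: {msg}" for failed, msg in checks if failed]
    return findings

def restore_seconds(log_text):
    """Return the checkpoint restore time from `oc logs` text, or None if no restore was logged."""
    m = RESTORED.search(log_text)
    return float(m.group(1)) if m else None

# Constructed sample data (not cluster output); LOG_LINE is the CWWKC0452I message text from the log above.
def sample_container(name, add, drop, ape, **extra):
    return {"name": name, "securityContext": dict(
        capabilities={"add": add, "drop": drop}, allowPrivilegeEscalation=ape, **extra)}

AS_DEPLOYED = {"spec": {"securityContext": {"runAsNonRoot": True}, "containers": [
    sample_container(APP_CONTAINER, ["CHECKPOINT_RESTORE", "SETPCAP"], ["ALL"], True, privileged=False),
    sample_container("queue-proxy", [], ["ALL"], False)]}}
DRIFTED = {"spec": {"containers": [
    sample_container(APP_CONTAINER, ["CHECKPOINT_RESTORE", "SETPCAP", "SYS_ADMIN"], ["ALL"], True, runAsNonRoot=True),
    sample_container("queue-proxy", ["NET_ADMIN"], [], True, runAsNonRoot=True)]}}
LOG_LINE = "A CWWKC0452I: The Liberty server process resumed operation from a checkpoint in 0.245 seconds."

if __name__ == "__main__":
    print(audit_pod(AS_DEPLOYED), audit_pod(DRIFTED), restore_seconds(LOG_LINE))
```

For real data, load the output of `oc get pod <name> -o json` with `json.load` and pass the `oc logs` text to `restore_seconds`; a result of None means the log contains no CWWKC0452I line.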
    

Conclusion

In conclusion, we deployed an existing Liberty InstantOn application container image to OCP with Red Hat OpenShift Serverless and saw that the rapid server startup time of Liberty InstantOn benefits serverless applications when responding to demand.
