Friday 12 July 2024

Introduction to Containers

 


Hardware Virtualization


Let's review the layers of service abstractions:


source: The New Era of Cloud Computing: SaaS, IaaS and PaaS | LinkedIn


Infrastructure as a service (IaaS):

  • uses Virtual Machines to virtualize the hardware
  • allows us to share compute resources with other developers
  • each developer can:
    • deploy their own operating system (OS)
    • configure the underlying system resources such as disc space, disk I/O, or networking
    • install their favorite run time, web server, database or middleware
    • build their applications in a self contained environment with access to underlying hardware (RAM, file systems, networking interfaces, etc.)
    • The smallest unit of compute is an app with its VM
      • If we want to scale it the app, we'll also scale VM which is resource and time consuming

Shortcomings of (using only) hardware virtualization


Flexibility listed above comes with a cost:
  • Guest OS might be large (several gigabytes) and take long time to boot
  • As demand for our application increases, we have to copy an entire VM and boot the guest OS for each instance of our app, which can be slow and costly

OS virtualization

  • PaaS: abstraction of the OS
  • IaaS: abstraction of hardware


Container:

  • gives the independent scalability of workloads in PaaS and an abstraction layer of the OS and hardware in IaaS. 
  • an invisible box around our code and its dependencies with limited access to its own partition of the file system and hardware
  • only requires a few system calls to create 
  • starts as quickly as a process
  • All that's needed on each host is:
    • OS kernel that supports containers
    • container runtime
In essence, the OS is being virtualized. It scales like PaaS, but gives us nearly the same flexibility as IaaS. This makes code ultra portable, and the OS and hardware can be treated as a black box. 

We can go from development to staging, to production, or from our laptop to the Cloud without changing or rebuilding anything. As an example, let's say we want to scale a web server. With a container we can do this in seconds and deploy dozens or hundreds of them depending on the size of our workload on a single host. That's just a simple example of scaling one container, running the whole application on a single host. 

However, we'll probably want to build our applications using lots of containers, each performing their own function like microservices. If we build them this way and connect them with network connections, we can make them modular, deploy easily and scale independently across a group of hosts. The hosts can scale up and down and start and stop containers as demand for our app changes or as hosts fail.


Containers: Docker overview


Let's say we need to deploy a stack of various technologies: 
  • Web server Node.js Express
  • MongoDB
  • Redis messaging system
  • Ansible as orchestration tool
If we would go about deploying them on the bare metal host or VM, each of these components needs to be compatible with running host's hardware, OS and installed dependencies and libraries. But this is usually not the case. This is therefore named Matrix from hell.

Docker helps preventing these dependency issues. E.g. we can run each of these components in its own container, which contains libraries and dependencies that the component is compatible with. 

Docker runs on top of the OS (Win, Mac, Linux etc).

Containers are completely isolated environments. They have their own processes, network interfaces, mounts...just like virtual machines except they all share the same OS kernel (which is interfacing the hardware).

Docker adds an abstraction layer over LXC (LinuX Containers). Docker is like an extension of LXC. [LXC vs Docker: Why Docker is Better | UpGuard]

Ubuntu, Fedora, SUSE and CentOS share the same OS kernel (Linux) but have different software (GUI, drivers, compilers, file systems, ...) above it. This custom software differentiates OSes between each other.

Docker containers share the underlying OS kernel. For example, Docker on Ubuntu can run any flavour of Linux which runs on the same Linux kernel as Ubuntu. This is why we can't run Windows-based container on Docker running on Linux OS - they don't share the same kernel.
Hypervisor:
  • Abstracts away hardware for the virtual machines so they can run an operating system
  • Coordinates between the machine's physical hardware and virtual machines.
container engine (e.g. Docker Engine):
  • Abstracts away an operating system so containers can run applications
  • Coordinates between the operating system and (Docker) containers
  • Docker containers are process-isolated and don't require a hardware hypervisor. This means Docker containers are much smaller and require far fewer resources than a VM.

Unlike hypervisors, Docker is not meant to virtualize and run different operating systems and kernels on the same hardware.

The main purpose of Docker is to containerise applications, ship them and run them.

In case of Docker we have: 
  • Containers (one or more) containing:
    • Application
    • Libraries & Dependencies 
  • Docker
  • OS
  • Hardware
In case of virtual machine we have:
  • Virtual Machines (one or more) containing:
    • Application
    • Libraries & Dependencies
    • OS
  • Hypervisor
  • OS
  • Hardware
Docker uses less processing powerless disk space and has faster boot up time than VMs.

Docker containers share the same kernel while different VMs are completely isolated. We can run VM with Linux on the host with Windows.

Many companies release and ship their software products as Docker images, published on Docker Hub, public Docker registry.

We can run each application from the example above in its own container:

$ docker run nodejs 
docker run mongodb
docker run redis
docker run ansible

Docker image is a template, used to create one or more containers.

Containers are running instances of images that are isolated and have their own environments and set of processes.

Dockerfile describes the image.


References: 

Google Cloud Fundamentals: Core Infrastructure | Coursera

Tuesday 9 July 2024

Google Cloud storage options

 


Most applications need to store data e.g. media to be streamed, sensor data from devices.
Different applications and workloads require different storage database solutions.

Google Cloud has storage options for different data types:
  • structured
  • unstructured
  • transactional
  • relational

Google Cloud has five core storage products:
  • Cloud Storage (like AWS S3)
  • Cloud SQL
  • Spanner
  • Firestore
  • Bigtable



(1) Cloud Storage


Object Storage


Let's first define Object Storage.

Object storage is a computer data storage architecture that manages data as “objects” and not as:
  • a file and folder hierarchy (file storage) or 
  • as chunks of a disk (block storage)


These objects are stored in a packaged format which contains:
  • binary form of the actual data itself
  • relevant associated meta-data (such as date created, author, resource type, and permissions)
  • globally unique identifier. These unique keys are in the form of URLs, which means object storage interacts well with web technologies. 

Data commonly stored as objects include:
  • video
  • pictures
  • audio recordings


Cloud Storage:

  • Service that offers developers and IT organizations durable and highly available object storage
  • Google’s object storage product
  • Allows customers to store any amount of data, and to retrieve it as often as needed
  • Fully managed scalable service

Cloud Storage Uses


Cloud Storage has a wide variety of uses. A few examples include:
  • serving website content
  • storing data for archival and disaster recovery
  • distributing large data objects to end users via Direct Download
Its primary use is whenever binary large-object storage (also known as a “BLOB”) is needed for:
  • online content such as videos and photos
  • backup and archived data
  • storage of intermediate results in processing workflows

Buckets


Cloud Storage files are organized into buckets

A bucket needs:
  • globally unique name
  • specific geographic location for where it should be stored
    • An ideal location for a bucket is where latency is minimized. For example, if most of our users are in Europe, we probably want to pick a European location, so either a specific Google Cloud region in Europe, or else the EU multi-region
The storage objects offered by Cloud Storage are immutable, which means that we do not edit them, but instead a new version is created with every change made. Administrators have the option to either allow each new version to completely overwrite the older one, or to keep track of each change made to a particular object by enabling “versioning” within a bucket. 
  • With object versioning:
    • Cloud Storage will keep a detailed history of modifications (overwrites or deletes) of all objects contained in that bucket
    • We can list the archived versions of an object, restore an object to an older state, or permanently delete a version of an object, as needed
  • Without object versioning:
    •  by default new versions will always overwrite older versions

Access Control


In many cases, personally identifiable information may be contained in data objects, so controlling access to stored data is essential to ensuring security and privacy are maintained. Using IAM roles and, where needed, access control lists (ACLs), organizations can conform to security best practices, which require each user to have access and permissions to only the resources they need to do their jobs, and no more than that. 

There are a couple of options to control user access to objects and buckets:
  • For most purposes, IAM is sufficient. Roles are inherited from project to bucket to object.
  • If we need finer control, we can create access control lists. Each access control list consists of two pieces of information:
    • scope, which defines who can access and perform an action. This can be a specific user or group of users
    • permission, which defines what actions can be performed, like read or write
Because storing and retrieving large amounts of object data can quickly become expensive, Cloud Storage also offers lifecycle management policies
  • For example, we could tell Cloud Storage to delete objects older than 365 days; or to delete objects created before January 1, 2013; or to keep only the 3 most recent versions of each object in a bucket that has versioning enabled 
  • Having this control ensures that we’re not paying for more than we actually need

Storage classes and data transfer


There are four primary storage classes in Cloud storage:
  • Standard storage
    • considered best for frequently accessed or hot data
    • great for data that's stored for only brief periods of time
  • Nearline storage
    • Best for storing infrequently accessed data, like reading or modifying data on average once a month or less 
    • Examples may include data backups, long term multimedia content, or data archiving. 
  • Coldline storage
    • A low cost option for storing infrequently accessed data. 
    • However, as compared to near line storage, coldline storage is meant for reading or modifying data at most, once every 90 days. 
  • Archive storage
    • The lowest cost option used ideally for data archiving, online backup and disaster recovery
    • It's the best choice for data that we plan to access less than once a year because it has higher costs for data access and operations in a 365 day minimum storage duration

Characteristics that apply across all of these storage classes:
  • unlimited storage
  • no minimum object size requirement
  • worldwide accessibility and locations
  • low latency and high durability
  • a uniform experience which extends to security tools and API's
  • geo-redundancy if data is stored in a multi-region or dual region. This means placing physical servers in geographically diverse data centers to protect against catastrophic events and natural disasters, and low balancing traffic for optimal performance. 

Auto-class


Cloud storage also provides a feature called auto-class, which automatically transitions objects to appropriate storage classes based on each object's access pattern. The feature:
  • moves data that is not accessed to colder storage classes to reduce storage costs
  • moves data that is accessed to standard storage to optimize future accesses
Auto-class simplifies and automates cost saving for our cloud storage data. 

Cloud storage has no minimum fee because we pay only for what we use. Prior provisioning of capacity isn't necessary.

Data Encryption


Cloud storage always encrypts data on the server side before it's written to disc at no additional charge. Data traveling between a customer's device and Google is encrypted by default using HTTPS/TLS, which is transport layer security. 


Data Transfer into Google Cloud Storage


Regardless of which storage class we choose, there are several ways to bring data into Cloud storage:

  • Online Transfer
    • by using Cloud storage, which is the Cloud storage command from the Cloud SDK
    • by using a Dragon Drop option in the Cloud console if accessed through the Google Chrome web browser
  • Storage transfer service
    • enables us to import large amounts of online data into Cloud storage quickly and cost effectively 
    •  if we have to upload terabytes or even petabytes of data 
    • Lets us schedule and manage batch transfers to cloud storage from:
      • another Cloud provider
      • a different cloud storage region
      • an HTTPS endpoint
  • Transfer Appliance
    • A rackable, high capacity storage server that we lease from Google Cloud
    • We connect it to our network, load it with data, and then ship it to an upload facility where the data is uploaded to cloud storage
    • We can transfer up to a petabyte of data on a single appliance
  • Moving data in internally, from Google Cloud services as Cloud storage is tightly integrated with other Google Cloud products and services. For example, we can:
    • import and export tables to and from both BigQuery and Cloud SQL
    • store app engine logs, files for backups, and objects used by app engine applications like images
    • store instance start up scripts, compute engine images, and objects used by compute engine applications
We should consider using Cloud Storage if we need to store immutable blobs larger than 10 megabytes, such as large images or movies. This storage service provides petabytes of capacity with a maximum unit size of 5 terabytes per object. 


Provisioning Cloud Storage Bucket


We can use e.g. Google Cloud console >> Activate Cloud Shell:









Then execute the following commands in it.

Create an env variables containing the location and bucket name:

$ export LOCATION=EU
$ export BUCKET_NAME=my-unique-bucket-name

or we can use the project ID as it is globally unique:

$ export BUCKET_NAME=$DEVSHELL_PROJECT_ID

To create a bucket with CLI:

$ gcloud storage buckets create -l $LOCATION gs://$BUCKET_NAME

We might be prompted to authorize execution of this command:


To download an item from a bucket to the local host:

$ gcloud storage cp gs://cloud-training/gcpfci/my-excellent-blog.png my-excellent-blog.png

To upload a file from a local host to the bucket:

$ gcloud storage cp my-excellent-blog.png gs://$BUCKET_NAME/my-excellent-blog.png

To modify the Access Control List of the object we just created so that it's readable by everyone:

$ gsutil acl ch -u allUsers:R gs://$BUCKET_NAME/my-excellent-blog.png



We can check in Google Console that bucket and the image in it:






(2) Cloud SQL


It offers fully managed relational databases as a service, including:
  • MySQL
  • PostgreSQL
  • SQL Server 

It’s designed to hand off mundane, but necessary and often time-consuming, tasks to Google, like 
  • applying patches and updates
  • managing backups
  • configuring replications

Cloud SQL:
  • Doesn't require any software installation or maintenance
  • Can scale up to 128 processor cores, 864 GB of RAM, and 64 TB of storage. 
  • Supports automatic replication scenarios, such as from:
    • Cloud SQL primary instance
    • External primary instance
    • External MySQL instances
  • Supports managed backups, so backed-up data is securely stored and accessible if a restore is required. The cost of an instance covers seven backups
  • Encrypts customer data when on Google’s internal networks and when stored in database tables, temporary files, and backups
  • Includes a network firewall, which controls network access to each database instance

Cloud SQL instances are accessible by other Google Cloud services, and even external services. 
  • Cloud SQL can be used with App Engine using standard drivers like Connector/J for Java or MySQLdb for Python. 
  • Compute Engine instances can be authorized to access Cloud SQL instances and configure the Cloud SQL instance to be in the same zone as our virtual machine
  • Cloud SQL also supports other applications and tools, like:
    • SQL Workbench
    • Toad
    • other external applications using standard MySQL drivers

Provisioning Cloud SQL Instance





SQL >> Create Instance:



...and then choose values for following properties:
  • Database engine:
    • MySQL
    • PostgreSQL
    • SQL Server
  • Instance ID - arbitrary string e.g. blog-db
  • Root user password: arbitrary string (There's no need to obscure the password because we use mechanisms to connect that aren't open access to everyone)
  • Choose a Cloud SQL edition:
    • Edition type:
      • Enterprise
      • Enterprise Plus
    • Choose edition preset:
      • Sandbox
      • Development
      • Production
  • Choose region - This should be the same region and zone into which we launched the Cloud Compute VM instance. The best performance is achieved by placing the client and the database close to each other.
  • Choose zonal availability
    • Single zone - In case of outage, no failover. Not recommended for production.
    • Multiple zones (Highly available) - Automatic failover to another zone within your selected region. Recommended for production instances. Increases cost.
  • Select Primary zone

click on image to zoom


During DB creation:

click on image to zoom


Once DB instance is created:



DB has root user created:


Default networking:





 Now we can:
  • see its Public IP address (e.g. 35.204.71.237)
  • Add User Account
    • username
    • password
  • set Connections
    • Networking >> Add a Network
      • Choose between Private IP connection and a Public IP connection
      • set Name
      • Network: <external_IP_of_VM_Instance>/32 (If chosen Public IP connection then use instance's external IP address)

Adding a user:


After user is added:



Adding a new network:


After new network is added:





(3) Spanner


Spanner:
  • Fully managed relational database service that scales horizontally, is strongly consistent, and speaks SQL
  • Service that powers Google’s $80 billion business (Google’s own mission-critical applications and services)
  • Especially suited for applications that require:
    • SQL relational database management system with joins and secondary indexes
    • built-in high availability
    • strong global consistency
    • high numbers of input and output operations per second (tens of thousands of reads and writes per second or more)

The horizontal scaling approach, sometimes referred to as "scaling out," entails adding more machines to further distribute the load of the database and increase overall storage and/or processing power. [A Guide To Horizontal Vs Vertical Scaling | MongoDB]

We should consider using Cloud SQL or Spanner if we need full SQL support for an online transaction processing system. 

Cloud SQL provides up to 64 terabytes, depending on machine type, and Spanner provides petabytes. 

Cloud SQL is best for web frameworks and existing applications, like storing user credentials and customer orders. If Cloud SQL doesn’t fit our requirements because we need horizontal scalability, not just through read replicas, we should consider using Spanner. 

(4) Firestore


Firestore is a flexible, horizontally scalable, NoSQL cloud database for mobile, web, and server development. 

With Firestore, data is stored in documents and then organized into collections. Documents can contain complex nested objects in addition to subcollections. Each document contains a set of key-value pairs. For example, a document to represent a user has the keys for the firstname and lastname with the associated values. 

Firestore’s NoSQL queries can then be used to retrieve:
  • individual, specific documents or 
  • all the documents in a collection that match our query parameters
Queries can include multiple, chained filters and combine filtering and sorting options. They're also indexed by default, so query performance is proportional to the size of the result set, not the dataset. 

Firestore uses data synchronization to update data on any connected device. However, it's also designed to make simple, one-time fetch queries efficiently. It caches data that an app is actively using, so the app can write, read, listen to, and query data even if the device is offline. When the device comes back online, Firestore synchronizes any local changes back to Firestore. 

Firestore leverages Google Cloud’s powerful infrastructure: 
  • automatic multi-region data replication
  • strong consistency guarantees
  • atomic batch operations
  • real transaction support
We should consider Firestore if we need massive scaling and predictability together with real time query results and offline query support. This storage service provides terabytes of capacity with a maximum unit size of 1 megabyte per entity. Firestore is best for storing, syncing, and querying data for mobile and web apps. 


(5) Bigtable

Bigtable:
  • Google's NoSQL big data database service
  • The same database that powers many core Google services, including Search, Analytics, Maps, and Gmail
  • Designed to handle massive workloads at consistent low latency and high throughput, so it's a great choice for both operational and analytical applications, including Internet of Things, user analytics, and financial data analysis. 

When deciding which storage option is best, we should choose Bigtable if: 
  • We work with more than 1TB of semi-structured or structured data
  • Data is fast with high throughput, or it’s rapidly changing
  • We work with NoSQL data. This usually means transactions where strong relational semantics are not required
  • Data is a time-series or has natural semantic ordering
  • We work with big data, running asynchronous batch or synchronous real-time processing on the data
  • We are running machine learning algorithms on the data

Bigtable can interact with other Google Cloud services and third-party clients. 

Using APIs, data can be read from and written to Bigtable through a data service layer like:
  • Managed VMs
  • HBase REST Server
  • Java Server using the HBase client
Typically this is used to serve data to applications, dashboards, and data services. 

Data can also be streamed in through a variety of popular stream processing frameworks like:
  • Dataflow Streaming
  • Spark Streaming
  • Storm
And if streaming is not an option, data can also be read from and written to Bigtable through batch processes like:
  • Hadoop MapReduce
  • Dataflow
  • Spark
Often, summarized or newly calculated data is written back to Bigtable or to a downstream database.

We should consider using Bigtable if we need to store a large number of structured objects. Bigtable doesn’t support SQL queries, nor does it support multi-row transactions. This storage service provides petabytes of capacity with a maximum unit size of 10 megabytes per cell and 100 megabytes per row. Bigtable is best for analytical data with heavy read and write events, like AdTech, financial, or IoT data. 


--- 

BigQuery hasn’t been mentioned in this section because it sits on the edge between data storage and data processing. The usual reason to store data in BigQuery is so we can use its big data analysis and interactive querying capabilities, but it’s not purely a data storage product.


Monday 8 July 2024

Google Cloud DNS and Cloud CDN

 


DNS (Domain Name Service) is what translates internet hostnames to addresses.

8.8.8.8 is a free Google public DNS.


Cloud DNS
  • DNS service for internet hostnames and addresses of applications built in Google Cloud
  • managed DNS service (like AWS Route53)
  • runs on the same infrastructure as Google
  • has low latency
  • high availability
  • cost-effective way to make our applications and services available to our users
  • DNS information we publish is served from redundant locations around the world
  • programmable: we can publish and manage millions of DNS zones and records using the Cloud Console, the command-line interface, or the API. 


Edge caching refers to the use of caching servers to store content closer to end users. 


Cloud CDN

  • Google's global system of edge caches (like Amazon CloudFront)
  • Used to accelerate content delivery in our application
    • our customers will experience lower network latency
    • the origins of our content will experience reduced load
  • can be enabled with a single checkbox, after HTTP(S) Load Balancing is set up

Some other CDNs are part of Google Cloud’s CDN Interconnect partner program, and we can continue to use it.

Saturday 6 July 2024

Google Cloud Load Balancing

 


Virtual machines autoscaling solves the issue of availability during the high load period and also cost optimization during the low load by scaling up and down in respond to changing loads. 

Why do we need Load Balancers?


Cloud Load Balancing allows our customers get to our application when it might be provided by four VMs one moment, and by 40 VMs at another. The job of a load balancer is to distribute user traffic across multiple instances of an application. By spreading the load, load balancing reduces the risk that applications experience performance issues

source: Cloud Load Balancing overview  |  Google Cloud


Cloud Load Balancing 


Cloud Load Balancing:
  • Fully distributed
  • Software-defined
  • Managed service for all our traffic
  • Load balancers don’t run in VMs that we have to manage so we don’t have to worry about scaling or managing them. 
  • Can be put it in front of all of our traffic:
    • HTTP or HTTPS
    • TCP 
    • SSL traffic
    • UDP traffic 
  • Provides cross-region load balancing (remember that Google Cloud VPCs are cross-regional), including automatic multi-region failover, which gently moves traffic in fractions if backends become unhealthy
  • Reacts quickly to changes in users, traffic, network, backend health, and other related conditions
  • Doesn't require so-called “pre-warming”
    • If we anticipate a huge spike in demand, for example our online game is already a hit, we don't need to file a support ticket to warn Google of the incoming load. 

Load Balancing Types


Depending on at which OSI level they operate, Cloud Load Balancers can be divided into two types:
  • Application Load Balancers
    • Layer 7 load balancer for our applications with HTTP(S) traffic
  • Network Load Balancers
    • Layer 4 load balancers that can handle TCP, UDP, or other IP protocol traffic

Depending where the traffic is coming from, Load Balancers can be dived into two types:
  • External Load Balancers
    • For traffic coming into the Google network from the Internet
  • Internal Load Balancers
    • Accepts traffic on a Google Cloud internal IP address and load balances it across Compute Engine VMs
    • If we want to load balance traffic inside our project, say, between the presentation layer and the business layer of our application

Application Load Balancers


Layer 7 load balancer for our applications with HTTP(S) traffic.

Depending on whether our application is internet-facing or internal they can be deployed as:
  • External Application Load Balancers - intended for traffic coming into the Google network from the Internet
    • Global HTTP(S) load balancer - if we need cross-regional load balancing for a web application
    • Regional External Application load balancer
  • Internal Application Load Balancers, which can be deployed as:
    • Cross-region Internal Application Load Balancers - support backends in multiple regions and are always globally accessible. Clients from any Google Cloud region can send traffic to the load balancer. Balance traffic to backend services that are globally distributed, including traffic management that ensures traffic is directed to the closest backend.
    • Regional Internal Application Load Balancers - support backends only in a single region
source: Cloud Load Balancing overview  |  Google Cloud


Network Load Balancers


Layer 4 load balancers that can handle TCP, UDP, or other IP protocol traffic. 
Available as:
  • Proxy Network Load Balancers 
  • Passthrough Network Load Balancers

Proxy Network Load Balancers 

  • Support TLS offloading
  • Depending on whether your application is internet-facing or internal, they can be deployed as:
    • External Proxy Network Load Balancers
      • Global External Proxy Network Load Balancers - support backends in multiple regions
        • Global SSL Proxy load balancer - For Secure Sockets Layer traffic that is not HTTP. This proxy service only works for specific port numbers, and only for TCP
        • Global TCP Proxy load balancer - If it’s other TCP traffic that doesn’t use SSL. This proxy service only works for specific port numbers, and only for TCP
      • Regional External Proxy Network Load Balancers - support backends in a single region
      • Classic Proxy Network Load Balancers - global in Premium Tier but can be configured to be effectively regional in Standard Tier
    • Internal Proxy Network Load Balancers 
      • Regional Internal Proxy Network Load Balancers

source: Cloud Load Balancing overview  |  Google Cloud


Passthrough Network Load Balancers

  • support for IP protocols such as UDP, ESP, and ICMP
  • Can be:
    • External Passthrough Network Load Balancers
      • Regional External Passthrough Network load balancer - If we want to load balance UDP traffic, or traffic on any port number, we can use it to load balance across a Google Cloud region
    • Internal Passthrough Network Load Balancers
      • Regional Internal Passthrough Network Load Balancers

source: Cloud Load Balancing overview  |  Google Cloud


How to choose the right Load Balancer?


source: source: Cloud Load Balancing overview  |  Google Cloud

Friday 5 July 2024

How to inspect the content of the Docker image

When building a Docker image it might be a good idea to verify that no sensitive or unnecessary file or folder has leaked into it which might be the case if .dockerignore is not configured properly.




In this article I want to show how to inspect the content of the Docker image (before we create and run a container).

Let's say we have in Dockerfile:


WORKDIR /usr/src/app

COPY ./my-app/ .



We can build image but with output set to be an archive:

$ docker build -t my-app -f ./my-app/Dockerfile . --output type=tar,dest=my-app.tar

We can now extract only the content of usr/src/app directory (note there is no leading / in the path!) from the archive, into the directory named app:

$ mkdir ./app && tar -xvf my-app.tar -C ./app usr/src/app/

We can now inspect and verify the content of the ./app directory.

After inspection is done, we can delete target directory and an archive:

$ rm -rf app && rm python_demo.tar

Thursday 4 July 2024

Google Cloud Compute Engine

Identity and API access This article extends my notes from Coursera course Google Cloud Fundamentals: Core Infrastructure | Coursera






Compute Engine

  • example of IaaS
  • like AWS EC2
  • with it, users can create and run virtual machines on Google infrastructure
  • no upfront investments
  • thousands of virtual CPUs can run on a system that’s designed to be fast and to offer consistent performance


Each virtual machine contains the power and functionality of a full-fledged operating system. This means a virtual machine can be configured much like a physical server, by specifying required:

  • amount of CPU power (virtual CPUs)
  • memory
  • amount and type of storage
  • operating system

We can use machine types which are:
  • predefined
  • custom, created by us
    • We pay for what we need with custom machine types.
    • We can in fact configure very large VMs, which are great for workloads such as in-memory databases and CPU-intensive analytics
    • most Google Cloud customers start off with scaling out (autoscaling - see below), not up
    • The maximum number of CPUs per VM is tied to its machine family and is also constrained by the quota available to the user, which is zone-dependent (see cloud.google.com/compute/docs/machine-types)


A virtual machine instance can be created via:

  • Google Cloud console, which is a web-based tool to manage Google Cloud projects and resources
  • Google Cloud CLI
  • Compute Engine API


The instance can run:

  • Linux and Windows Server images provided by Google or any customized versions of these images
  • images of other operating systems that we build


Cloud Marketplace

  • Offers software packages e.g. Bitnami LAMP stack (Bitnami package for LAMP – Marketplace – Google Cloud console)
  • A quick way to get started with Google Cloud
  • Offers solutions from both Google and third-party vendors
  • With these solutions, there’s no need to manually configure the software, virtual machine instances, storage, or network settings, although many of them can be modified before launch if that’s required
  • Most software packages are available at no additional charge beyond the normal usage fees for Google Cloud resources


Compute Engine’s pricing and billing structure:

  • use of virtual machines is billed by the second with a one-minute minimum
  • sustained-use discounts start to apply automatically to virtual machines the longer they run
    •  for each VM that runs for more than 25% of a month, Compute Engine automatically applies a discount for every additional minute
  • also offers committed-use discounts: for stable and predictable workloads, a specific amount of vCPUs and memory can be purchased with a discount in return for committing to a usage term of one year or three years. 
  • if we have a workload that doesn’t require a human to sit and wait for it to finish–such as a batch job analyzing a large dataset we can save money, in some cases up to 90%, by choosing Preemptible or Spot VMs to run the job. 
    • Preemptible or Spot VM is different from an ordinary Compute Engine VM in only one respect: Compute Engine has permission to terminate a job if its resources are needed elsewhere. Although savings are possible with preemptible or spot VMs, we'll need to ensure that our job can be stopped and restarted. 
    • Spot VMs differ from Preemptible VMs by offering more features
      • preemptible VMs can only run for up to 24 hours at a time
      • Spot VMs do not have a maximum runtime


Storage

  • high throughput between processing and persistent disks is default


Autoscaling

  • Compute Engine feature
  • VMs can be added to or subtracted from an application based on load metrics

Load Balancing

  • balancing the incoming traffic among the VM
  • Google’s Virtual Private Cloud (VPC) supports several different kinds of load balancing



Provisioning 



When we create a new Compute Engine VM Instance we can specify:

  • Name
  • Region
  • Zone
  • Machine type e.g. Series E2, N2 etc...
  • Boot disk image e.g. Debian GNU/Linux 11 (bullseye)
    • boot disk's architecture (x86/64 or ARM) must be compatible with the selected machine type
  • Identity and API access
    • Service Account: e.g. Compute Engine default service account
        • Requires the Service Account User role (roles/iam.serviceAccountUser) to be set for users who want to access VMs with this service account.
      • Applications running on the VM use the service account to call Google Cloud APIs. Use Permissions on the console menu to create a service account or use the default service account if available.
    • Access scopes: Select the type and level of API access to grant the VM. Default: read-only access to Storage and Service Management, write access to Stackdriver Logging and Monitoring, read/write access to Service Control.
      • Default access
      • Full access to Google APIs
      • Set access for each API
  • Firewall. By default all incoming traffic from outside a network is blocked. Select the type of network traffic you want to allow.  Add tags and firewall rules to allow specific network traffic from the Internet
    • Allow HTTP traffic
    • Allow HTTPS traffic
    • Allow Load Balancer Health Checks
  • Advanced options
    • Networking - Hostname and network interfaces
    • Disks - Additional disks
    • Security - Shielded VM and SSH keys
    • Management - Description, deletion protection, reservations, and automation
      • Automation  >> Startup script - You can choose to specify a startup script that will run when your instance boots up or restarts. Startup scripts can be used to install software and updates, and to ensure that services are running within the virtual machine.
Startup script can be e.g. for setting LAMP stack:

apt-get update
apt-get install apache2 php php-mysql -y
service apache2 restart

click to see the original image



Once instance is running we're able to see internal (e.g. 10.164.0.2) and external IP (e.g. 34.90.152.162) addresses assigned to it:




SSH-ing to VM:







References:


Google Cloud Fundamentals: Core Infrastructure | Coursera.


Disclaimer: The course content rights belong to course creators (Google Cloud Training).