Put IBM Cloud Private into your … laptop

This tutorial walks you through the steps to set up an IBM Cloud Private cluster on your workstation (e.g. your laptop). You can extend this tutorial to a more advanced environment according to your needs.
The environment I’m using in the tutorial is Mac OS High Sierra 10.13.4 with VirtualBox 5.2.18 and IBM Cloud Private Community Edition. Data persistence and storage topics are not discussed in this tutorial, so all data will be stored ephemerally inside the VMs.

System requirements

System requirements to install IBM Cloud Private (ICP) vary based on your architecture. ICP supports 64-bit Linux (Red Hat Enterprise Linux and Ubuntu 16.04 LTS) or Linux on IBM Power. In this tutorial, I use Ubuntu 16.04 LTS.
Minimum resource requirements:
  • Boot node: 4G RAM, 100GB disk
  • Master node: 4G RAM, 151 GB disk
  • Proxy node: 4G RAM, 40 GB disk
  • Worker node: 4G RAM, 100 GB disk

Determine your cluster architecture

First you need to decide the architecture of your cluster. A standard configuration for a multi-node ICP cluster is:

  • A single master
  • A single proxy node
  • Three worker nodes

In this tutorial, though, we will compact the architecture even further, down to only 3 virtual machines (VMs):

  • One VM contains both proxy and master node
  • Two VMs, each hosting a worker node

Here is how it looks:

Deployment topology

Setup infrastructure

Configure VirtualBox network

Create internal private network for the nodes

As shown in the cluster architecture, I will create a Host-Only network interface and attach all the nodes to it. With a Host-Only network adapter, I can access the nodes from my host:

$ VBoxManage hostonlyif create

After that command, VBoxManage prints the name of the new network (e.g. vboxnetX; vboxnet3 in my case). Use it in the next command to configure the network IP, on the same subnet as the static addresses the nodes will get later:

$ VBoxManage hostonlyif ipconfig vboxnet3 --ip 172.0.1.1

Then configure the DHCP server:

$ VBoxManage dhcpserver add --ifname vboxnet3 --ip 172.0.1.1 --netmask 255.255.255.0 --lowerip 172.0.1.100 --upperip 172.0.1.200
$ VBoxManage dhcpserver modify --ifname vboxnet3 --enable

Enable internet access from the VMs

We can either create a NAT network or use the default NAT option to allow the VMs to access the internet through my Mac. To keep it simple, I will attach the NAT adapter to my VMs. We will do this once the VM is provisioned.

Provision the VMs

We will provision the first VM (boot-master-proxy), set up the necessary software on it, then clone it to make the other two VMs and avoid repeating the steps.
Download the image from here: http://releases.ubuntu.com/16.04/ubuntu-16.04.5-server-amd64.iso
Size the VM according to the resources available on your host. We allocate 8GB RAM and 80GB of disk to the first VM.
Once the VM is provisioned from the Ubuntu image, open the VM’s Settings view in the VirtualBox GUI, go to Network, and attach 2 adapters to the VM as follows:

NAT for internet access from the VM

Attach NAT adapter to the VM

Host-Only, select the one you created before, to enable access to the VM from host

Attach Host-Only adapter to the VM

Now launch the VM and set up the OS following the on-screen instructions. Once the OS is ready, assign a static IP address to the VM by changing the configuration in /etc/network/interfaces.

Since the VM is attached to the Host-Only network interface, we can ssh to it from the host and modify the network interfaces configuration:

$ ssh <user>@<boot-master-proxy node's ip address>
$ sudo vi /etc/network/interfaces

Make it look something like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface (NAT)
auto enp0s3
iface enp0s3 inet dhcp
# The Host-Only network
auto enp0s8
iface enp0s8 inet static
        # This is the master node's IP address
        address 172.0.1.100
        netmask 255.255.255.0

Note: Sometimes the network interface name (e.g. enp0sX) does not show up in the /etc/network/interfaces file, so you need to figure out the name of each adapter. Use this command inside the VM to find it:

dmesg | grep eth

Change the host name of the VM to boot-master-proxy:

$ sudo vi /etc/hostname # then make it boot-master-proxy

Install the necessary software on the boot-master-proxy node

Enable root login remotely via ssh to the VM

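SSH to the VM and set a password for root:

$ sudo su - # provide your user's password here
$ passwd

Enable remote login as root. Still as root, this changes PermitRootLogin in sshd_config from prohibit-password to yes, which also permits password-based root login: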

$ sed -i 's/prohibit-password/yes/' /etc/ssh/sshd_config
$ systemctl restart ssh

Set up Network Time Protocol (NTP)

This is to make sure the time stays in sync across the nodes:

$ sudo apt-get install -y ntp
$ sudo systemctl restart ntp

Configure Virtual Memory setting

$ sudo vi /etc/sysctl.conf

Add this line to the file:

# Increase memory map areas to 262144
vm.max_map_count=262144

then reboot

$ sudo reboot now

Install Docker and tools

$ sudo apt-get update && sudo apt-get install -y linux-image-extra-$(uname -r) linux-image-extra-virtual
$ sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
$ sudo apt-key fingerprint 0EBFCD88
$ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
$ sudo apt-get update
$ sudo apt-get install -y docker-ce
$ sudo apt-get install -y python-setuptools && sudo easy_install pip

Create the worker nodes by cloning the first VM

At this point, we have the foundation for installing IBM Cloud Private. Let’s shut down the VM (`shutdown -h now`) and clone it to make the 2 worker nodes.

From the host machine, run these commands:

$ vboxmanage clonevm boot-master-proxy --name worker1
$ vboxmanage registervm ~/VirtualBox\ VMs/worker1/worker1.vbox
$ vboxmanage clonevm boot-master-proxy --name worker2
$ vboxmanage registervm ~/VirtualBox\ VMs/worker2/worker2.vbox

Update network configuration on each worker node

Now we can start all VMs using the VirtualBox GUI or the command line (the GUI is better here). VirtualBox will give us a console for interacting with each VM. Provide credentials to log in to the VM and do further configuration. For example, with worker1:

Login screen of worker1 VM

Change the host name of the VM to worker1

$ sudo vi /etc/hostname # change it to worker1

Change the /etc/hosts configuration to add these lines:

$ sudo vi /etc/hosts
# Add these lines in:
172.0.1.100 boot-master-proxy
172.0.1.101 worker1
172.0.1.102 worker2

Assign a static IP address to the VM by changing the configuration in /etc/network/interfaces to make it look like this:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface (NAT)
auto enp0s3
iface enp0s3 inet dhcp
# The Host-Only network
auto enp0s8
iface enp0s8 inet static
        # This is worker1's IP address
        address 172.0.1.101
        netmask 255.255.255.0

then reboot the VM:

$ sudo reboot now

Repeat those configuration steps for the worker2 VM, with worker2 as the hostname and 172.0.1.102 as the VM’s static IP address.

Install IBM Cloud Private CE

Now we’re ready to install ICP CE onto the VMs. First make sure all 3 VMs are started. Log in to the boot-master-proxy VM through ssh from the host machine:

$ ssh <user>@172.0.1.100
$ sudo su - # provide credentials here

If you have SELinux, turn it off:

$ setenforce 0

Configure passwordless ssh tunnels from boot-master-proxy to worker nodes

Now enable passwordless SSH from the boot-master-proxy node to the 2 worker nodes. First, generate an SSH key pair:

$ ssh-keygen -t rsa -P '' # Accept default values by hitting enter

Now copy the public half of the resulting key (ssh-copy-id reads id_rsa.pub when given id_rsa) to all nodes in the cluster:

$ ssh-copy-id -i .ssh/id_rsa root@boot-master-proxy
$ ssh-copy-id -i .ssh/id_rsa root@worker1
$ ssh-copy-id -i .ssh/id_rsa root@worker2

Now we can ssh from boot-master-proxy node to the worker nodes without having to provide password. For example, to access worker1 from boot-master-proxy:

$ ssh root@worker1
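
Once key-based login works on every node, the PermitRootLogin yes setting enabled earlier can go back to prohibit-password, which still allows the key-based root login configured here. The script below is an added example, not part of the original tutorial; its function names and file name are hypothetical, and the sshd_config path is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names are made up.
# The config path is an argument so you can try it on a copy first.

# Print the global PermitRootLogin value: sshd takes the first occurrence of a
# keyword, and lines after a Match keyword are conditional. With nothing set,
# OpenSSH 7.x (Ubuntu 16.04) defaults to prohibit-password.
effective_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { v = tolower($2); exit }
         END { print (v == "" ? "prohibit-password" : v) }' "$1"
}

# Set every active PermitRootLogin line to prohibit-password (key-only root
# login). Commented-out lines are left untouched.
restrict_root_login() {
    cfg=$1
    tmp=$(mktemp) || return 1
    {
        # No active directive: add it at the top, where it is global.
        # Appending could land inside a trailing Match block.
        grep -qiE '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg" ||
            echo 'PermitRootLogin prohibit-password'
        awk 'tolower($1) == "permitrootlogin" {
                 print "PermitRootLogin prohibit-password"; next }
             { print }' "$cfg"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg"    # overwrite in place: keeps owner and mode
    rm -f "$tmp"
}

# Usage as root on each node (script file name is hypothetical):
#   sh restrict_root_login.sh /etc/ssh/sshd_config
#   sshd -t && systemctl restart ssh    # validate, then apply
if [ "$#" -eq 1 ]; then
    restrict_root_login "$1" && effective_root_login "$1"
fi
```

Run it on boot-master-proxy last, and confirm `ssh root@worker1` still works from boot-master-proxy before starting the installer.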

Install IBM Cloud Private CE from boot-master-proxy node

Create installation directory and launch a docker container to pull the installation materials

$ mkdir -p /opt/icp
$ cd /opt/icp
$ docker pull ibmcom/icp-inception:2.1.0.3
$ docker run -e LICENSE=accept --rm -v /opt/icp:/data ibmcom/icp-inception:2.1.0.3 cp -r cluster /data
$ cd cluster

Now copy the private SSH key to the installation directory and make it readable only by its owner:

$ cp ~/.ssh/id_rsa /opt/icp/cluster/ssh_key
$ chmod 400 /opt/icp/cluster/ssh_key

Configure IP addresses of the nodes in /opt/icp/cluster/hosts

$ sudo vi /opt/icp/cluster/hosts

Make it look like this

[master]
172.0.1.100


[worker]
172.0.1.101
172.0.1.102


[proxy]
172.0.1.100

Run the installation

$ docker run --net=host -t -e LICENSE=accept -v "$(pwd)":/installer/cluster ibmcom/icp-inception:2.1.0.3 install

Wait about 30 minutes, until you’re presented with a happy message like the one shown below. At that point IBM Cloud Private CE is successfully deployed on the VMs.

PLAY RECAP *************************************************************************************************************************************************************************************************
172.0.1.100                : ok=159  changed=76   unreachable=0    failed=0   
172.0.1.101                : ok=101  changed=40   unreachable=0    failed=0   
172.0.1.102                : ok=97   changed=37   unreachable=0    failed=0   
localhost                  : ok=69   changed=47   unreachable=0    failed=0   


POST DEPLOY MESSAGE ****************************************************************************************************************************************************************************************

The Dashboard URL: https://172.0.1.100:8443, default username/password is admin/admin

Playbook run took 0 days, 0 hours, 23 minutes, 56 seconds

We can now access the ICP cluster’s web console from the host machine via this link https://172.0.1.100:8443 using the default credentials.

The happy login screen of IBM Cloud Private

 

Once logged in, navigate to the Catalog link to see the charts and services that can help us start building our apps.

Catalog screen of the deployed IBM Cloud Private

In the next posts, I will discuss how to deploy workloads on IBM Cloud Private. Stay tuned.

 

Is Your Organization Mobile Ready?

Mobile nowadays has become more front and center in the enterprise landscape. It is both directly and indirectly creating new revenue or strengthening the existing revenue streams. Companies that listen and respond properly to mobile trends can win competitive advantages. Is your organization mobile ready?

Here are five key questions to ask as you prepare for your company to go mobile.

1. Is your business model mobile ready?

It’s apparent that mobile is now everywhere and significantly changing the way businesses operate. It is considered to postdate the days of personal computers and is becoming the main tool of the business workforce. All stakeholders who are influencing your business, including customers, business partners and employees, are also profoundly being influenced by mobile technologies. They are going mobile. New work flows and connection patterns are being created among your business influencers. Customer demands are getting more sophisticated with all the mobile options, which may force your company to reexamine a lot of things, including its business model, to reposition where it is in the value chain. Revenue streams are shifting to where the mobile involvement is, and you have to refine your business model accordingly to keep your customer happy as well as catch new opportunities. Mobile is where the customers are, so that’s where you need to be.

2. Is your infrastructure mobile ready?

A research study from IBM states that 91 percent of mobile users always keep their mobile devices within a reachable distance. It implies that users want the ability to access applications and services everywhere, whenever they are needed and of course as quickly as possible. This challenges your infrastructure in terms of availability, performance and responsiveness to the explosive number of requests.

The wide adoption of mobile devices also challenges your current system’s architecture. Technically, services that have been exposed outside of the enterprise might not be suitable for mobile requests because in responding to the requests from a mobile environment, which is typically limited in computing resources, the data being transferred back should be lightweight enough that it can be effectively consumed by mobile applications to provide the expected user experience.

Additionally, the diversity of mobile platforms that involve platform owners in operating some useful services (for example C2DM or APNS, the users’ service providers and so forth) would require your enterprise system to be adapted to interact with those external systems effectively and securely.

3. Have you considered security?

Security has always been a big concern when enabling an enterprise to go mobile. Controlling security for mobile is getting more and more challenging due to the natural portability of the mobile environment as well as the constantly growing diversity of mobile platforms and mobile applications. It consequently requires an efficient approach from the strategic level with clearly defined mobile use cases in the business context. This in turn helps the enterprise to build up a comprehensive mobile security policy to more detailed levels, like how to use technologies for implementing the policy and how to make mobile users aware of security threats and regularly educate them to follow security practices to protect themselves and the corporation. That circle from strategy to policy to technology and education should incrementally, iteratively evolve to keep your security strategy up to date and ensure that it reflects your business needs.

4. Is your design approach and concept mobile adequate?

Mobile devices are typically made with smaller screens and are several times less powerful than desktop computers in terms of computing resources, yet the activities performed on mobile require a sense of immediacy. They tend to be tactical in nature. As a result, the interaction flow between the user and the mobile application requires a completely new user experience design mindset. Data presented on mobile needs to be somehow contextualized and condensed to convey as much information as possible and to best utilize less network bandwidth and hardware resources. There is no room for redundancy. Information and an application’s features need to be progressively, selectively displayed.

Design approaches applied for desktop are consequently inadequate for the mobile environment, not only from the user interface perspective but also from code design since the same code would not run on mobile as effectively as on desktop. It needs to be leaner.

Mobile is becoming mainstream in the workforce, and a mobile application is no longer simply a smaller, zoomed-in version of your desktop application. Applying an appropriate design mindset will make your mobile application, the heart of your mobile business model, more attractive to help you meet user expectations and gain a competitive advantage.

5. Is your application development process mobile suitable?

Mobile devices and platforms evolve rapidly, and your app consequently needs to adapt quickly to those changes in order to continuously gain user satisfaction. In other words, mobile apps are written, used and replaced at a much higher rate than traditional enterprise apps. That requires your development process to be refined so that your app will be iteratively delivered more quickly without sacrificing quality.

Additionally, mobile user expectations are very high, yet loyalty is low. They will easily forget your app if they cannot find what they need on the very first try on their tiny mobile devices. In order to continuously make sure your app satisfies its users and keeps them using the apps, you need to get them involved in the development of the apps earlier, interact with them more frequently to get feedback and then meet their expectations promptly—period.