Oracle Cloud Notes2

The document covers various cloud services offered by Oracle, including OS Management Service, Cloud Storage, Object Storage, Block Storage, File Storage, and Database options. It details features such as patch and package management, storage models, migration technologies, and security measures like encryption and key management. Additionally, it discusses application development using microservices and event-driven architecture, along with tools like Resource Manager and Oracle Kubernetes Engine for efficient resource management and deployment.

Uploaded by

shaggy9423

CLOUD TRAINING PART 2

OS management Service: OSMS

Two main characteristics:


1. Patch management
2. Package management

Patch management means patching support: the PSUs and other Infra and Grid
patching.
Package management means general OS package maintenance, updates, etc.

In addition to the Oracle OS Management service (OSMS), within the same tool, it
also provides a lookup tool for Common Vulnerabilities and Exposures: the
CVE Lookup tool. (Only for Oracle Linux OS, OEL.)

===================================================================================

## CLOUD STORAGE:

Features ---> Persistence (integrity of stored content)
         ---> Durability (redundancy)

Storage Models:

---> Local NVMe. In this you have an Availability Domain (virtual DC), and
within this you have the compute instance; the storage disks are stored locally in
the same AD.
---> Block storage. You store the disks remotely in the AD and the storage is
mounted in block format.
Block format meaning >>> You create a disk partition, format it
with a fixed block size, then mount it and then create files on it.
---> File storage. This is similar to block storage, but these are shared
across multiple compute instances.
In this case you do not perform partitioning; however, you will still
mount the storage and manage it as files.
---> Object storage. This is used to store videos, pictures, etc.

Migration Technologies.
1. Data Transfer Disk --> We send the disks to Oracle and the
migration is taken care of.
2. Data Transfer Appliance --> We use a combination of multiple ETL
applications integrated together (overall called a "much larger appliance") to perform
the migration.
3. Storage Gateway --> You install an Oracle Linux based
application in your legacy datacenter, and then the migration is taken care of.

===================================================================================
## OBJECT STORAGE:

Object storage is suitable mainly for semi-structured data --> Hadoop /
Bigdata / Spark / (video/multimedia etc).

Now this data is stored in the cloud and can be accessed using an API.
The API is nothing but a URL, built by combining a few pieces of information
based on where that particular object is stored:
-Namespace(n)
-Bucket(b)
-Object(o)

and Region as well(sanjose).

eg: https://object-storage.us-sanjose-1.oraclecloud.com/n/initoraclerohit/b/developement/o/log.zip

## TIERS in OBJECT STORAGE

Standard Tier (readily available)

Archive Tier (requires 1 hr to be made available, after which you need to
download the content to the standard tier before use)

Infrequent Access Tier (this is mainly to be used for backups etc., basically
data that is important but need not be accessed frequently).
This tier is 6x cheaper; however, an additional charge is
applied when a request is made to access this storage (pay per use).

There is a feature called AUTO TIERING: in this, the tiering is taken care of
automatically and the data is shuffled between the standard and infrequent access
tiers automatically.

#Features
Storage can be encrypted too.
Storage can be versioned, different versions of data can be requested.
Storage can be classified or automated to be moved to a different tier after so
many days. This is called object lifecycle management.

Note: There is an option called "Emit Object Events" in the buckets tab where we
can create few notifications/automated alerts for events related to Object storage.
-----------------------------------------------------------------------------------
## DEMO

In the below lines we are observing two API URLs one with a pre-authenticated token
and one without.
The pre-authenticated token is needed for the buckets that are marked as private to
provide exclusive access to that particular object.

https://objectstorage.ap-mumbai-1.oraclecloud.com/p/Qk-P_PwKa6JkQpLDVWS1U7WOuhNzW97KyG_Nr6eZc-D2TKUYMmdyjdHCNz50z7fN/n/bm9evt4r76ws/b/bucket-20220309-1427/o/Image-Deriskimage-048.webp
https://objectstorage.ap-mumbai-1.oraclecloud.com/n/bm9evt4r76ws/b/bucket-20220309-1427/o/Image-Deriskimage-048.webp

From the demo what I have learnt is that versions will be created once you
upload a file with the same name again.
The previous one is by default overwritten and is named as the previous version.

If you see the two lines above, you will see that the files that are uploaded are
marked with something called a version id.

Note:
The last uploaded file is called the latest version.
If I delete some file, then a delete marker is added to the object's version
list as well.
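The URL structure used in the Object Storage section and in the demo above (a regional endpoint, then /n/namespace/b/bucket/o/object, with an optional /p/token prefix when the link is a pre-authenticated request) can be checked and logged safely with a small parser. The block below is an added example, not code from the training or from Oracle: the sample URLs and the PAR token in it are constructed placeholders, and parse_object_url and redact_par are this example's own names. The point of redact_par is that the PAR token is a bearer secret granting access to the object, so it should never end up in logs or tickets as-is.

```python
import re
from urllib.parse import urlparse, urlunparse

# Constructed sample URLs in the shape the notes show. The PAR token below is a
# made-up placeholder, not a real pre-authenticated request token.
PLAIN_URL = ("https://objectstorage.ap-mumbai-1.oraclecloud.com"
             "/n/examplenamespace/b/bucket-20220309-1427/o/Image-Deriskimage-048.webp")
PAR_URL = ("https://objectstorage.ap-mumbai-1.oraclecloud.com"
           "/p/PLACEHOLDER_PAR_TOKEN_abc123/n/examplenamespace"
           "/b/bucket-20220309-1427/o/Image-Deriskimage-048.webp")

# Host: objectstorage.<region>.oraclecloud.com (the hyphenated spelling used in
# the notes' first example is accepted as well).
_HOST_RE = re.compile(r"^object-?storage\.(?P<region>[a-z0-9-]+)\.oraclecloud\.com$")
# Path: optional /p/<PAR token> prefix, then /n/<namespace>/b/<bucket>/o/<object>
_PATH_RE = re.compile(
    r"^(?:/p/(?P<par>[^/]+))?/n/(?P<ns>[^/]+)/b/(?P<bucket>[^/]+)/o/(?P<obj>.+)$")


def parse_object_url(url):
    """Split an Object Storage URL into its parts; raise ValueError if it is not one."""
    p = urlparse(url)
    if p.scheme != "https":
        raise ValueError("Object Storage URLs must use https")
    host = _HOST_RE.match(p.netloc)
    if host is None:
        raise ValueError("not an Object Storage endpoint: %s" % p.netloc)
    path = _PATH_RE.match(p.path)
    if path is None:
        raise ValueError("unexpected path layout: %s" % p.path)
    return {
        "region": host.group("region"),
        "namespace": path.group("ns"),
        "bucket": path.group("bucket"),
        "object": path.group("obj"),
        "par_token": path.group("par"),           # None for a plain URL
        "pre_authenticated": path.group("par") is not None,
    }


def redact_par(url):
    """Return the URL with any PAR token replaced, so it is safe to put in logs."""
    p = urlparse(url)
    return urlunparse(p._replace(path=re.sub(r"^/p/[^/]+/", "/p/REDACTED/", p.path)))


if __name__ == "__main__":
    for u in (PLAIN_URL, PAR_URL):
        info = parse_object_url(u)
        kind = "PAR" if info["pre_authenticated"] else "plain"
        print(kind, redact_par(u), "->", info["region"], info["bucket"], info["object"])
```

A plain URL only works for a public bucket or with a signed request; the PAR form works for anyone holding the link, which is exactly why the token is stripped before the URL is recorded anywhere.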
===================================================================================

## BLOCK STORAGE

In block storage we store the data on network-connected storage. The collective
disks connected together over the network are known as block storage.
We can create/attach/remove/detach disks on the fly. Multiple copies, just like
ASM, are maintained to ensure data durability.

TIERS in Block storage

Basic                    2 IOPS/GB
Balanced
Higher Performance
Ultra High Performance   90-225 IOPS/GB

Features of Block Storage

The disks can be shared between multiple VMs.
The data is encrypted on the storage and in transit as well.
Resizing of block volumes is possible.
Replication of block volumes among different DCs.
Block volumes can be grouped together to create a volume group.

NOTE: Use the command $ lsblk to show all the block devices attached to that compute
instance.

===================================================================================

## FILE STORAGE

In file storage we have a named structure in a hierarchy. In simple words, what
we use daily: a folder inside a folder. eg: /etc/oracle/opr etc.

Now, in cloud environment we have these in Distributed file system format.

- Linux (Network File System, NFS)
- Windows (SMB - Server Message Block)

Not explained in detail in this training.

===================================================================================

### DATABASE OPTIONS IN OCI:

Standalone databases on VMs and bare metal.
    |-- Within this, standalone databases can be provisioned using Logical
        Volume Manager via the FAST PROVISIONING feature (this uses ASM too in the background).

Two node RAC database system.

Exadata Cloud service system.


Autonomous Databases (Shared and dedicated). These autonomous databases provide two
types of workloads ADW(data warehousing) and ATP(transaction processing).

NOTE: When we create an Autonomous Database, it automatically creates 3 services
for DB connectivity, each with no to high parallelism and queuing ability.
high: A high priority application connection service for reporting and batch
operations. All operations run in parallel and are subject to queuing.
(orcldbtst_high)
medium: A typical application connection service for reporting and batch
operations. All operations run in parallel and are subject to queuing.
(orcldbtst_medium)
low: A lowest priority application connection service for reporting or batch
processing operations. This connection service does not run with parallelism.
(orcldbtst_low)

-----------------------------------------------------------------------------------

## MYSQL DATABASE SERVICE:

It's simple to configure a database on OCI with MySQL. Easy provisioning.

It provides an HA option where 3 instances run for one MySQL database. In this config
the database automatically fails over to another surviving node in case of DB/infra
failure.

It also provides an option to use MySQL with HeatWave. HeatWave is for OLTP and
OLAP analytics working on the same MySQL database, with 400 times better performance
than plain MySQL.

### SECURITY ###

OCI security follows a shared security model. Meaning --> some resources are
managed by Oracle and some are managed by the vendor.

To ensure security at various levels, OCI provides a vast array of
tools/features.

# Cloud Guard:
Using Cloud Guard we can detect a problem on specific targets and automate the
resolution as well (if possible).
TARGET ---> DETECTORS ---> PROBLEMS ---> RESPONDERS
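The TARGET ---> DETECTORS ---> PROBLEMS ---> RESPONDERS chain, as an added Python example rather than Cloud Guard's own code: the target resources, detector names and responder actions are constructed for illustration (the bucket public_access and versioning values follow OCI's naming; everything else, including the ADMIN_CIDR placeholder, is made up), and detect and respond are this example's own names. One detector deliberately has no responder, since some findings should only raise a problem for a human to review.

```python
from typing import Callable, Dict, List, Optional


class Resource:
    """One resource in the target (a compartment, in Cloud Guard terms)."""
    def __init__(self, kind: str, name: str, config: dict):
        self.kind, self.name, self.config = kind, name, config


class Problem:
    def __init__(self, resource: str, detector: str, severity: str, responder: Optional[str]):
        self.resource, self.detector = resource, detector
        self.severity, self.responder = severity, responder


# Constructed sample target: one public bucket without versioning, one private
# bucket, and a security list that allows SSH from anywhere.
TARGET = [
    Resource("bucket", "app-logs", {"public_access": "ObjectRead", "versioning": "Disabled"}),
    Resource("bucket", "db-backups", {"public_access": "NoPublicAccess", "versioning": "Enabled"}),
    Resource("security_list", "web-sl", {"ingress": [
        {"source": "0.0.0.0/0", "port": 22},
        {"source": "0.0.0.0/0", "port": 443},
    ]}),
]
ADMIN_CIDR = "10.0.1.0/24"   # constructed placeholder for the bastion/admin subnet


# ---- DETECTORS: each looks at one resource and returns a Problem or None ----
def detect_public_bucket(r: Resource) -> Optional[Problem]:
    if r.kind == "bucket" and r.config.get("public_access") != "NoPublicAccess":
        return Problem(r.name, "BUCKET_IS_PUBLIC", "CRITICAL", "make_bucket_private")
    return None


def detect_versioning_off(r: Resource) -> Optional[Problem]:
    if r.kind == "bucket" and r.config.get("versioning") != "Enabled":
        return Problem(r.name, "BUCKET_VERSIONING_DISABLED", "LOW", None)  # report only
    return None


def detect_ssh_from_anywhere(r: Resource) -> Optional[Problem]:
    if r.kind == "security_list":
        for rule in r.config["ingress"]:
            if rule["port"] == 22 and rule["source"] == "0.0.0.0/0":
                return Problem(r.name, "SSH_OPEN_TO_INTERNET", "HIGH", "restrict_ssh_source")
    return None


DETECTORS = [detect_public_bucket, detect_versioning_off, detect_ssh_from_anywhere]


# ---- RESPONDERS: named remediations that a responder rule may run ----
def make_bucket_private(r: Resource) -> None:
    r.config["public_access"] = "NoPublicAccess"


def restrict_ssh_source(r: Resource) -> None:
    for rule in r.config["ingress"]:
        if rule["port"] == 22 and rule["source"] == "0.0.0.0/0":
            rule["source"] = ADMIN_CIDR


RESPONDERS: Dict[str, Callable[[Resource], None]] = {
    "make_bucket_private": make_bucket_private,
    "restrict_ssh_source": restrict_ssh_source,
}


def detect(target: List[Resource]) -> List[Problem]:
    """TARGET -> DETECTORS -> PROBLEMS: run every detector over every resource."""
    return [p for r in target for d in DETECTORS for p in [d(r)] if p is not None]


def respond(target: List[Resource], problems: List[Problem]) -> List[str]:
    """PROBLEMS -> RESPONDERS: run the responder where one is defined.

    Returns the detector names that were remediated; problems without a
    responder stay open for a human."""
    by_name = {r.name: r for r in target}
    fixed = []
    for p in problems:
        if p.responder in RESPONDERS:
            RESPONDERS[p.responder](by_name[p.resource])
            fixed.append(p.detector)
    return fixed


if __name__ == "__main__":
    found = detect(TARGET)
    for p in found:
        print(f"{p.severity:8} {p.detector:28} on {p.resource}")
    print("remediated:", respond(TARGET, found))
    print("still open:", [p.detector for p in detect(TARGET)])
```

Running detect again after respond is the check that the responders actually closed the problems they claim to fix; only the report-only finding should remain.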

===================================================================================

### ORACLE VAULT SERVICE:

So basically, for encryption and decryption you need keys and an encryption
algorithm.
The algorithm decides what type of keys should be used for encryption and
decryption.
- One type uses the same key for decryption that's used for encryption.
(AES)
- Encrypt with a public key and decrypt with a private key. Basically two
different keys are used. (RSA)
- ECDSA - this is basically used for signing and not for any other
data encryption.

So now this entire rigmarole of key management can be done at the software level or
can be managed using a H/W solution.
In the S/W based approach the keys have to be stored and used on the server itself,
which can be more insecure.
In the H/W based approach there is a separate management server which takes care of storing
all these keys, and it itself operates using a Master Key.
It is this H/W based encryption that is used in the Oracle OCI Vault service.

So now :-

What happens in the Vault is:

Envelope encryption. In plain language, a 2-TIER hierarchy for keys.

1. The key vault stores the master key within itself.
2. This master key encrypts the data keys. Data keys are the actual
keys that are used to encrypt the data.

How does this work?

Now what happens is that whenever we store anything in a data bucket or in any OCI
storage, the object storage service internally calls the vault service.
It tells the vault service: give me an encryption key.
What the vault service does is generate a new data key for that object
and send it to the storage service.
The twist is that it sends the same data key in two formats: one plain data key
and one encrypted data key.

Object storage uses the plain data key to do the encryption and stores the encrypted
object. Then it discards the plain data key. (Now how to decrypt it,
the storage service doesn't know; Gabbar: nobody knows!!! haha ha ha)

Now, the next time there is a request to read this data, the object service goes back
to the vault service and says: here, take the encrypted data key.
Looking at that, the corresponding plain/decrypted data key is sent back to object
storage.

Then object storage uses it to decrypt the data and serve the read request.
Once the request is complete, the plain data key is again thrown away.

This is how the mechanism works. Moving on:

The important, VERY VERY IMP point in this is that the master key has to be
safeguarded very securely. Because if that's lost then the vault is lost, and once the
vault is lost, all the dependent data which was encrypted using data keys from that
vault is lost forever. There is no way at all to recover the data.

The master keys can be secured in various ways: you can back up the master keys
periodically, and you can rotate master keys to be more secure.
When deleting a master key, Oracle by itself preserves it for a period of 7 days so
that if you realise "ohh motha fuka, I fucked up", you can save your ass. :D
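The two-tier flow described above (the vault keeps the master key; storage receives a data key in plain and wrapped form, encrypts with the plain copy, keeps only the wrapped copy, and asks the vault to unwrap it on every read), written out as an added example. This is not OCI's implementation: Vault, ObjectStorage, seal and open_sealed are this example's own names, and the cipher is an HMAC-SHA256 stand-in so the block runs with the Python standard library alone (OCI Vault uses AES, with the master key held in an HSM). The master_key_lost helper demonstrates the point made just above: with a different master key, every wrapped data key fails to unwrap and the objects are unrecoverable.

```python
import hashlib
import hmac
import os

# NOTE (stand-in cipher): to stay dependency-free, "seal" is HMAC-SHA256 used as a
# counter-mode keystream plus an HMAC tag (encrypt-then-MAC). The two-tier key
# hierarchy is the point of this example, not the cipher itself.

def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    """Tier 1: holds the master key, which never leaves the vault."""
    def __init__(self):
        self._master_key = os.urandom(32)

    def generate_data_key(self):
        """Return a fresh data key twice: plain, and wrapped under the master key."""
        dek = os.urandom(32)
        return dek, seal(self._master_key, dek)

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        return open_sealed(self._master_key, wrapped)


class ObjectStorage:
    """Tier 2: encrypts each object with its own data key; stores only the wrapped key."""
    def __init__(self, vault: Vault):
        self.vault = vault
        self._objects = {}

    def put(self, name: str, data: bytes) -> None:
        dek, wrapped = self.vault.generate_data_key()
        self._objects[name] = (wrapped, seal(dek, data))
        del dek   # the plain data key is thrown away; only the wrapped copy is kept

    def get(self, name: str) -> bytes:
        wrapped, ct = self._objects[name]
        dek = self.vault.decrypt_data_key(wrapped)   # storage never sees the master key
        try:
            return open_sealed(dek, ct)
        finally:
            del dek   # thrown away again once the read is served

    def stored_bytes(self, name: str) -> bytes:
        """What actually sits on disk for an object: ciphertext only."""
        return self._objects[name][1]


def master_key_lost(storage: ObjectStorage, name: str) -> bool:
    """Simulate losing the vault: give the storage a vault with a new master key and
    check that the stored object can no longer be read."""
    storage.vault = Vault()
    try:
        storage.get(name)
        return False
    except ValueError:
        return True
```

Each object gets its own data key, so two copies of the same content produce unrelated ciphertexts, and compromising one object's key exposes only that object; the master key is the single thing whose loss takes everything with it, which is why the notes stress backing it up and why deletion is held for 7 days.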
===================================================================================

### BASTION SERVICE:

Bastion is a logical entity that provides secure SSH access to the DB session/host.
So basically just like in our firewall, where we use the MAC address or physical address
to authenticate connectivity.

Similar connectivity control is introduced for SSH port 22 and listener port 1521
using the Bastion service.
A CIDR block allow list and IAM integration control can be used to introduce this
access control using Bastion.
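The access control just described (a CIDR allow list on the source, only the SSH and listener ports, and an IAM check on who may open a session) as an added Python example, not Oracle's Bastion code: the CIDRs, groups and session requests are constructed (TEST-NET ranges stand in for real office or VPN egress addresses), and is_session_allowed and audit are this example's own names. The checks are ordered so the reason returned tells an operator which control denied the session.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed allow list: TEST-NET ranges standing in for office/VPN egress CIDRs.
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.10/32"]
# Ports a bastion session may forward to: SSH and the DB listener.
ALLOWED_PORTS = {22, 1521}
# Constructed IAM groups allowed to create sessions.
ALLOWED_GROUPS = {"DBAdmins", "SREs"}


def is_session_allowed(src_ip: str, dst_port: int, groups: Iterable[str],
                       cidrs=ALLOWED_CIDRS, ports=ALLOWED_PORTS,
                       allowed_groups=ALLOWED_GROUPS) -> Tuple[bool, str]:
    """Apply the three checks: target port, CIDR allow list, IAM group membership."""
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False, "unparseable source address"
    if dst_port not in ports:
        return False, f"port {dst_port} is not exposed through the bastion"
    # An IPv6 source never matches an IPv4 network, so it is denied unless a v6
    # CIDR is on the list.
    if not any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs):
        return False, f"{src_ip} is outside the CIDR allow list"
    if not allowed_groups.intersection(groups):
        return False, "principal is not in an allowed IAM group"
    return True, "allowed"


# Constructed session requests: (source IP, target port, principal's IAM groups).
REQUESTS = [
    ("203.0.113.25", 22, ["SREs"]),
    ("203.0.113.25", 1521, ["DBAdmins"]),
    ("203.0.113.25", 3389, ["SREs"]),          # RDP is not exposed
    ("192.0.2.7", 22, ["SREs"]),               # outside the allow list
    ("198.51.100.10", 22, ["Developers"]),     # right network, wrong group
    ("2001:db8::1", 22, ["SREs"]),             # IPv6 source, no matching v6 CIDR
]


def audit(requests=REQUESTS):
    """Return (allowed, denied) lists, each entry carrying the decision's reason."""
    allowed, denied = [], []
    for src, port, groups in requests:
        ok, reason = is_session_allowed(src, port, groups)
        (allowed if ok else denied).append((src, port, reason))
    return allowed, denied


if __name__ == "__main__":
    allowed, denied = audit()
    for src, port, reason in allowed:
        print(f"ALLOW {src}:{port}")
    for src, port, reason in denied:
        print(f"DENY  {src}:{port} ({reason})")
```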

=========================================== Security Module end ===========================================

=========================================== APP DEV Module ===========================================
### APP DEV INTRODUCTION:

Basically in the traditional monolithic model, we have a Client Tier ---> API
Tier ---> Middleware ---> Storage (SQL or NoSQL).

As opposed to this we have newer architectures based on particular components
[MICROSERVICES and EVENT DRIVEN ARCHITECTURE].
Meaning different structures for different components. No single point of failure
as such.

All in all this is the new way forward for applications to run on. We can design
the architecture such that the application work can be decoupled and the underlying
resources can be designed and made available on a per-workload basis. (In my
understanding, for the reporting part of an app we can stand up heavy resource infra,
and for the leave and HR part we can stand up a weaker, lighter resource base
[infra, cpu, etc]. And because they are decoupled there is no single point of
failure and no dependency.)

Pillars of the EVENT DRIVEN / MICROSERVICES architecture.

- Infrastructure as code. [Terraform]
- Container based deployments. [Docker images and containers in Kubernetes PODS]
- Access to services.

OCI developer offerings to implement this architecture:

1. Resource Manager (ORM) [Terraform, resources as code]
2. Functions [serverless option]
3. OKE Oracle Kubernetes Engine [ ?? I guess automatic VM provisioning ?? ]
4. Container Registry
5. API Gateway.

## 1. Resource Manager (ORM):

In this we write infra components in the form of code. By reading the
code a plan is generated and accordingly the infra is created.
Using ORM we can scale the architecture, maintain different versions of an
infra stack and also remove an entire stack at once.
eg: If we create a Kubernetes cluster, we can save it to OCI and save
it as a Stack (a distinct set of cloud resources within a compartment is a stack).

DEMO : In the demo we saw how a single zip file containing multiple .tf
(Terraform) files is used to create all the defined cloud resources at once.
The same is used for creating a Job, then Plan and Activate all the resources
like VPN, compute instances, load balancer etc. at once as one stack. Similarly all
can be destroyed with one click.

PLAN --> APPLY --> DESTROY

## 2. Functions as a Service (Functions):


So basically Functions in OCI are a serverless offering.
Meaning: the application/code is run as per usage, and the underlying
resources are billed as per usage.
As there is no binding to any particular VM or container
or bare metal machine, this pricing model is possible.

BARE METAL SERVERS ---> VIRTUAL MACHINES ---> CONTAINERS (OCI concept)
---> Functions

DEMO : In the demo I could see that the function was defined and deployed on the go
and there was no clue as to which hardware was used to run it. It simply gave
the results.
The first run is slower (cold run/cold start) and subsequent runs are
faster (warm/hot run). So that's it. That's what they call functions; I do not get
the practical use for this feature.

## 3. OKE (Oracle Container Engine for Kubernetes)

Gyan (background): what is the container model? With VMs it used to be that two
different VMs had two different OS/kernels, each with its own separate capabilities.
So even though the physical H/W was shared, VMs still had their segregation, and when
one VM was idle, the other VM could not use the resources allotted to the idle VM.

With containers, these hardwired segregations were removed and the container
architecture was introduced, where the containers (previously VMs) share the same
kernel.
They have the ability to sneak in and make better use of the hardware at runtime. The
applications and dependencies still maintain the level of segregation; however, the
kernel and the H/W are better utilized in the shared model.

Also containers are portable, you can write once and then deploy anywhere easily.

Kubernetes: It's an open source system for deploying, scaling and managing
container based applications.

A Kubernetes cluster is a group of nodes (nodes meaning VMs or physical machines).

Now these nodes together are called a Kubernetes cluster. Some nodes are worker
nodes and others are control plane nodes.
Worker nodes are the ones that actually contain the containers. Logically, when
multiple such containers are grouped on the same node they are called pods.
Every pod has its own networking and storage structure, which is common for the
containers within that pod.
If there are pods on different nodes but providing the same functionality, these can be
grouped as a service.
The thing about OKE, that is Oracle Container Engine for Kubernetes, is that entire
Kubernetes clusters can be scaled horizontally (more nodes) and vertically (more resources).
OKE also provides the additional feature of automatic upgrades for cluster nodes.
OKE also has self-healing cluster nodes. Meaning if there is any node failure then
the container engine automatically provisions new nodes to maintain cluster
availability.

OKE has no additional fees.

#4 OCIR

Upload images and update anywhere on the cloud.

Using the standard Docker CLI or Docker interface you can pull images from repositories
and do the deployments.
It works with the OKE repository or an online registry etc.

#5 API Gateway.

What's an API: Traditional API (SDK) // or Web API (OCI API) -> for eg: REST APIs.
Overall, an API from my understanding is a channel or a way to interact with a DB and app
over the network.

RESTful APIs talk to the microservices via a gateway instead of directly
communicating.
This is the API Gateway.
The gateway takes the request from the clients, applies a set of rules and
decides if the call/request should pass through.

APIs never run on a gateway. The gateway provides an endpoint to access that API. The
endpoint is available on the gateway.
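The gateway behaviour described above (match a route, apply the rules, and only then forward the call to the backend) as an added Python example, not OCI API Gateway's implementation: the route table, the API key and the per-client limit are constructed, and Gateway.handle and run_scenario are this example's own names. The rule order matters: an unknown path is rejected before any credential is looked at, the credential is checked before the request counts against a client's quota, and a backend is named only when every rule has passed.

```python
from typing import Dict, Tuple

# Constructed route table: what the gateway exposes and which backend serves it.
ROUTES = [
    {"prefix": "/v1/health", "methods": {"GET"}, "auth": "none", "backend": "health-svc"},
    {"prefix": "/v1/orders", "methods": {"GET", "POST"}, "auth": "api_key", "backend": "orders-svc"},
]
# Constructed API key -> client name. Real keys belong in a secret store, not in code.
API_KEYS = {"constructed-key-client-a": "client-a"}
# Requests allowed per client in this simulation (no time window, so runs are deterministic).
RATE_LIMIT = 3


class Gateway:
    def __init__(self, routes=ROUTES, api_keys=API_KEYS, rate_limit=RATE_LIMIT):
        self.routes, self.api_keys, self.rate_limit = routes, api_keys, rate_limit
        self.counts: Dict[str, int] = {}

    def handle(self, method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
        """Return (HTTP status, backend name or denial reason); 200 means forwarded."""
        route = next((r for r in self.routes
                      if path == r["prefix"] or path.startswith(r["prefix"] + "/")), None)
        if route is None:
            return 404, "no route"                  # unknown paths never reach a backend
        if method not in route["methods"]:
            return 405, "method not allowed"
        client = "anonymous"
        if route["auth"] == "api_key":
            key = headers.get("x-api-key")          # header names are lower-case here
            if key is None or key not in self.api_keys:
                return 401, "missing or invalid API key"
            client = self.api_keys[key]
        self.counts[client] = self.counts.get(client, 0) + 1
        if self.counts[client] > self.rate_limit:
            return 429, "rate limit exceeded"
        return 200, route["backend"]


def run_scenario():
    """Constructed sequence of client calls; returns the gateway's decision for each."""
    gw = Gateway()
    key = {"x-api-key": "constructed-key-client-a"}
    calls = [
        ("GET", "/v1/health", {}),                 # public route, no key needed
        ("GET", "/v1/orders/42", {}),              # protected route, no key
        ("GET", "/v1/orders/42", {"x-api-key": "wrong"}),
        ("DELETE", "/v1/orders/42", key),          # method not in the route
        ("GET", "/v1/orders/42", key),
        ("POST", "/v1/orders", key),
        ("GET", "/v1/orders/43", key),
        ("GET", "/v1/orders/44", key),             # fourth call for client-a: over the limit
        ("GET", "/admin", {}),                     # not exposed at all
    ]
    return [gw.handle(*c) for c in calls]


if __name__ == "__main__":
    for status, detail in run_scenario():
        print(status, detail)
```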
