Hands-On Workshop with Cloud.gov
Articles,  Blog

Hands-On Workshop with Cloud.gov

good morning welcome to our hands-on
workshop with platicas my name is Sean candle and I’m the director of cloud
backup here at the end the General Services Administration we’ve got a
pretty wonderful workshop planned for you today and I hope all of you will
have fun peter is is going to go into lots of
detail but I wanted to introduce clubs dog to you at a very high level to just
start off the morning so our mission that climate gun is to allow other
federal agencies to host to quickly host an update modern web applications right
clonic of his offer there’s a shared service from the General Services
Administration and we want agencies to be able to do this without having to
duplicate common infrastructure and security compliance work right what we
see across the federal government is every agency is doing similar things
when they want to host their application that’s right
they are building similar hardware and software stacks they’re doing that and
their data centers they’re doing that when they move to infrastructure as a
service such as Amazon Web Services or Microsoft Azure or Google and you know
regardless of application you’re trying to run them and what your exact
technology stack is it’s all very pretty much the same right you’re gonna put
machines in your data center you can put an operating system on them you might
run a database on them you do a lot of security configuration you do a lot of
networking configuration and then you load in that sort of an application
environment and then finally you run the application on top that you actually
care about the applications the PC care about the rest of it is just scaffolding
or infrastructure right and across the federal government we see this over and
over again which is one of the reasons we have a
shared service to like bring those things into one spot
the other thing we also see across the federal government is lengthy security
compliance processes right how many of you in the room are familiar with the
ATO process the fair number hand so the ATO processes is sort of the the
authorization process that allows the government to run applications right
regardless of how long it takes you to run your application
the ATO process can take somewhere between nine and 24 months right that’s
a long time between an idea developing the idea and then finally going out to
market with the idea right to serve your constituents so that’s one of the other
things we see and then finally a lot of across a lot of agencies we see that
it’s hard to hire for cloud operations expertise as well right each agency’s
wanting to hire decent-sized teams this is not completely simple so our answer
to some of those problems is to was to build clogged of at 18f we first built
clock by kafir for ourselves because as our teams went out and worked with other
agency partners that we found that we were doing a lot of that infrastructure
security compliance work over and over again and particularly each team would
have to learn how to do that but by building a platform as a service we were
able to sort of centralize that and then finally we got good enough at it that we
decided to offer it as a shared service to the rest of the federal government pictures talk about a lot of this but
private office is based on an open source project called cloud foundry they
is built on top of Amazon Web Services gov cloud and the thing we do on top of
that is we do a lot of baked in federal security compliance right so I will not
be that he’s getting a much better job of it one of the important things with
with clever gov is that it has a FedRAMP joint authorization board provisional
ATO at the moderate impact level that means he can run moderate
and FISMA moderate interest mellow applications in the cloud gov and what
this enables you to do is sort of review the authorizations for Classica that you
only assess your own application right so this hopefully makes your ATO process
a little bit shorter because you’re not reviewing your infrastructure stack so
in most FISMA moderate applications they’re roughly three hundred and twenty
five security controls that you have to take care of karamakov takes care of two
hundred and sixty nine of those controls that’s roughly eighty percent and forty
one of those controls are shared and then fifteen of those controls are our
customer responsibility themselves and Peter will go into some examples of
those if you run on infrastructure as a service like Amazon Web Services for
example you would inherit 50 for only 50 for controls and we inherit those too
it’s just we add a whole lot of controls we manage a lot of controls on top we’ve
got a number of of agency customers there’s two I love to talk about the
Federal Election Commission and the Federal Deposit Insurance Corporation
both run their main agency websites on Claddagh gov and the both of those are
great partners of ours we also run websites for the Department
of Education the Department of the Interior and then ATF Department of
Justice FBI and the Executive Office of the President in terms of pricing Claddagh gov has two
components one as an annual access deeper system that ranges from ten
thousand to nine thousand dollars a year depending on the FISMA classification of
your system and then there’s resource usage for a
year depending on the type of website that you have and that can range from as
low as a thousand to five thousand to 40,000 for those really monster websites
that are doing a lot of calculation and then to buy Claud that God is a pretty
simple process we use the standard interagency agreement process and it
takes roughly about four weeks to set up typically the types of ayase we sign are
for 12 months so I don’t want to keep you from the workshop I have two rules
I’d like you to follow the first rule is please ask lots of questions the second
rule is please try and have some fun and I’ll be around in the back of the room
if you want to talk about how Claude to govern your agency can partner but I’m
gonna hand over to Peter thanks for Sean well good morning and thanks for that an
introduction and I’m glad to see all your smiling faces here and I presume
wherever you are online hope you’re smiling also I’m Peter Burke holder I am
a platform engineer in custom engineer with cloud gov and I’m also here with
today is James Scott who’s also in the customer squad who will help helping out
online and in-person quick order of business the general outline for the day
is that we got our welcome I’m going to give a 20 30 minute overview of what
cloud gov does so that it will illuminate what we’re doing during the
hands-on workshop and we’ll do the hands-on workshop there’ll be a natural
break where I want people to catch up if something has proved to be a little
challenging you need to catch up with the rest of the group after that we’ll
have a will slack from federalists discuss how they’ve used cloud gov Genet
enable agencies to host their websites and then we’ll do the second half of the
workshop and a dedicated time for Q&A at the bottom of the page here I concluded
a link to the github site where all of these materials are and during the
hands-on portion you know in addition you’ll want to
follow the relevant slides so you can copy and paste the commands from those
into your command line and that particular URL you don’t need to write
it down it’s going to be at the bottom with every slide when we get to the
hands-on portion so I’m gonna launch into my thesis station thesis which is
that I want you to use cloud gov and therefore for reasons that motivate me
to work for cloud gov and to bring this to the federal government and the
American people and I want them to be your passion too the first is that cloud
gov enables a focus on mission like nothing else available to the federal
government and at a total cost of ownership that is below modes of not any
other option focused on mission and a focus on eliminating the long lead times
that we become far too accustomed to in building and provisioning federal IT
services since 2009 I’ve been a student and advocate student of an advocate for
the DevOps movement which is the idea from the private sector that we need to
shorten the lead time from aha to caching well there’s no catching as
such in the in our work but there is mission realization and the main tenets
of the DevOps movement is that we need to bring development processes to
operations teams such as using version control testing and automation to their
work and we need to bring operational awareness to developers and engineers so
when they’re coding they’re not thinking about they are thinking about how does
this scale how is it monitored how do I get logs back and how do i engineer real
viability more importantly this cuts across teams and by breaking down silos
between development operations security and QA not only do you move faster but
by continually release in small well pestered batches you have
better reliability and better security and this has been very welcome it’s
traded in numerous surveys of practice and most importantly to me it makes for
more sane and humane workplace when people can work office hours instead of
staying up late for heroic releases so focus on mission eliminate long lead
times and provide stewardship of tax dollars
there’s about 85 billion dollars a year in civilian IT spend and only 8.2
percent of that is classified as provision or cloud services that it is
actually reusing a system that someone else has built we are not seeing a whole
lot of value from Brad and particularly with the prospect of cuts in particular
programs there’s really a time to focus on how to get the best value out of that
dollar and provide the best stewardship of taxpayer money and lastly it’s a
patriotism that we should provide great public services that are easy to use
that are responsive and that are updated to suit changing needs and to be an
example to the world what we have built in cloud gov is open source and we have
already seen our work picked up by the UK office of digital services in
Australia as well as federal and our state and local governments and this is
something that is a benefit more broadly as well as us being able to pull back
some of their contributions in so how does project code view this well let’s
think we do this by thinking about your mission the mission that you might have
at your particular agency that you have a goal to serve for an example if you’re
with perhaps FEMA HUD or VA you may be thinking a lot these days
about housing for disaster victims how do you match up need for housing
with available housing at this point you may already have a team eager to get to
work some mix of project managers of product managers designers and engineers
and developers operations and security what are they going to need to actually
realize this mission it’s a platform where they can build the service where
they can test it and they can run it now when I say a platform there’s a number
of different components that make up a platform where you can build test and
run an IT service you have a technology stack say a web server like nginx or I
is an application server like JBoss or Python Django a database Oracle Postgres
sequel server you may need something like a cache to store results so they
can be served more quickly or an index of documents in addition to that stack
existing it exists not just once but in multiple places how do your folks do
their local development is your development environment where people see
this in in development for the first time in a shared environment can that be
replicated in testing pre-production and production how do you manage your users
within these environments who has the ability to manage other users who has
the ability to create and delete and manage services within these
environments or who just has read-only access and on top of this how are the
operations managed day-to-day patching and vulnerability scanning gathering and
storing logs scaling out to a content delivery network and assuring high
availability this frankly at this point in time in 2017 should be considered a
commodity think your iPad or Android tablet you largely self-service those
systems you don’t go to the Genius Bar every time you need to update
the Wi-Fi or get new software they come with saying two faults they have vetted
applications from a marketplace they are regularly and continually patched which
you can deploy a high degree of confidence we have the bold notion that
we can treat much of the underlying platform as a self-service commodity
that is still performance and compliant and what this enables then over all but
then the cloud gov ecosystem is acquiring cloud gov within weeks get it
running within hours being able to build your service in a course of months and
see an authorization process that takes weeks a little bit about more about what
cloud gov is open-source built on Cloud Foundry which is the same platform that
is used by pivotal IBM Monsanto Ford it’s used widely in Japan both in open
source versions and in pivotal zermatt commercialized version it’s built atop
Amazon Web Services gov cloud which is it has a federal ATO through FedRAMP
it’s available to departments and agencies by ia a cloud gov has a
moderate risk creating authorization equivalent to just a level two and it’s
run by GSA technology transformation services with staffing by eighteen out
as a cost recoverable service now when I say that we’re using platform as a
service that means it’s a pre built environment ready to deploy your
application and your developers and engineers can focus on mission needs and
these resources underlying the platform of managed by dedicated operations team
operating systems databases audit trails so on the right side of the slide here
we have the typical breakdown of what you know it’s a platform as a service
infrastructure as a service and data center with the
layers of infrastructure need to support that if you’re in a physical data center
you’re responsible for everything from the concrete pad on up
fire suppression power cooling the hardware the racks the servers cabling
the routers and then the platform what operating system are you running how is
it patched what database services are you running etc and only then can you
focus on the actual mission need of running the application what we see
abroad moved towards in governments and in private industry in moving to the
cloud is focused on infrastructure as a service and automation infrastructure as
code and I came to Federal service from chef software based out of Seattle where
we along with ansible and puppet and others provide automation software and
what I found over and over again was that focusing an infrastructure that as
a service and infrastructure is code is a great investment but it often often
leads to relitigated the 30 years of decisions that went into how you built
your data center in the first place and so organizations get stuck there and
beam while the project managers and the developers are saying please just give
me an app sailor or in a database and let us get to work this is the problem
that cloud gov tries to solve by making it easy to get to launch no three stages
need to get to go go through to actually launch one is to procure your your
platform need to implement your application or customize that cops
off-the-shelf application and then you need to get it authorized and let’s walk
through the steps that are involved in doing that with cloud gov procurement we
make things simple even before you procure anything
because agencies have the ability to get sandbox accounts before you’ve even
procured anything you can come into cloud gov with your sandbox account
which will be using the hands-on portion run applications that have less than one
gigabyte of memory connect to the free database tiers and other services and
get to work the iaa process as shashank mentioned takes weeks instead of months
and then we have transparent pricing which is essentially the risk that we’re
assuming modified by the complexity of the application so a trivial application
in a prototype package twenty thousand a year a more complex application at a
FISMA moderate 110 thousand a year and here’s a recapitulation of the chart
that Shashank showed earlier so that’s procurement so the question
was is this pricing refer to one application and it would refer to one
system which may have multiple components so when will slack introduces
federalists we’ll see that there are multiple there are at least two web apps
and several different worker tiers and storage but since it is funded as one
system then it’s priced out as a service as one system yeah oh sorry I should say
when months is or years of what it would take to do a full procurement in an open
bid and and then riaa process on our side it takes about four weeks because
we’ve highly optimized every single step there whether it takes longer than that
on your side that’s on your side so now let’s get into the implementation
you need to make sure that you have users assigned to spaces or environments
with particular roles you want to work on your application and you need
services for those applications to store data or interconnect with each other on
the user side users need to authenticate and I need to have authorization to do
certain things the authentication can use either your
agency’s identity provider as we’ve already set up for FDIC GSA EPA and have
in process for FEC and then all of the authorization roles are stored within
cloud gov and this is broken down into tipic into stock cloud foundry roles
where either your manager you can control other people’s roles a developer
who can create manager resources or an auditor who has read-only access those
can either apply to the entire organization which would map to a
project or program or it can be mapped to just a single space whether that’s a
development space or production space for example the breakdown is at that an
organization has multiple users with a permissions table within the
organization there are multiple spaces that users have roles within and then a
single space will have its own apps and services and those are distinct from the
applications and services running in other spaces so you can call an
application the same name in both spaces and they won’t interfere with each other
so this next slide is what you see when you go to Amazon and start to configure
default roles for a member of your organization there are hundreds of
default goals and probably an infinite number once you start tuning them
because we’ve built cloud gov with saying insta
pure defaults on top of Cloud Foundry the similar dashboard and our manager
interface is simply a matrix of users and whether their manager auditor or
developer what this looks like on a command line if you wanted to put
commands into a text file to recreate your entire project someplace else
because we’re going to be doing some of these commands in a few minutes is we
create I as a manager create three different spaces development stage and
production and then I assign particular roles to users so Peter B as a
development gets to be a developer but in the production space I only get to be
an auditor what we’ve just done here is we’ve stepped onto a time machine we
have in a matter of weeks potentially procured platform to run our application
and we have already implemented users with authentication that have roles and
dev tests and product environments they can get to work this is a process that I
have seen take months when you’re starting afresh with hardware or in
infrastructure as a service as you determine how do people connect how do
they authenticate what do we build how do we replicate those builds how do we
make sure people have access to the right things and it can once you’re
ready to go take minutes with a platform as a service developers can get to work
just as a quick example here the five commands a Python developer would need
to push a sample application open it up in a web browser see that it works and
scale it up to four copies speaking of Python what languages and services are
available in detail in cloud gov which is that we fully support with what
are called build packs are these nine Java Ruby node Go Python and PHP and
dotnet get the get the most years the dotnet is Microsoft’s open source
version with dotnet core 2o has a potential support a lot of Windows
applications that we couldn’t support natively before it’s we’re excited about
that development the code that you write in these languages then have a number of
back-end services that we provide natively
in in cloud gov databases are through Amazon to relational database services
you support the two Postgres and my sequel and I’ve recently added support
for Oracle and you’ve spent a Oracle it is with AWS is Amazon’s pay-as-you-go
license things don’t have to worry about brokering a license deal with Oracle to
start using it the databases are configured to encrypt at rest and you
can only connect to them from within cloud gov again more the same defaults architecture binary storage with Amazon
s3 similar to measures blobstore you can host any domain in cloud gov and we also
tie into the cloud front content delivery network so you have all of your
static content stored at edge nodes across the internet so you have very
fast load times for your customers we have Redis an elastic search for
providing data structure stores and full-text search and you can friend PI
back into crowd californication by by providing a provisioning of service for
that and can provision service accounts if you want to tie in your releases to a
continuous integration and continuous delivery system and yeah and back yeah the most the
pricing for cloud gov is frankly around our overhead and and staffing and so we
price that within the complexity because we might have to bump the some of those
prices if you want to run the largest database size of Oracle for example the
question was how do we price some of those services and is there not
pay-as-you-go they are for us but not for you operationally we make sure that all the
logs come in from application are gathered stored and then available
through an indexing system you can also we’ll look at that during the hands-on
portion we can also stream them back to an on-premise log store if that’s your
preference and you can connect to their various ways to diagnose and your
application if you want to track down any bugs one of them being SS aging
getting a session on to the short-lived application containers both that’s a
picture mint and the implementation how do we go how do you go about getting
this authorized and this is where the stack of paperwork comes in of course we
have the ATO process and so your CIO needs to sign off and accepting the risk
posed by your application whether that’s high moderate or low depending on the
damage if either the confidentiality integrity or availability that
application is compromised of course we follow the controls laid down by NIST
853 sheshank laid out earlier well let’s
look at think about how those controls fall into different realms if you’re
running a data son you’re gonna be responsible for moderate output FISMA
level application for all 325 including such things as who are your security
guards physical environment control 3 what’s your process for wiping just
clean media protection control 6 if you’re using an is service like
Microsoft Azure or Amazon AWS you inherit roughly eighty eight of those
controls you’re still going to be responsible for 237 such as what happens
to your system logs audit control twelve what’s receiving how is a kernel and
operating system patching taken care of system integrity control to the cloud
dog model for a simple application running thin cloud gov for at a moderate
FISMA level is that two hundred and sixty nine of those are handled by God
not just eighty eight there are 41 that are shared information spillage is one
example another point would be audit six that
there’s an audit review and analysis process so cloud gov provides the
built-in logging feature but it’s upon the customer to review and analyze their
own logs and then you would be fully responsible for fifteen of those such as
verifying the credentials of the people who are working with you this is what enables much faster Atos
you have 15 controls that you’re fully responsible for and then the other 41
shared and then 269 that you can inherit if your application domain has not
changed the parameters on which you’re being assessed plus as we noted before
we provide simplicity and secure defaults the s3 bucket we mentioned
earlier there are a number of new muris ways to configure those if you have the
full Amazon API at your disposal but we just say either their basic or their
basic public if you want to make assets available to people using your site more
broadly we want to enhance compliance and security across the government by
reducing the amount of shadow IT by enabling the self-service so we have
fewer servers in the closet or today what people called credit-card cloud how
much as your Amazon can you put on your peak art and then we take our
responsibilities very seriously in terms of patching a example is that in June
there was this potential kernel exploit and Linux called the stack clash the
standard is to patch those vulnerabilities within 30 days we had it
out we have most patches like this out within 24 hours of release and this one
we had without within 13 hours which is largely the amount of time that it takes
to rotate across all our machines and that is done without any customer
visible downtime because the containers move from machine to machine as they
become available so we’ve gotten the three stages of procurement
implementation and authorization if there is something that you need for
your IT system that’s not yet in cloud gov it might very well be in our roadmap
some of the things we’re working on currently is tick ingress control
meaning that if your agency employees and contractors have to come through the
VPN to get out to cloud services we would validate that for a particular
agency they’re only coming from the white listed addresses that are
associated with your agency we’re gonna work on enhancing our cloud gov login to
use pivot cards instead of just in addition to as an option instead of
using tokens on your smartphone the containers that are running in cloud
backup or already have a lot of default permissions removed but we’re going to
do scanning on top of that so if they start behaving in a way that’s not in
accordance with the profiler it’d be flagged and terminated persistent file
storage would provide Network shared file sort but your application needs
that your state the ability if you need to provision something outside of our
standard provisioning service through AWS and we want to provide a built-in
CIC G service these are things that we’re looking at in the next one two
possibly three quarters for the CIC G service as we figure out what to build
and how yeah yeah I mean we’ll talk to me and James during break okay the
question was about CIC D and or email cloud governed queries so there’s a lot
to be said there so we’re um step back to the mission which wasn’t
just a supposition now but it is realized you have your team that is able
to get to work on a platform where they can build test and run I’m just gonna
scroll back here to slide five which is that everything I’ve listed on
this slide thus packed the environments the user
management and the operations are all included in what we provide with cloud
gov and that is the promise of working with us and we hope that provides a
compelling introduction to the hands-on portion before we move on to that are
there any questions yes yes I know this let me just finish one little
configuration step here okay it’s a little small I’m afraid but if you go to
UM it’s on the bottom of all these slides so go to github.com 18f CG
workshop the readme there will point you to the different slide decks that I’m
walking through they’re written in markdown so they’re easier to print and
it and to scroll through so these slides here for the next section of this of the
workshop is in file zero one slides setup MD and but yeah github.com 18f CG
workshop and if someone could type that into YouTube chat James then people can
can catch up are they any questions on YouTube chat there are look it looks like our
colleagues are answering them though James you can see anything there they
should repeat out to people let me know great thanks
so workshop why a workshop well getting your hands on is the best way to
demonstrate how people work at the Cloud Foundry workflow and to help understand
the architecture this is not a training course it’s more of an appetizer but it
should give you enough cloud God that you can use your sandbox account
effectively to start kicking the tires and I hope also enough cloud gothic will
continue to have more questions as you dig into what it can do and that you’ll
pursue it for your agency for most of this workshop I’m going to be moving
through the slides to a particular stopping point and then wait for all of
you to catch up instead of trying to go at your pace slide by slide the
exception is going to be some of these setup slides at the beginning and I’ve
structured this as a set of user stories as if we’re doing behavior driven
development I as a project manager or developer or CISO wants some hints are
the logistics of this workshop so I can participate effectively I suggest that
if you’re working on a small laptop screen that you have on one side your
PowerShell or I term window yeah if you’re working at home have YouTube live
in one corner and then the web page with these lab lab notes
jarl shown in the footer so you could follow along and copy/paste this is how
I had things set up when I was practicing these slides with get small a
laptop screen but we were notes down here in a terminal screen on the right
some of you are using Amazon workspaces because you can have systems available
to you that you run the cloud found retool I found is that use here
local Internet Explorer Firefox to follow along in YouTube and to read the
notes if you can download the Amazon workspaces client great but if you need
to use the web client through Firefox or Chrome it does work and I uh this for
those of you were using workspaces you should have got an invitation
this runs by really fast click through on it create a password and authorize
yourself when you get in if you have if you have to use web access to do that
make sure that the registration code matches what you are sent and then once
you enter your credentials the workspace you have should already have a link a I
cannot about autumn for PowerShell open that up size it down to one half of the
screen and then slide the whole browser over so you have again the terminal on
the right and your web browser is over on the left don’t need to see that again see me have
that set up let’s cover account creation how many people here already have
clogged of accounts okay the majority so I’m gonna go through this though for
those of you who don’t because it was a significant minority this assumes you
don’t already have an account with the GSA EPA or the FDIC if you already have
an account make sure you can go to dashboard hard at cloud gov and your
login still works if you’re having a problem with your login operators are
standing by to help you if you don’t have an account you start at account dot
F our cloud gov slash sign up by the way the fr cents for FedRAMP before we got
FedRAMP we were just account cloud gov we need to move everything when you go
there you should have a screen to send yourself an invite and then you get a
confirmation the invitation has been sent when you get the email you can
click on the accept your invite link or copy and paste it as necessary and then
you can redeem your invitation create a password meeting the standard complexity
requirements and when your passwords match you can go ahead and click on the
button to create a cloud that does account verify your
walking by entering your email address and password again and and here’s we get
to a little bit of a stumbling block at this point you’ll be prompted to set up
your password your one-time password Authenticator on your on your smartphone
the way this works is you’ll meet that on your phone since we don’t yet have
pitcock enabled you can use on your phone Google Authenticator Microsoft
Authenticator aarathi depending what’s approved for your use or your preference
these slides show Google Authenticator search for it in the App Store and
install it open it on the main screen of Authenticator click on the plus button
to add a new one and then scan the barcode and this is where you point your
camera at that code that’s displayed on your web browser and your phone will
buzz saying that it’s gotten the the scan correctly it’ll display a one time
password for up to 60 seconds in this case for 60 7 8 10 you enter that on the
screen in the cloud I’ve got registration process click register do
it one more time to actually log in and then you should be able to get to the
dashboard if you’re from one of the five agencies that didn’t have a sandbox set
up prior you may need to rate wait 5 to 10 minutes to that actually gets
provisioned don’t worry about it you’ll be able to catch up by the time we get
to that later on if you do have your account already available you should now
see your organization’s within the dashboard and you can poke around in
there for those of you we have an account the process should
have looked something like this you’re going to dashboard gotta fart cloud gov
you’ll be prompted to agree to the Terms of Service your identity groups select
your identity provider which would be cloud gov unless your GSA EPA or FDIC login get the token off your phone and
enter the token and you should be in and I’m gonna pause here for a moment for
people to kind of nod if they’re able to get to dashboard on the dashboard not if
you’re there shake your head if you’re frustrated you’re online drop a message
into YouTube about what’s going what’s wrong if you’re really having problems
just we’ll try to handle those one-on-one during the break and we’ll
move on for the rest of you okay we have our log into cloud gov next
step in order to get working is to make sure we have the Cloud Foundry
command-line utility installed it can actually start deploying apps why well
the Cloud Foundry command-line interface this is the main way of interacting
really within cloud gov on a hour to hour basis it’s a multi-platform binary
written in go that lets you interact with the API that drives everything some
of our services are available through our dashboard primarily ones that may be
used by program managers who have less reason to use the command line interface
day by day and just need to come in and check on the status of things and make
sure that roles and permissions are correct or to remove someone from a
project pretty much everything else is going to be available through the
command line of course there are benefits to command line interfaces one
is that by expressing your intent as code you have greater ability to
automate by putting things in a text files with variables as needed you can
collaborate by sharing code even it’s just copying and pasting or looking at
other people’s examples hello server fault comm and of course it can
corroborate that the change you’re expressing in code is actually what
you’re wanting expresses your intent by using version control system so other
people can review your code before it goes into production so lab two let’s
install Cloud Foundry and actually use it to establish a session in your
terminal with cloud gov the crowd round releases are available for download on
github I’m gonna move through these slides the URLs are in your notes either
online or or in the printed version so go ahead and go there get the Installer
appropriate for your systems go through the installation steps I haven’t shown
those steps because they’re different for every platform I think most of you
installed software in your systems before if you’re on a Mac you can with
homebrew installed you can just do brew cask install cloud foundry dot dash cly
and if you’re using the remote workspaces Cloud Foundry is already
installed after the Installer has finished if you run the command CF you
should see a list of command options that looks like this see ya then you get
back the version number and you start getting a bunch of different options for
different commands that you can run it and I’ll wait here until folks until
most of you have Cloud Foundry running can you raise your hand here if you have
a the CF is working for you all right a few people still working on it raise
your handle bar just a little bit longer because if you already have it installed yeah I’m gonna move on with the login
and then we’ll take a somewhat longer break for the rest of you to catch up I’m going to show a short video here
because this is where I’ve seen some people get confused the login from the
command line is the command CF login – – SSO single sign-on and then – a and are
the URL for API you’re only gonna have to do this the first time you log in and
remembers your your API going forward to confirm you’ve logged in the CF orgs
command will list some of the organ is Asian so you have access to it might
only be one that’s okay okay the way the way I’ve structured this is that I get
to a point where I say further exploration so if things are working for
you you can continue poking around and then we’ll pause there and make sure
everyone else is caught up after you type that command you’re gonna get
echoed back to you get a one-time code at this particular URL you visit that
URL finish the login process to cloud gov and you get a one-time password that
you either type or copy back in let me just go ahead and play this but here I’m
typing the login command that says get a one-time code I copy that URL paste it
in to the browser and then I agree and continue do the cloud gov login enter
email address password and token then it displays a one-time password I copy that
from the browser and paste it into the terminal if you’re using the web browser
to access the Amazon workspaces remote station copy and paste doesn’t works
you’re gonna have to type the authentication code in if CF orgs if
you’re logged in when you type CF orgs you should get the name of at least your
sandbox account and I’m gonna pause here then on the further exploration page
everything’s working for you try some of these other things and poke around a bit
at what Cloud Foundry can do and let’s care of questions any questions here in
the room and this is section lab 2.2 you’re looking for the header okay other
questions so if you go to the dashboard and you see oh I don’t have it in this
slide deck um let me just see what’s happening for you good I forgot to mention but when you
enter your authentication code your terminal won’t echo it back so it looked
like nothing’s happening and so let’s go ahead and copy and paste
and then hit enter and it should actually pick it up and and yeah hit
return okay credentials were rejected so you
probably need to refresh this page and get a new authentication code and try
that one because it may have expired ah you’re good oh there’s not the question all right so if people are getting
credentials are rejected try again go back to the webpage that has your
temporary authentication in it and refresh it because you may have had it
they are for a longer than a minute in which case is expired so then you get a
new code you’ll copy that and paste it you won’t see the pass code visible when
you paste it in and and that’s okay okay and this is going to be the part of the
day that has the most hiccups contractor with USDA and I had a invite me but
should I be able to see the organization if you’re not getting anything for the
CF orgs command a type C F space target and it’ll show in this case that you are
connected as a user but because you used your in this case because you used your
calm email it’s refusing to create a space for you do you have a USDA email
address no that’s okay then you’re kind of at a rock for cloud gov okay you can
go to Ed little calm and create a free account there for Cloud Foundry and most
of the steps are the same okay all right is it possible to which is what I did
yeah so the question is if possible as a contractor with a.com address to still
use cloud gov and the answer is at this point state if you’re actually a
contractor with them they need to give you a
gun for dot Miller that you asked address okay if that’s at this point if
it’s like if you folks want to buy and you’re blocked by this will work it out
like save people at IT consulting calm can can get in so you’ve got so a user
here has gotten to the dashboard and so go back in the notes and follow the
steps to install the Cloud Foundry command line okay then
and if you can’t install it on your laptop then during the break we’ll
provisional workspace for you okay all right well at least you have Firefox
installed so that’ll work okay aside from the people who I know
are kind of stuck because they can’t install things is anyone else
struggling to get the Cloud Foundry orgs to display do you need help then okay
and folks remote I have no way of assessing where you are so I’m just
gonna have to go with what people have here in person to to reflect back okay this is moving at exactly the pace
I expected so that’s good all right now we got to do something for real on on
cloud gov starting the simple example of I want my agency’s website to be
accessible at a public URL so the American people can read it well we’re
not gonna we’re not gonna take over your agency’s URL this morning not quite yet
we’ll get there give us a few months but we’ll um we’ll get something displayed
at your name about a plug of now to do this we’ve been following along with
some of these notes that are in github we’re gonna download that repository so
you have the lab materials available on your laptop so we’ll get our lab
materials and then we’ll use the command Cloud Foundry push CF push to send the
files to cloud gov to package the site and start to serve it you don’t need get
installed because I know that was that hurdle for some of you so here are the
commands for either the Mac Linux shell or the Windows PowerShell in both cases
I mean assume they’re gonna install the workshop materials under your home
directory pick another directory and adjust the commands is necessary but
ceded your home directory for mac linux shell you’ll type this curl command to
download and save the file cgw step then you can unzip it and change directory to
that unzipped directory on PowerShell similar but you use the IWR command to
save the output file cgw zip get it from this bitly URL if you’re on the
workspaces you can use 7z extract unpack the zip file if you’re not you should be
able to use the extractor that’s bundled with your file explorer to do that to
check your work when you run the LS command in cgw workshop master you
should see something like this admin images the names of some of the lab
directories I’m going to move keep moving through these slides and then
we’ll leave wait for people but people kept up on the on the sea or on the
further exploration site when you’ve gotten that unpacked and moved into that
directory you will use the push command to say all the materials that are in
called that are in lab 2:03 site we’re going to push that up to cloud gov so
use this command here CF push – F give the path to the deployment descriptor as
it’s called or this site and then given your name unless your name my F name L
name B I don’t know Tim Harvey or or Tim Hays or or whatnot what happens when
you’re in CF pushes several things first the Cloud Foundry command line will put
the files that you have in that directory to cloud gov based on what’s
in your deployment manifest there’s in a staging process where something is where
an artifact is created that’s called a droplet and then when that’s executable
to just start do there’s running and a route is created to the app so this
steps here in a sequence diagram just to get a little bit of the flavor of the
Cloud Foundry internals the cloud god uses it’s a CF push you run CF push the
command line says okay I’m going to tell the cloud controller to create an app
the cloud controller stores information about
the app in the database the command line uploads the apps files in the cloud
controller stores those in a binary data store and then the command line says
start the app to the cloud controller the cloud controller first finds
available VMs in what’s called a staging cell the staging cell will bundle the
whole application when it’s done then the cloud controller will say start the
app to one of the production virtual machines should get the app from the
binary store then start running it and report the status that can take 10 40
seconds depending on the complexity of your app actually I should say you can
take 10 seconds to 5 minutes depending on how many build steps so if you’re
building something like Java but then within cloud gov you should see a when
you run the CF push command your results look something like this as creating app
a bunch of output at the very end it says here’s the URL and and at the very
end the state of the application you just pushed you can now try accessing
your site at HTTP F named L named app cloud gov and should just say hello Tov so when you can access your site you can
try the following steps what happens when use F HTTP how do you get info
about your app and so on but we’ll pause here at this slide and
we get everyone through the steps of downloading the labs and getting their
site actually running oh and also this is also the break time so everything’s
working for you you want to take a break we’ll be back in 10 to 15 minutes while
we get everyone else caught up to this point you hi I’m sorry not to update the slide
sooner we would be back at 10:30 ET so I’ll get that
I’ll get you the bill pack question in the next lab forward is here I need to Matt and that’s what did you get that yeah all right okay we’re back those of you who had
remote Amazon workspaces provisioned it seems
that your agency spam filters may have either blocked it the invite entirely or
sent it to spam do you look for something that has the word workspace in
it from about 10:30 last night if you didn’t get that at the next catch-up
break drop a message into YouTube chat and I will send you an invite to a
non-government account it’s still valid just sends you an email so you can
follow the link to finish the registration process and then I tear
down these workspaces at the end of the workshop now great we’ve got a static
site up what we want is a dynamic web app so that users can actually interact
with us this time we’ll use CF push again but
we’ll change to a different lab directory to stage and run a dynamic web
application and it also sees some what’s in the disappointment descriptor file
the manifest at yamo and the role that it plays which is what it does it
provides application metadata to Cloud Foundry and we use this to set non
default settings like maybe it doesn’t need a full 512 megabytes of RAM or a
full gigabyte of disk space allocated because for a workshop we don’t need
that much so we’ve specified specified lower values for that and and then there
are other things you command can specify such as particular routes or the
relationship between workers and web apps in this case Sinatra source a ruby
red web frame the framework the deployment process the same for any
language that is supported by Cloud Foundry but first let’s revisit what
happens when you run a CF push the same steps we had before but I’ve
updated it because now we’re sending app files up for the app in the staging
process we’re creating an executable artifact and all of the build
dependencies for your application that the runtimes need that the runtime needs
is frontals into the droplet and this is a job of the of the build pack and once
it’s running again a route is created to the app and the app starts on the
application host what build packs do is to facilitate craning a runnable
artifact called a droplet and that’s the combination of the application files
that you send up plus all the runtime dependencies that are needed to run
which then builds the app artifact these can either be fetched from standard
repositories but if you want to bundle all the dependencies ahead of time so
there’s no dependency on external internet access you can specify your
application does that by providing all of those dependencies at push time the
applications are started on specialized virtual machines called cells oh sorry
someone had asked about build packs earlier is that enough about build packs
for now would you do yeah so the build packs we have like nine supported
languages if you wanted to run something that’s not supported by one of the stock
build packs I had someone asked about running a statistical application under
our there are lots of build packs available that are open source so you
could go ahead and say build this application to provide a sistah chol
service on a webpage that’s backed by our and you can provide that build pack
what we do with the build packs is we make sure they’re always updated to the
latest release so if you need to get the latest version of Ruby or Java and it’s
a very simple maintenance application stuff just to restage that application
so it picks up the latest build dependencies without actually changing
the code that’s running anyhow the apps start on on cells if it
binds to a TCP port then then it’ll receive web traffic you don’t have to
have a web app you can’t have just worker apps that are there listening for
events like look watching a queue or getting files from s3 and doing video
processing and we’ll explain how federalists does that here at our next
break just to give a simple diagram you as a consumer hitting an application
that’s running on Cloud Foundry we will hit the router the router will determine
which of multiple virtual machines to send the request where your instance is
running and so multiple applications are distributable as instances across
multiple cells so take a look at the manifest MO and determine how much
memory and disk are is this application use using compared to the defaults of
half a 512 megabytes of RAM or a 1024 megabyte this quota and if you take a
look at that you see that we specified deployment manifest that’s quite a bit
less than that now when we launch this application the name that you have
running in your sandbox will still be CG lab but we can’t have multiple versions
of CG lab running at one URL within cloud gov so the random route true will
append a couple random words to the name of the application so that the routes
don’t conflict with each other as before to push this application iran CF push
dash F the path to the manifest that for app manifest animal the name of the
application and when that runs you should see that
it’s downloading a ruby build pack and when it completes when the push
completes you’ll have a URL that has some random words that you can follow to
see the new version a new application you have running if you interact with
the webpage you can see you can enter in a name and then be press submit and it
says hello to you the other step that we’ll do in this lab is to take a look
at the status of the the current application the command for that is CF
app and the name of the application CFC G lab in this case look for something
like how much memory and disk it’s using the output should resemble how many like
this how many instances are running and I didn’t highlight at the bottom but it
shows how much memory and disk are in use so we’re gonna pause here while you
until you get to the point of being able to run CF app CG lab and returns the
results for your application um if you already acted when you get to this point
and then what and waiting the rest of the catch-up of course you can take
these other steps I am going to pause here to take questions while people get
to this point and then we’ll continue forward with our
will I forgot to have you right after the break
so we’ll do you when we’re done with this slide I think we’ll we’re kind of
on the flow with the lab so how would if we do you in or one where I get to 1120
all right okay I’m gonna turn off the mic while I
take questions here around the rim and we’ll be back in about five minutes that came up here from some folks who
are ambitious and moving ahead is would I be able to connect an application to
an external database service since we don’t yet support Mongo as a standard
service absolutely you’d create what’s called a user provided service and you
tell the cloud gov application that should connect to these particular
connection URLs and then for demonstration testing purposes that
should work it’s something like that’s going to be a operational need for
something wanting to host with cloud gov and talk to us and we can revive our
experimental Mongo cluster and make an production ready Oh folks I seems like
people are moving fine with getting that application running so that is fine for
showing that you have a dynamic application that can take an input and
do something with it does it store anything anywhere no and any useful
service on the Internet it’s gonna have a data store so what’s
provision of Davis data store and use it in our application first and this is
where we start connecting our apps to the services that are available within
cloud gov we have a marketplace that you can browse and things can be within
there are either free or they’re available with the paid account you’ll
use the create service command to provision a service that’s associated
with your space that you’re working in and then you need to tell the
application the service to talk to each other with what’s called a binding and
use it and you’ll use that command and we’ll see that the application gets
information about what it’s connecting to the environment variables that are
set within the running application environment so the steps in this
is first to run the CF marketplace command to see what services we provide
at this point in cloud gov you’ll look for something that’s called Redis 32
which is version 3.2 of the Redis data store and you can get details about that
particular service with that command C after marketplace – asks in the name of
the service something ask yourself what’s the max memory available with the
micro sized plan just what we’ll use today and the output you’ll get from
this is that there’s a couple different Redis options and you’ll see with
marketplace – perhaps some of the details about the AJ the standard plan
and the micro plan at that point you can go ahead and create a service the format
of the create service command is create service the name of the service the plan
essentially the size is it micro standard among mega size and then give
it a name and that’s a human readable name that helps you associate what the
service is for in this case I’m calling it CG lab – Redis creating the service
will take about 40 seconds so after a minute when you run the CF service CG
Wow – Redis it’ll show the status of that command and you’ll want to look for
something that says that status create has succeeded the next section of the
lab section 5 3 is to associate the service and the application with the
bind service command your application needs to know that CG librettists exists
it can store data there so you’ve run CF vine service the name of the application
the name of the service if you’re curious how the application CG lab knows
about the service you can use the environment command CF to view those
environment variables if you check your work there the fine service
command should succeed and look at the environment variables you should see
something called vcap services and interest for rent as three – there’s a
lot of steps in this lab so keep moving forward at this point you can push the
new application of your version in a new version of your application it’s the
same as the other CF pushes we’ve done before only you’re pointing to a newer
version of the application something to ask yourself after you do that has the
URL change for this application or as it remain the same at that point you can
visit the app at the URL that’s echoed back at the random route hey take a look
at what it does and here’s the output you should expect from the push with the
URL at the end and showing that it’s running with a certain amount of memory
and disk made available to it and when you visit the webpage and refresh it
you’ll see something that looks like this saying how many times you’ve
responded to a particular request and then if as an optional exercise you can
go ahead and scale up the number of instances that are running this
application and then when you go to the web page you’ll see it you’re bouncing
between instance zero and instance 1 of the application and the data store is
keeping track of which instance has had a certain number of visits just to
review as we said before that’s because the router is seeing what instances are
associated with this running application and will route
traffic appropriately between them and you can go ahead and start flying
away at this lab and we’ll wait here if you haven’t already take advantage of
the further exploration steps and I’m going to take care of some questions
what people kept up to this point and we should be
about three maybe five minutes okay we’re still having a few people
that are working on this so we’ll take another couple of minutes to get caught
up and take it from there okay great at this point we have a web
application in the cloud that has persistent storage and that has scaled
across multiple instances and we did this with some stops and starts just in
the context of a morning this is not a production ready application it could go
to the slash env path on the application it spits out all of the environment
variables that are available to the application which is something you would
never do in a production app because it includes the connection URLs but it’s in
this app just so you can see what things are available there passed in as an
environment variable we’ll see other problems with it as we go on into
looking at logs and debugging I mean you as a engineer program manager
security person you need to know what your app is doing so you can debug it
and monitor it and in this lab we’ll take a look at the logs that come from
the application the events that Cloud Foundry has recorded about your
application and do some live debugging over SSH we don’t actually do the
restage maintenance step in this lab but as I mentioned before when there’s an
update to the underlying build pack for Ruby Java Python you give the restage
command to tell Cloud Foundry take that copy of the application you already have
in your binary store and rebuild it with the latest dependencies this is a sort
of thing that Equifax probably should have done too I should probably not say
that this is the sort of thing that is an important part of maintenance to make
sure that an entire framework upon which your applications built is regularly
updated in case there are bugs and security vulnerabilities to be closed up so you can view the current app of
activity of your app with the logs command you’re probably getting used to
this now you type C out some in the name of your application same
thing CF blog CG lab you start pressing refresh on your web page you’ll see a
bunch of logs streaming by and will keep streaming until you press ctrl C because
it doesn’t know when you want it to stop run that and take a look at where the
logs are front coming from did they say the name of the cell the router whether
they’re coming from an app or from some other component within Cloud Foundry and
you should get something that looks like that you’ll notice that when you refresh
you only get apps logs from the router and that’s because the application
itself wasn’t written to actually give any log information about how it’s
performing which is poor design but that’s expected because it’s something
that I have to gather based on some public code for this workshop as we
mentioned earlier though in the overview all of these logs are reviewing now are
automatically aggregated written to a elasticsearch cluster and made visible
in a log search service called Kabana which has some of the features of Splunk
but without the price so you can you view the logs for your app because we
split them out by organizations in space by going to log FR Cloud gov and the UI
has a lot of features in it but essentially if you just go to ya the
search box type eerr and press search then you can find any error messages
that have been emitted by your application at that point you’ll see
that there there are some results it just gives a one-line summary there’s a
little triangle next to it if you click that it expands everything about that
log message and you can look at what the actual message is and you can see then
if our app is giving an error what is that error
and does it actually matter and just a bit more of a view Aaron if we’re in the
search box search and then down at the bottom when you have a result underneath
the histogram it’ll expand that and you can see the information about the error in addition to logs generated by your
application in real time Cloud Foundry keeps track of what has happened to your
application with what are called events what you don’t want to see are crash
events that can be indicative of you allocating sixteen megabytes and your
application needs more than that it runs out of memory crashes proud found you
very kindly restarts it for you but it’s going to be in a messy experience for
your users so you don’t want that and check your
work you can see information about how many instances are running and when
things got started and so on by default your spaces that we provision for you in
cloud Gove’s Cloud Foundry have SSH secure session enabled to your
application instances if you run SSH and connect your application you’ll be
connected to a Linux container and you can see how many processes are running
you can connect up a debugger this is therefore not for production maintenance
purposes but for application debugging any changes he make will be wiped away
as next time your instance gets rotated which probably happens at least once a
week because we are continually doing maintenance on the underlying platform
so that the particular instance will go away even though your application is
still running you can to disconnect from your SSH
session you’ll need the exit command otherwise you’ll be wondering why your
commands aren’t working and that’s because you’re connected to a remote
computer not to the workstation you expect to be so when you have logs
events and SSH working you can try looking at some of these other avenues
for exploration and then we’ll move on to how to delete applications and
services to tidy up after ourselves and we’ll hear from we’ll about the
federalists experience on cloud gov so we’ll pause here for another few minutes
and catch up soon so it’s a good day you should just change so someone asked the Redis service that
we instantiate it can other apps you that same bredis and the answer is yes
if there stood up within the same space but every space is its own logical
domain so it went by default be able to talk to your doctrine version that was a not as many steps as the
prior labs everyone seems to be caught up people move on to managing unused
resources it’s at your cost effective and secure these resources are currently
being used and your sand and since they run in a sandbox we will start rotating
out sandbox services and applications after 30 days but to be tidy up your
workspace if you want to go ahead and delete your applications and services
now we’ll see how that’s done in fact if you do it then you can know how to start
everything up again it’s just a matter of CF create service CF push app find
the service push it again or restage it and you’re back running again so you
might just go ahead and delete all these things stand the back up again just for
your own satisfaction so but regardless on unused apps and resources cost
something to run and of course anything that’s not running does not present it
an attack service so we’ll clean up today with the delete command which
takes care of an app deletes services to get rid of Redis and then as we
mentioned earlier the router keeps track of the URL that should be mapped to a
particular application and we need to delete those routes
unfortunately there’s the delete orphaned routes that takes care of them
in bulk for us most of these delete commands will Ex
not do anything until you type Y or yes and press return
so if nothing’s happening it’s probably expecting the response from you to know
what you need to delete hurts me to list what’s running and you can list all your
running app CF apps and then go ahead and delete each one in my case it was
that would be delete see G lab and to the Peter Burkholder outfit I’ve done is
the first demo and you see there you get the listing of the apps
and of course really delete the app CG lab and yes I mean that likewise with services you can list them
with the CF services command and then delete each one with the CF delete
service command and it should only be one service running the Redis one you
can delete that and roughly the same output list the services and then
confirm the delete service and lastly you want to take a look at the routes
that you have enabled with CF routes the routes will all have may have a
application connected them or they may be orphaned if there’s no longer and
half connected to them you can delete routes one by one with the the read
routes command but the syntax is a little clumsy and generally it’s faster
in an in a sandbox or development advice environment just to delete all the
orphaned routes with the CF delete orphan routes command and you can see
here the output from the CF routes shows two routes for host Peter Burkholder app
drop club back at that cloud gov CG Lena lab random word but there’s no app
underneath the apps column there’s nothing there so those are orphaned
routes and they will get deleted with the CF or can browse command and at this
point these commands should show nothing running if you’ve done this correctly CF
apps CF Services CF routes and you have
completed the workshop and tidied up after yourself give yourself a round of
applause I’m proud of what you’ve done I’ll give you a minute to catch up and
then we’ll turn things over to will slack who will introduce federalists and
how cough has solved the problem that Federalist was trying
to solve meanwhile we’ll just leave the hooks catch up we’ll just list some
resources here that you can use to learn more about cloud gov I would start with
the docs page that our team maintains Britta Gustafson is an amazing
documentation writer and often find that our explanations are better than what’s
available in the community documentation the community documentation is more
comprehensive because it covers in detail every app every command and
option but the starting place for working with cloud gov is our own set of
Doc’s there’s a new book out from O’Reilly I know nothing about the
quality of it but it’s there so it should be up to date and appear little
also publishes some ebooks that are available for free download about how to
write applications for cloud gov what it means to be cloud native there are some
courses available the run from EDX is available free the training materials
from some of the cloud foundry summits are quite good in fact that bard can
come very liberally I’m putting together this workshop they are released under an
apache license I think that’s ok if it goes into it’s somewhat different
direction or some of the what others are trying to demonstrate and if you have
inquiries email us and I’m a fan of Twitter to follow at 18f at twitter i
don’t know when cloud backup will get to start tweeting but but I went ahead and
registered that user Nathan and Twitter so we can do so when we’re ready at this
point people should be caught up so we’ll want to come on up and introduce
federalists oh and then of course we’ll go into deep dive questions after this
case study I know I forgot earlier to have you come
okay I get the presentation when it’s turned on while he’s doing that
my name is well so I work to support the team just a minute people can’t hear you
give it muted okay hi people on the Internet
my name is Wil slack I maintain a stretcher for products and platforms
which supports the 5ff team as well as some other tools one of which is
Federals that leverages the cloud active team so I’m here to talk for just a
second about federalists advanced and back with this so Federalists is a tool that’s meant to
solve a problem talk about the problem talk about Federalist roots and then
talk about all the ways that it uses cloud of and what I think is kind of a
clever way to solve this problem for people and how vodka really makes
Federalists our life pretty easy I have a team of two part-time developers and
me and we’re able to provide a fully featured product because we’re just
leveraging things that Quantico provides so first what’s the problem let’s say
that I want to launch a static website Nick government that can be very hard it
can take time to procure I mean there’s all the issues for the for the Claddagh
gov platform Sol’s for you there’s issues with getting an ATO even if you
have a product of static signup you don’t have an ATO by itself you have to
know how to update and manage the material the people that are managing
your website the communication specialists they’re often not the folks
to know how to do CF bunch right those are different populations so how do you
help the people in your comm shops the people that manage your website content
to be able to do a better job on sites that’s hard right now a lot of agencies
solved this with Drupal and WordPress and quadriga
has ways they’re pretty cool of launching and hosting and managing those
but those takes you know a dedicated team sometimes to do all the
configuration if you want to do a really basic site or if you’re the equivalent
of like a all business inside the government like
your urine urea specific office or an agency you want to launch a campaign
page or something like that it might be a little bit more like a small business
with a server in the corner and it’s not really anyone’s dog to kind of manage
the server in the corner you don’t but if any of y’all probably don’t work in
these offices they’re just you know three or four program officials that
want to be able to manage web content how can we help them and not make them
have to log in deposit of themselves so federalists is intended to support the
government equivalent of that small business it’s meant to allow an
individual program office campaign micro agency to launch specific web pages or
websites using static static pages and the benefit of static for us is that
it’s a lot harder to interact with it so you can do this on five of the Federals
kind of takes care of a lot of the backend for that for you and it’s
managed by a small team thanks to the audit of path that’s what we do so by
managing all the way by adding based basically an extra layer on top of that
type of compliance and taking care of basically the full set of ATO needs we
make it really easy for someone who’s non-technical commander the content of
the website as long as they know enough to interact with github which is itself
a little bit of training less that we help with so this is our system diagram
and all of its beauty and I’m talking about how cloud helps and enables
federal resistant yeah so I’m gonna go over here and point for people on the
web you may not be able to see this but I’ll talk I’ll narrate my way through it
okay they can’t hear just the microphone okay well just point them so you can see
that all awesome oh good so when federalists wants to build that
aesthetic site github since a web hook into our first web application so this
is an app running on cloud backup with multiple instances so it never goes down
that web app triggers a build message through sqs which is managed not in
cloud that go to a builder application which then uses the codec of diego
container orchestration to spin up a new copy of one of like I think eight
containers we have ready these containers are ephemeral they basically
download the content off github they build out the site they then drop that
onto f3 and then they’re destroyed they’re immediately gone so there are
ephemeral containers just for building out the content of the site the benefit
of that being when someone says this content and we build it in a container
even if there’s something malicious and the code there it’s not going to mess up
everyone else’s site when that information is dropped into s3 that part
of the process is done we also make sure that the containers are good by running
a registry using another s3 service you can see the cloud gov up here means that
all this stuff is just cloud ugh of information and we don’t worry about any
of the underlying DevOps behind any of the systems we just have to make sure
that our right raw application code is good when I want to launch a new website
all I have to do is go into clog of this is me because my the people who are used
federalists never have to actually touch clog of itself and do CF create service
CD in route and then put in the information about where the CDN route is
drawing from krokov takes care of generating the HTTP and it gives me a
cloud front URL I have our customer C name from you know us EITI GUI gov to
the cloud front URL and then with HTTP and with a proxy that ensures some
mandatory headers are put in place the site is up in live
that means we can go from a site not existing to going all the way through a
compliance process and to have a live site in 36 hours which is really helpful
for you know last-minute political priorities which I’m sure we’ve never
heard of before and that’s all possible because cloud archive has all these
systems so my team just has to focus on making sure the code is up-to-date and
we’re able to deliver all these sites we have I think 84 sites that are now live
on federalists which require pretty all team to manage because cloud echo
makes it possible and I think this is a good example of how cloud egg up has
provided the platform kind of basic building blocks that you can build
services on top of it you know how do you want to use your s3
service how do you want to use your RDS services those can be helpful as
stand-alones for other parts of what you’re doing you don’t necessarily need
to put everything inside of boundary either does that accomplish everything I
think oh right and one more thing with the bug bounty so we had a we’ve done a
bug bounty within the TTS the technology transformation services cloud I got as
part of that bounty it’s on the site hacker one so when people find security
holes or flaws they come to us and we pay them people have not been able to
find any significant flaws in federalists and in fact in cloud backed
up as well like we’re finding that our platforms are being proven by the
marketplace to be pretty robust and this is one of my favorite quotes saying the
federalists team did a really good job of securing that application and when
they say that what they really mean is that cloud did a good job of securing
all the underlying stuff because there’s very little work that we at federal at
the federal level or doing besides you know making sure that someone can’t use
XSS or something like that and it was a really cool thing to see thanks will and I wanted will to share
the diagram not because I expected all of you to follow it in detail but to
demonstrate that cloud gov supports a flexible variety of architectures and
it’s you know it’s more than just running a single Python web page it can
serve a wide variety of workloads and we have built it to scale up to 20,000
requests per second we’re nowhere near I’m sorry
we’re capable now supporting 20,000 requests per second and we could scale
above that as yeah as we continue to grow so lots of room there when we do
these demos we always launch these basic web apps because it’s a chance to
demonstrate how much time savings Quantico provides but for big complex
sites you can absolutely have same kind of savings just less obvious
oh the pricing for Federalist Federalist is $25,000 per year for a limited number
of sites for your specific office team or program and you can email me at
Federalist – inquiries at gsa.gov for more information about that we are
reconsidering some aspects of the pricing right now and so I think if
you’re in a situation where that’s a strange one for you please let me know
but that’s the the price is 25k for an unlimited number of sites so for example
the office of government-wide policy at GSA has the federal identity management
and credentialing vicam team and they watch all their play books on Federalist
and you all may have seen some of those things and every time they want to do
that it’s just another little 36 hour process for a little work and a lot of
value delivered yeah so the country it’s all it’s all public nothing’s
confidential about the content we’re just basically taking this stuff on
github putting on s3 and then making doing the government compliance for it
to put it up along with a lot of cool preview functionality so every time you
do a branch and github federalists builds out a copy of that and puts it at
another URL so you can kind of be monitoring all the different you know
builds of your site as it’s going on it’s kind of applying DevOps and
continuous delivery to static sites other questions from one on cool thank
you James so allocated some time here so it can go
into any particular depth on on questions that or comments that you
might have James was there anything on questions that have come up on YouTube
live that seemed worth sharing on um not so there was a question from James
Perrin but it’s for Ruolin actually um we just took care of that you were so
focused in going through the back yeah besides nothing else okay gift overall the things that cloud
backup doesn’t do so that you can ask about them but there’s much of it
doesn’t give the question is what what doesn’t it do um I’m not sure I have a
good answer for that the the challenge that we’re working on now is trying to
determine how to structure arcane so it can provide the 24/7 support that that
some of our customers are wanting to see in the long term the you no need for
that has not been deeply apparent because we run in a platform that’s
largely self-healing with the Bosh director that that Cloud Foundry
provides but we do understand that there could be exigent circumstances when you
need to get a hold of someone at 2:00 a.m. because there seems to be a problem
with the platform if you didn’t catch it earlier in the so that’s the main thing
that cloud dokdo doesn’t do now that were we’re wrestling with most of the
other features that I had on the coming soon slide or the ones that were
addressing in terms of what we think people do need in order to say yeah
let’s go ahead and sign up and and start using you do anything that you’re
looking for that we don’t have a DSM credential so the question is
about agencies that use Azure an ATF outs
I may be answering the wrong question but agencies that have moved to using ad
FS have a almost transparent way of providing identity services to us
because we can connect friend to Asher’s identity provider that has been
configured for the agency so FEC is going that route and one yeah so those
users when they log in they’ll go and use the same credentials that they use
for office 365 and then they’re in and it’s good so for an internal app there
are the clearest route is to use the single sign-on
and it would and that would be an application developer responsibility to
interact with that identity provider but that’s the way it’s typically done if
you want another level of assurance on top of that we have all of our traffic
come from specified IP addresses so traffic in and out of the agency can say
is this coming from a particular IP address and if it’s not and it’s not our
application oh and what I meant to say is the other way as possible as well you
wanted to limit limit inbound from a particular set of IP ranges it would
take a little bit of engineering but it’s certainly feasible with what the
Cloud County architecture allows for medications better Yeah right yeah so
how do you move an application from sandbox to production in the simplest
form just say forget the space with what’s called the target commands they
say TIA çf target space production and then use
confirm that your pointing to the correct space then use the CF push
command what people will generally do is have that logic built into a script
that’s part of their continuous delivery so when something is pushed to master
and then that’s a single it can go ahead and
move that code into production or move it to staging see the de pass certain
tests and then move it to production so how smooth a migration to the cloud is
is simply it depends which isn’t very helpful the the key stumbling block is
whether the applications have been written to be what’s called stateful or
stateless a example is that we had the application that you were able to scale
and show that every time you reloaded it it uploaded it updated which instance
had you and visited if your application is written for that you are doing a
workflow like filling out a form and you go to the next page of the form and you
end up on the other copy of the instance and it doesn’t know anything about what
you were doing with the form then you have to make sure your application
follows what I what are called some of the 12th factor principles so that the
where and a user isn’t in in a multi-page form is stored like in the
Redis datastore which is really fast to update and query from or something else
that’s available between multiple instances then there are also
applications that may make heavy use of storing stuff in a local file system
which again is Thai only to one copy of that instance we’re addressing that to
some extent a by a initiative to provide users with a shared file system between
instances which can help bridge that gap and so
those are the two blockers use of the file system and whether the application
has been stateful or not and then third is whether it just uses some particular
technology that’s not available if it’s some particular back-end database that
is from the 1980s or something it depends what your legacy requirements
are James you have any thoughts on that that sounds about already
um yeah those were part of those limitations I can think of as well so I didn’t have another question from the
YouTube channel for a role oh so the question is about Federalists in terms
of its perilous for SBU or EK sensitive but unclassified data if the sensitive
and unclassified of data can be put in a full public view then yes but I don’t
think you would typically do that Federalist is not publishing behind any
kind of auth this stuff sitting on s3 is on a the s3 bucket is enabled for public
viewing if you don’t mean you can put on and we do you know put in a web crawler
blocker to that stuff so that you know people don’t know the specific URL they
can’t see it you could publish a private github repository so that that
information is invisible but um it will still be accessible if someone types in
the correct URL and press the center on their browser if you wanted to add some
kind of authentication you could do that using Federalist plus a con back of app
you know or another kind of app that says hey have you authenticated then
what’s the continent separately but at that point you kind of lost the benefit
of running everything through Federalists but you could do that is
Federalist open source so if I wanted to re-implement this in my internal c2c
cloud her yes issue so we have instructions on how to run it to it
Federalist – Doc’s 18f gov that’s Federalist – do see s Doc’s 18f gov also
I love talking about Federalist so people have questions or reactions or
feedback just like let me know because our goal is building a
so that ideally like y’all don’t have to deal with these communications offices
that want to watch new site like they don’t have to ship you HTML which you
have to load into a server somewhere instead they can just put it on a github
repo we publish it up and you’ll have to worry about the aspects of compliance
either yeah so you could I you have an ATO left just like the one that we had
at GSA for running all the different components of federalists and things
like that do you absolutely have that option and I would say go forth and
prosper with that the big thing that that you can’t do on your own without
cloud by gov somehow is to do that CDN route aspect of it you would need some
way of taking the content sitting on s3 and making it so that someone visits you
know your agency gov they see the stuff sitting on s3 you need a connection in
there kado gov is that connection piece for a federalist stuff once it’s on s3
you would still need something for that but it would be very easy you know if
you you could have a static site system right now where you take stuff off you
get hub repo run Jack will serve on your machine
put that on s3 have another proxy app that loads it you can approximate all
this stuff individually I just know that for an ORM er of sites that becomes a
lot of work Federalist is about abstracting all that away so that like
y’all the folks I’m talking to here don’t ever have to even worry about it
in the first place so I know there are 46 people on YouTube chat and so we’d
love to have more questions from the chat line in case you’re wondering
there’s about 20 people 22 dozen here in the in the room had a few people leave
because they couldn’t connect because the VPN issues and said they’ll catch us
at a future workshop I used to be a high school physics
teacher and I was one of these people who came pretty much straight from
college to teaching high school physics and they say okay great we’ll you know
send you to a one month course and how to be a teacher and the most important
piece of advice I got is that when you ask a question count to six because
often people are any questions great no we’ll move on but often takes me I’m so
confused I don’t even know how to formulate the question so any other
questions okay well thanks so much for your
participation and all the great help you’ve had in helping me figure out how
to run the next workshop we will be sending out a survey but of course
anything you want to say now about how to make this go better next time we’re
happy to hear it thank you

Leave a Reply

Your email address will not be published. Required fields are marked *