Cloud Native on Oracle Cloud Infrastructure Functions Events

Cloud Native on Oracle Cloud Infrastructure
Functions & Events
Andrea Marchesini
Oracle Cloud Infrastructure Product Manager
November, 2019
© 2019 Oracle

Safe harbor statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.
Copyright © 2019, Oracle and/or its affiliates. All rights reserved.

Functions

Serverless Compute – Functions-as-a-service (FaaS)
[Diagram: stack comparison for Bare Metal, Virtual machines, Containers and Functions; layers shown: Code, App Container, Language Runtime, Operating System, Hardware]
Serverless is a category of cloud services that raises the abstraction level so that developers don't need to think about servers, VMs or other IaaS components.

Oracle Functions-as-a-Service
[Diagram labels: Oracle Cloud Integrated, Container Native, Open Source Engine, Multi-tenant, Secure]
http://fnproject.io
No Lock-in
• Built on open-source Fn Project and Docker
• Platform independent: laptop, server, cloud
Autonomous
• Platform auto-scales functions
• No servers to provision, manage
Pay Per Use
• Pay for execution, not for idle time

Functions Overview
• Push container to registry
• Configure function trigger
• Direct Invoke (SDK/CLI/API)
• Function Triggers: code runs only when triggered; pay for code execution time only
• Function Integrations: Monitoring, Identity, Registry, Logging, OCI Events, Network, OCI Services

Function Development Kits (FDKs)
FDKs make it easy to write functions.
Simply write a `handler` function that adheres to the FDK’s interface and the FDK will provide the input to your function, as well as deal with returning the proper output format.
[Figure: Example Java Function]

Oracle Functions Concepts - Applications
In Oracle Functions, an application is:
• a logical grouping of functions
• a common context to store configuration variables that are available to all functions in the application
When you define an application in Oracle Functions, you specify the subnets in which to run the functions in the application.
Oracle Functions shows applications and their functions in the Console.

Oracle Functions Concepts - Functions
In Oracle Functions, functions are:
• small but powerful blocks of code that generally do one simple thing
• grouped into applications
• stored as Docker images in a specified Docker registry
• invoked in response to a CLI command or signed HTTP request
When you deploy a function to Oracle Functions using the Fn Project CLI, the function is built as a Docker image and pushed to a specified Docker registry.

Oracle Functions Concepts - Invocations
In Oracle Functions, a function's code is run (or executed) when the function is called (or invoked). You can invoke a function that you've deployed to Oracle Functions from:
• The Fn Project CLI.
• The Oracle Cloud Infrastructure SDKs.
• Signed HTTP requests to the function's invoke endpoint. Every function has an invoke endpoint.
• Other Oracle Cloud services (for example, triggered by an event in the Events service) or from external services.
When a function is invoked for the first time, Oracle Functions pulls the function's Docker image from the specified Docker registry, runs it as a Docker container, and executes the function. If there are subsequent requests to the same function, Oracle Functions directs those requests to the same container. After a period of being idle, the Docker container is removed.

Oracle Functions Concepts - Triggers
A trigger is the result of an action elsewhere in the system that sends a request to invoke a function in Oracle Functions. For example, an event in the Events service might cause a trigger to send a request to Oracle Functions to invoke a function. Alternatively, a trigger might send regular requests to invoke a function on a defined, time-based schedule.
A function might not be associated with any triggers, or it can be associated with one or multiple triggers.

IAM Policies required to work with Oracle Functions
Select the tenancy's root compartment, and create a new policy with the following two policy statements for the Oracle Functions service:
    Allow service FaaS to read repos in tenancy
    Allow service FaaS to use virtual-network-family in compartment <compartment-name>
If one or more Oracle Functions users is not a tenancy administrator, add the following policy statements to the new policy:
    Allow group <group-name> to manage repos in tenancy
    Allow group <group-name> to use virtual-network-family in compartment <compartment-name>
    Allow group <group-name> to manage functions-family in compartment <compartment-name>
    Allow group <group-name> to read metrics in compartment <compartment-name>

How Oracle Functions works: Deploying a Function

How Oracle Functions works: Invoking a Function

Functions Metrics
• FunctionExecutionDuration: Total function execution duration in milliseconds
• FunctionInvocationCount: Total number of function invocations
• FunctionResponseCount: Total number of function responses
• Errors: The number of times a function failed
• Throttles: The number of requests to invoke a function that returned a '429 Too Many Requests' error in the response

Events

OCI Events Service - Overview
• OCI Events service is a fully managed event-routing platform that simplifies the creation of event-driven cloud-native applications and serverless workflows.
• OCI Events service provides a platform where customers can subscribe to changes in their resources and automatically react to them in near real time using Fn, trigger notifications, or write to stream for later analysis.
• Open Source - the Events service implements the Cloud Native Computing Foundation’s (CNCF) CloudEvents open source standard. CloudEvents describes event data in a common, consistent, and accessible way across cloud native applications.

Key Features
OCI Events service provides a robust event-routing platform with some key features:
• Integration with Oracle Functions, Oracle Streaming Service, and Oracle Notification Service, which provides you with a powerful reactive programming model for staying informed about your cloud environment.
• Support for a diverse suite of out-of-the-box event types - supports all API call events from all your OCI resources (Create, Update, Delete via Audit), as well as scenario-specific events from Object Storage and Autonomous Database (such as Database Backup Complete).
• Integrated with Identity and Access Management and Monitoring services
• Accessibility through REST APIs, OCI console, SDKs, CLI, Terraform

Concepts
There are three core concepts in OCI Events service:
• Events - A structured and schematized message that denotes a change in a resource.
• Rule - The object where a user defines which events they care about and the action to trigger when one occurs. A first-class OCI object created per compartment.
• Actions - The user-defined response to an event occurring. For example, triggering a function, or writing to a stream.
Events Service integrates with OCI Services at the platform level to deliver resource change events.

Concepts - What are Events?
An event is a structured, lightweight, actionable message that denotes a change in a resource. Unlike raw generic log entries, events have derived context and structure, and are guaranteed to be actionable.
An event can be:
• User initiated CRUD operation - "Bucket Updated", "Bucket Deleted"
• Resource life cycle state change - "Instance Stopped", "Backup starting"
• System event - "Instance Rebooted - Hardware Failure" (Via PULSE)
Each event describes:
• The source (i.e. the service responsible)
• Time stamp
• eventType (i.e. Backup Complete)
• a detailed service-specific inner payload to describe the change and resource in more detail (including the tags associated with the resource).

Concepts - What does an Event look like?
Events follow the CNCF format and have the following schema:

    {
      "eventType": "string",            #Example: ADW.instance.backup.complete
      "eventTypeVersion": "string",
      "cloudEventsVersion": "string",
      "source": "URI/string",           #Example /service/dbaas/resourceType/ADW/
      "eventID": "string",
      "eventTime": "timestamp",         #Time the event occurred
      "contentType": "string",          #application/json
      "extensions": {
        "compartmentId": "string"       #extension to show compartment ID
      },
      "data": "JSON object"             #Inner payload with service specific details.
    }

Events Concepts – Rules
• To interact with the OCI Events service, users create and manage "Rules". Rules are objects that allow customers to select which event types to monitor, and automatically trigger actions when those events occur.
• To be able to create rules in a given compartment, users will need the INSPECT compartment permission. All rules are validated for IAM permissions.
• A rule is simple; to create one, the user specifies:
  • Name & Compartment - A name, and the compartment where you want the rule to be created.
  • Trigger Condition - The event types you care about, as well as any other property filters. A user can subscribe to ALL events in their compartment. Example: "Event Type = Delete bucket" and "Tags = Prod_Dont_Delete"
  • Response Action - The automated action to be executed once the condition above is met. You can have multiple actions per rule. Example: "Notify DRI (ONS)" and "Trigger my backup scripts (Fn)"

Design Considerations - Rules
• Rules are compartment based, and will support nested compartments. If a customer wants to set up a tenancy-wide rule, they can create one in the root compartment.
• To be able to create a rule in a given compartment, customers will need the compartment INSPECT permission. All rules and actions are validated for proper IAM permissions. Customers will also need the 'manage cloudevents' permissions to be able to CRUD rules.
• Before using the service, customers will need to set a policy to allow the Events service to deliver events to action resources.
• When events are generated, they also include the tags of the resource that fired the event. Customers will be able to create rule filters that match their resource tags. Rule resources themselves will also support tags.
• The maximum number of rules a user can create in their tenancy is 50. (This can be increased)

Events Concepts – Actions
• Actions are the user-defined response to a rule being matched.
• A user can specify multiple actions per rule.
• The service guarantees at least one delivery attempt for all actions.
• Supported actions include:
  • Trigger Function (Fn)
  • Publish notification (ONS)
  • Output to Stream (OSS)

IAM policies required to work with Events #1
Policies for the Events service so that it can deliver event messages to action resources, which can be any combination of topics, streams, or functions
• give the Events service the ability to deliver event messages to a topic
    allow service cloudEvents to use ons-topic in tenancy
• policy for Events to deliver event messages to functions
    allow service cloudEvents to use functions-family in tenancy
• policy for Events to deliver event messages to streams
    allow service cloudEvents to use stream-push in tenancy
    allow service cloudEvents to read streams in tenancy
Policies for users so that they can create and manage rules
• give users inspect access to resources in compartments to select actions
    allow group <RuleAdmins> to inspect compartments in tenancy
• give users manage access to rules for Events
    allow group <RuleAdmins> to manage cloudevents-rules in tenancy
• give users access to Streaming resources for actions (if required)
    allow group <RuleAdmins> to inspect streams in tenancy
    allow group <RuleAdmins> to use stream-push in tenancy
    allow group <RuleAdmins> to use stream-pull in tenancy
• give users access to Functions resources for actions (if required)
    allow group <RuleAdmins> to use virtual-network-family in tenancy
    allow group <RuleAdmins> to manage functions-family in tenancy
• give users access to Notifications topics for actions (if required)
    allow group <RuleAdmins> to use ons-topic in tenancy
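
The policy statements on this slide and on the earlier Functions policy slide all follow one shape, so they can be reviewed mechanically before they are applied. The following is an added example (not Oracle tooling and not part of the slides): it lists statements that grant manage across the whole tenancy, so a reviewer can decide whether a compartment scope would do, and catches verbs or resource types that do not appear on this page. Group and compartment names in the sample are made up.

```python
# Added example, not Oracle's tooling. It parses only the statement shape used
# on this page: allow <service|group> <name> to <verb> <resource-type> in <scope>.
import re

VERBS = ("inspect", "read", "use", "manage")  # OCI policy verbs, least to most access
# Resource types that appear in the policy statements on this page.
PAGE_RESOURCE_TYPES = {
    "repos", "virtual-network-family", "functions-family", "metrics",
    "compartments", "cloudevents-rules", "streams", "stream-push",
    "stream-pull", "ons-topic",
}
STATEMENT = re.compile(
    r"^allow\s+(?P<kind>service|group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>[\w-]+)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+\S+)$",
    re.IGNORECASE,
)


def review(statements):
    """Return (statement, finding) pairs for statements worth a second look."""
    findings = []
    for raw in statements:
        text = " ".join(raw.split())  # normalise whitespace
        match = STATEMENT.match(text)
        if not match:
            findings.append((text, "unparsed"))
            continue
        verb = match["verb"].lower()
        resource = match["resource"].lower()
        scope = match["scope"].lower()
        if verb not in VERBS:
            findings.append((text, "unknown-verb"))
        elif resource not in PAGE_RESOURCE_TYPES:
            # Not in the list taken from this page: often a misspelling.
            findings.append((text, "unknown-resource-type"))
        elif scope == "tenancy" and verb == "manage":
            findings.append((text, "tenancy-wide-manage"))
    return findings


# Constructed input: statements in the page's style with made-up group and
# compartment names, plus one deliberately misspelled resource type.
SAMPLE = [
    "Allow service FaaS to read repos in tenancy",
    "Allow group fn-devs to manage repos in tenancy",
    "Allow group fn-devs to manage functions-family in compartment dev",
    "allow group RuleAdmins to manage cloudevents-rules in tenancy",
    "allow group RuleAdmins to manage function-family in tenancy",
    "allow service cloudEvents to use stream-push in tenancy",
]

if __name__ == "__main__":
    for statement, finding in review(SAMPLE):
        print(f"{finding:22} {statement}")
```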

Events Service Metrics
Metrics supported for:
• Events received from all resources
• Events matched by a rule
• Successful deliveries by a rule
• Failed deliveries by a rule

Service Guarantees
OCI Events Service offers the following guarantees:
• If an event is ingested, it guarantees that it will be evaluated at least once against user rules.
• If a rule is matched, it guarantees at least one delivery attempt for all actions.
• Events are NOT guaranteed to be processed or received in order.
• If an action target is not responsive, the service will retry delivery for up to 5 hours or until a non-retryable error occurs. Otherwise a failure metric will be emitted, and no further retries will occur.
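
These guarantees mean a function used as an action can receive the same event more than once and can receive events out of order. The following is an added example (not from the slides or from Oracle) of a consumer that rejects malformed envelopes, de-duplicates on eventID and ignores late arrivals by eventTime, using the field names from the event schema earlier on this page. The `resourceId` payload field, the event type names and the sample values are constructed for illustration.

```python
# Added example, not Oracle's code. Envelope field names come from the event
# schema on this page; "resourceId" and the event types are constructed.
from datetime import datetime

REQUIRED = ("eventType", "eventID", "eventTime", "source", "data")


class EventConsumer:
    """Apply each event once; never let a late event overwrite newer state."""

    def __init__(self):
        self.seen_ids = set()  # applied eventIDs (a durable store in real use)
        self.latest = {}       # resource key -> (eventTime, eventType)

    def handle(self, event):
        if any(k not in event for k in REQUIRED) or not isinstance(event["data"], dict):
            return "rejected"            # malformed envelope: take no action
        key = event["data"].get("resourceId")  # hypothetical payload field
        try:
            when = datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))
        except (AttributeError, ValueError):
            when = None
        if key is None or when is None or when.tzinfo is None:
            return "rejected"            # cannot order or attribute the event
        if event["eventID"] in self.seen_ids:
            return "duplicate"           # redelivery (at-least-once semantics)
        self.seen_ids.add(event["eventID"])
        previous = self.latest.get(key)
        if previous and previous[0] >= when:
            return "stale"               # arrived out of order; newer state wins
        self.latest[key] = (when, event["eventType"])
        return "applied"


def make_event(event_id, event_type, time, resource="instance-1"):
    """Build a constructed sample event in the shape of the page's schema."""
    return {
        "eventType": event_type, "eventTypeVersion": "1.0",
        "cloudEventsVersion": "0.1", "source": "/service/example",
        "eventID": event_id, "eventTime": time, "contentType": "application/json",
        "extensions": {"compartmentId": "example-compartment"},
        "data": {"resourceId": resource},
    }


def replay(events):
    """Feed events to a fresh consumer; return outcomes and final state."""
    consumer = EventConsumer()
    outcomes = [consumer.handle(e) for e in events]
    state = {k: v[1] for k, v in consumer.latest.items()}
    return outcomes, state


PROVISIONED = make_event("evt-1", "example.instance.provisioned", "2019-11-05T10:00:00Z")
TERMINATED = make_event("evt-2", "example.instance.terminated", "2019-11-05T10:05:00Z")

if __name__ == "__main__":
    # Delivery order differs from occurrence order, and evt-2 is delivered twice.
    print(replay([TERMINATED, PROVISIONED, TERMINATED, {"eventType": "x"}]))
```

For a security action such as the instance compliance check later in this deck, the "stale" outcome is what stops a late provisioning event from undoing the record of a termination.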

Configuring Events Service Rules in OCI Console
Step 1: Select Service and Event Type
Step 2: Set a filter
Step 3: Select an action

Functions & Events Use Cases

Event-Driven Design Patterns - Common Use Cases
• Event-driven applications
• Web, Mobile, IoT Backends
• Real-time File, Stream Processing
• DevOps, Batch Processing
• Glue Cloud Services, Event-driven
• Security Operations
• IT Operations
• Multi-Cloud

Use Functions to Glue Cloud Services
[Diagram: Functions and Events connecting Cloud Applications (SaaS), Cloud Platform (PaaS) and Cloud Infrastructure (IaaS); labels: ERP, HCM, Supply Chain, CX, Mobile, Data Mgmt, Custom Apps, Integration, Business Insight, Collaboration, Data Analytics, Network, Compute, Storage, Audit]

Infrastructure Event Driven Architectures
[Diagram: ORACLE CLOUD; Network, Compute, ATP/ADW and Storage -> Events -> Trigger functions -> Functions]
Functions can use DB, Storage, and other services.
ATP = Autonomous Transaction Processing
ADW = Autonomous Data Warehouse

Automate Corporate Security Actions
[Diagram: ORACLE CLOUD; Provision Instance Request -> Compute -> Instance Provisioning Complete -> Events -> Trigger functions -> Functions -> Compute]
Functions check if the instance complies with security policies. If not, kill the instance & send a new provision instance request.

Network Security Analysis
[Diagram: ORACLE CLOUD; Network -> Network Access Log Files in Object Store (Storage) -> Events -> Trigger functions -> Functions -> Splunk]
Functions read the network access logs and send them to customer’s Splunk for security analysis.

Automate Database Environment Setup
[Diagram: Provision ATP Instance Request -> ATP -> CreateInstance End Event / ATP Instance Provisioning Complete -> Events -> Trigger functions -> Functions -> ATP; Events -> Notifications -> Email Delivery, Slack Subscription, HTTPS (custom URL)]
• Functions runs scripts to create schemas, tables and import golden data.
• Notifications triggers email and PagerDuty alerts.

Demo: Integrating an OCI Service event with Oracle Functions
[Diagram: Provision or Terminate Instance Request -> Compute -> Instance Provisioning or Termination Complete -> OCI Events -> Events invoke Actions -> Functions -> Storage]
Create a new Object Store Bucket on provisioning and delete it on instance termination.

Oracle Cloud always free tier: oracle.com/cloud/free/
OCI training and certification: oracle.com/cloud/iaas/training/register-for-training.html oracle.com/cloud/iaas/training/certification.html
OCI hands-on labs: ocitraining.qloudable.com/provider/oracle
Oracle learning library videos on YouTube: youtube.com/user/OracleLearning