Hussein Badakhchani’s Blog November 1, 2006 1:37 AM
Those of you who read my blog would be aware that around late November of last year I decided our existing build process had to go. You can read my original rant here. Well I am please to report that after much discussion we bit the bullet a decided to scrap our build process and embark on creating a new process that we hoped would meet the increasing demands being made on the infrastructure team to build and deploy the numerous WLS domains that we manage. We have been using the new build process (which we call choom) for almost a year. In that time the demands to create new environments and support new versions of WebLogic, Apache and other middleware applications have only increased while our team has dropped in size from six to two people. If you are considering different approaches to building and deploying WLS domains I hope you find this and the next few entries useful. If you think these ideas are rubbish I want to know why?
To start with lets define some of the key requirments for our build process. The build process must:
- Create a complete WLS domain and scripts to distribute and install the domain onto multiple machines.
- Be fast. It should take no longer than a few minutes to build, distribute and install a WLS domain. This a key measure of the performance of a build process. The vast majority of WLS domains I have seen can be built and distrbuted in under a miniute on a desktop pc.
- Enforce architectural and design decisions and verify the configuration by checking the completed domain before it is distributed.
- Be simple to use. Anyone with basic unix skills should be able to build and deploy a domain after a 5 minute tutorial.
- Be able to build Apache, WebLogic and any other application maintained by the support team.
- Be simple to maintain. The build process should not require a team to support it. The process of adding new environments or applications must require no special skills.
With these requirements in place we invited BEA to help us evaluate different build approaches. The debates were always heated as everyone involved knew we had to get this right or we would end up in a mess. To outsiders it may well have seemed that the team was about to crack but in my experience civil and plesant technical discussion is often a sign that participants don’t know what they are talking about or don’t care. We whittled down the contenders to a) using WLST to dynamically create the domain and b) Create template domains and use ANT to “copy filter” the templates. We opted for ANT option for many reasons but the deciding reason was simple, WLST can only build WLS, the ANT option gave us a consistant method for building any application we wanted.
The next step was to create a template domain and define the properties. The customer had two sites, a live site and a contingency site. These sites were home to the production environment, a domain that spanned two machines. We would supply arguments to the build script which would determine which property files were loaded and used to create the domain. We had to group related properties together in their own files and we came up with the following files:
- common.properties – Used by all builds prefix=Common.
- mydomain.properties – Domain specific prefix=Domain
- production-live.properties – Production environment and live site prefix=Environment.
- production-cont.properties – Production environment and contingency site prefix=Environment.
- machine-live1.properties – Machine 1 in the live site prefix=Machine.
- machine-live2.properties – Machine 2 in the live site prefix=Machine.
- machine-cont1.properties – Machine 1 in the contingency site prefix=Machine.
- machine-cont2.properties – Machine 2 in the contingency site prefix=Machine.
To build the domain one would execute the following command:
ant -Dproduct=weblogic92 -Dsite=live -Ddomain=mydomain -Denv=production
The build loads the correct set of properties based on these arguments. This is a pretty standard approach familiar to anyone that uses ant, it looks like this:
<property name="properties.dir" location="${basedir}/properties"/>
<property file="${properties.dir}/common.properties"/>
<property file="${properties.dir}/domains/${domain}/${domain}.properties"/>
<property
file="${properties.dir}/domains/${domain}/environments/${env}/${product}/${env}-${site}.properties"/>
I’ll explain the directory structure in my next entry, to round off this entry I want to explain one of the problems with this standard ant approach and how we resolved it. If you have ever had to locate a property to change it’s value you have probably had a few hours of your life wasted by having to locate that property because it is defined in multiple files and ant can be configured to inherit properties. Our old build process didn’t have a consistant hierarchy which compounded the problem. It could take days to make a change to a single property! We were burned so badly by this that we decided there would be no inheritance of property files in Choom and that every property name would conform to a nomenclature that would indicate where that property was located in the build file system. For instance, if you were looking at a template of the config.xml you would see something like this:
<ssl>
<name>@Domain.admin.Server.Name@</name>
<enabled>@Environment.admin.Server.SSL.Enabled@</enabled>
Any property prefixed with Domain corresponds to the domain level properties defined in mydomain.properties. If it’s prefixed with Environment you know it has to be in the production-${site}.property file for that site. Now we can locate and change the value of any property in seconds. For me this is a key metric to use in determining the performance of your build process. If you find it takes longer than a couple of minutes to make a simple configuration change in your build, alarm bells should start ringing.
In my next entry I will discuss the directory structure of choom and the templates. We gave alot of thought to the directiry structure of the build process. We wanted it to be intuative, consistant and to reflect how we perceivethe architecture our domains.
#1 by admin on November 28, 2009 - 11:22 am
I love it!
Posted by: simonvc on November 2, 2006 at 2:03 AM
#2 by admin on November 28, 2009 - 11:22 am
Do you use the Weblogic Admin Port? If yes (or you have other SSL requirements for the servers in your WL Domains) can you explain how you overcame the problem of distributing (self signed) certificates on the machines and adding them to remote trust stores? Assuming you don’t rely on the Demo certficates, of course!
Posted by: tallsandwich on November 2, 2006 at 8:39 AM
#3 by admin on November 28, 2009 - 11:23 am
Tallsandwich, great question. Infact I just added a draft blog with a the title “Keystore administration” so as to make sure I don’t forget to blog on this subject. It deserves an entry in it’s own right but I’ll try and give you a picture of how we manage our keystores here.
I have not defined an Admin Port for our clusters yet, (something I keep delaying due to time constraints) but we do configure SSL ports on all our servers. Every WLS server in our domain is configured with custom identity and trust key stores. Every server has it’s own identity keystore named after its CN which is its Listen address e.g: wls01-prod.myhost.co.uk, so the keystore is called wls01-prod.myhost.co.uk.jks. This allows us to reuse these keysores for different domains that are deployed on the same machines (the servers have the same listen address but listen on different ports). This reduces the administrative burden of maintaining and updating the certificates as we require less of them. When the domain is built the build process simply loads the properties which define the keystore names and copies them into the domain keystores directory. Again, this means once you have created the keystores for a particular machine you don’t have to repeat the process for other domains that reside on the machine. The trust store is the same for all the servers in a domain. Infact all our test servers have the same trust store with our root test CA in it.
Our test self signed certificates were created using an improved version of this which we hooked into the build process. The procedure is as follows:
1. Agree host names (CNs) with the network/project team.
2. Create the properties file for the domain.
3. Run choom.
4. If the domain reqires certificates Choom generates the CSRs, signs the certificates and uses keytool to create the keystores as per our specification above.
5. Distribute the domain
6. Install the domain.
7. Run Cheef to verify the integrity of the environment.
8. Start up the domain
Choom also uses some nifty Jython scripts to validate the keystores and alerts us if the certificates are near their expiry dates.
Posted by: hoos on November 2, 2006 at 10:13 AM
#4 by admin on November 28, 2009 - 11:23 am
We have similar requirements. However, in our experience the ant copy task is not sufficient.
For example, say you want to specify 1, 2 or 3 machines, depending on environment. Without a looping construct, this will be quite hard.
In addition, wlst has several very useful commands that cannot easily be replicated using ant – e.g. nmEnroll.
I’d recommend a combination of wlst plus a generic templating tool (e.g. FreeMarker) for generating configuration files. And then use ant to coordinate and orchestrate everything.
Posted by: nuh@pfa.dk on November 3, 2006 at 12:02 AM
#5 by admin on November 28, 2009 - 11:23 am
nuh, we have overcome these problems without having to use wlst, let me explain. Your right about requiring a looping mechanism when your domain has multiple machines. We have four machines in our largest domain. Our conultant from BEA shook his head and said it could not be done with Ant but the next day I had plumbed in the foreach task. This works well for us. The task is driven by looping over the machine property files and resets the values of properties.
With respect to nmEnroll, this is a one time operation you carry out on the machine. Once we have enrolled the domain we plumb in the updated properties into the build.
Our old build process used FreeMarker. It meant that everytime someone new worked on the build they had to learn that as well as another four other “useful” tools. Adding new tools to the build is a risky business and can break one of our requirements which is ease of maintenance. We agreed that all we needed was Ant and Jython. The core build framework needs nothing more than ANT (with the contrib tasks), Jython is used to generate passwords, check keystores and validate the build. Any WLS administrator worth a bean knows Ant and Jython.
Posted by: hoos on November 3, 2006 at 2:04 AM
#6 by admin on November 28, 2009 - 11:24 am
As someone who has also bee quite intimately involved in this build process, I can say that the foreach construct has not been an unmitigated success. It can be a problem at sites you must use packages approved by the engineering group (as with my current job). Also, it must also be said that the foreach functionality is very clunky to use. I really do long for the day where Ant allows control flows out of the box.
In terms of the success of this build process, I still feel the jury is out. It does clean up what was a considerable mess that we were previously dealing with, but I’m afraid that without the initial creators around to maintain it, the builds will slowly degrade to the point we were previously at. I won’t go on, as I’ve “politely” discussed this with hoos on several occasions. To paraphrase Churchil perhaps its the worst approach except for any other approach that’s been tried.
Trevor
Posted by: t_g_nielsen on November 9, 2006 at 3:25 AM
#7 by admin on November 28, 2009 - 11:24 am
While I agree the foreach construct is a bit clunky it works and it is only used in one place, thats to iterate over machine definitions. I think the benefits it provides out weight the drawbacks.
In answer to your second point I disagree. It was part of our requirements to make sure the build process was easy to maintain and I believe we have achieved that aim. We managed this by creating two roles, the build process user and build process maintainer. The users only ever deal with running the build and copying/altering existing properties and templates. The build maintainers are responsible for adding new products to the build, not a very frequent activity and one that can be achieved after a week with some help from more experienced maintainers. We now have two new build maintainers (leaving me as the last of the orginal creators) and Choom is in better condition than before (we cleaned up those miserable temporary directories you created
.
Posted by: hoos on November 13, 2006 at 7:10 AM
#8 by admin on November 28, 2009 - 11:24 am
That temporary directory was very important at the time. Mainly due to the clunky foreach
I still think its a bad way to do things, but the construct persists because I can’t find an easier way. I will put some serious thought into this when I get the chance. I need to do a construct to run through a secure pacakging process that we use on my current contract.
Still not convinced on the maintenance aspects. I am quite concerned about leaving the build process as a legacy on the current contract. I believe that your workplace benefits from a long track record of using a structured build process, while at mine people are still far too fond of using config.sh . I think it might be better if we hire a couple of grads who only know Ant and XML to do the maintenance into the future. Any experience using config.sh automatically disqualifies candidates. Will have to talk to Simon about his CV parser
Posted by: t_g_nielsen on November 13, 2006 at 7:34 AM
#9 by admin on November 28, 2009 - 11:24 am
Choom also uses some nifty Jython scripts to validate the keystores and alerts us if the certificates are near their expiry dates.
I am trying to write few scripts that exactly do this. Do you mind sharing these..
.
Thank you,
-satya
Posted by: sghattu on January 3, 2007 at 4:37 PM
#10 by admin on November 28, 2009 - 11:25 am
Satya, check out Simon VC’s code samples. He has included a bunch of jython scripts used by Choom. These are a little old now but they should point you in the right direction. The script you want is called check_all_certificates.py. If you make any improvements chuck them over to me!
Posted by: hoos on January 3, 2007 at 11:19 PM