Platform Engineering

A platform is a foundational collection of services (computational or otherwise) that allow a user to accomplish a task. It can be a foundation for another layer of services that in term support their own users and use cases.

The term ‘platform engineering’ can refer to a few related things:

• development of a software platform in general

• a way of working and team organisation that has derived from DevOps practices

• an activity at ICHEC related to platform development

The platform engineering activity at ICHEC tries to adopt ideas from the ‘platform engineering’ way of working while building out our data and compute platforms. This section covers relavent techniques and tools for the development of software platforms.

• internal development platforms (IDP)

• self-service support

• devops scaling and integration

• monitoring and observability

• container oriented workflows

• container orchestration

• security management

Configuration Management

Configuration management systems are used to manage groups of servers. Ansible is a simple and popular configuration management system. It has three primary elements:

• Inventory: List of servers under management

• Roles

• Playbooks: Structured collection of roles and other config for managing a system

For practicing with Ansible you can set up a couple of VMs wih SSH access to act as servers, see the Virtual Machines section of the handbook for details on doing this.

You can install ansible with:

pip install ansible

or with brew. Then you can make an inventory with the machine(s):

mkdir ansible-practice
cd ansible-practice
nano inventory

and add:

[servers]
server1 ansible_host=127.0.0.1 ansible_port=2222

where here we have a virtual machine with SSH port forwarded to port 2222 on the host. For a real server the host address is likely enough.

You can ‘echo’ the inventory with:

ansible-inventory --list -y -i inventory

Next we can check if the machine is reachable by Ansible over SSH. For this simple case we will just use password auth, which requires an extra package:

brew install sshpass

Now you can check if the machine is reachable by ansible with:

ansible all -m ping --ask-pass

The latter command will ask for an ssh password. You would have a suitable ansible user and SSH cert already on the machine in a production-focused setup.

Further Reading

• https://www.digitalocean.com/community/tutorials/creating-and-running-your-first-ansible-playbook

• https://www.digitalocean.com/community/cheatsheets/how-to-use-ansible-cheat-sheet-guide

• https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ansible-on-ubuntu-22-04

Security

It is important to have a minimal expose interface of your services to the public internet. Only services that need to be exposed should be, and ideally through a suitable gateway.

VPNs

When managing non-public facing services a Virtual Private Network (VPN) is useful for access. Wireguard is widely used free software for setting up and accessing a VPN. Some Wireguard resources are below:

• Setting up Wireguard on Ubuntu

• Adding clients with a QR code

User Management

Identity Management

• Keycloak

LDAP

Software

• PWM Self-service password manager via LDAP

Cloud

• OpenStack Open source cloud software

IAAS

• Terraform Infrastructure automation on cloud systems

Containers

Kubernetes

• Minikube Local kubernetes cluster for testing and practice

• Helm Kubernetes package manager

GitOps

Software

• Flux