Feature: Provide tWAS VM Images Azure Marketplace offerings #64

Open
git4rk opened this issue Dec 14, 2022 · 5 comments

Contributor

git4rk commented Dec 14, 2022

Goal

Provide tWAS VM Images Azure Marketplace offering for customers to create a customized tWAS Cluster/Single Server env on their own.

User experience

  • Customer searches for the VM Image offer in Azure Marketplace/Portal
  • Customer launches the offer and fills in the details to instantiate the VM
    • Customer specifies VM size, user name, ssh key, disk size, network, etc. (standard set of options for all VM image offering)
    • Only one VM can be created at a time
  • Once the VM instance is created, the customer uses their scripts to set up and configure the tWAS env.

Deliverables

  • VM Image offering on Azure Marketplace for tWAS Base 9.0.5, tWAS ND 9.0.5, and IHS 9.0.5
    • Each of these will be a separate offering

Requirement/Design

VM Images

  • Build three VM Images (tWAS Base, tWAS ND, IHS: 9.0.5.x)
  • All images
    • will be based on RHEL 9.x (with latest fixes)
    • will have ILMT (IBM License Metric Tool) agent (BigFix client) installed (which customers can configure later)
      • IHS VM image does not need ILMT agent installed
    • will contain IM and one of the products (tWAS ND, tWAS Base, IHS)
    • will contain virtualimage.properties which will have products installed and their location on the VM
    • OS and WAS/IHS binaries should have latest fixes applied
  • Build Images using GH Actions (same as it is done for tWAS Solutions offerings)
  • Apply CIS rules using openSCAP. Capture the before and after report from this tool and add it to the CI/CD output.
    • Delete the tool from the VM before creating the image.

Marketplace offerings

  • Provide three Marketplace offerings: one for each VM image
  • All image offerings will have direct link to IBM License terms (reference Azure doc)
  • Note: Customer’s entitlement cannot be verified since the UI does not provide an option to collect IBMid credentials.
    • It is customer’s responsibility to ensure they are entitled.
    • Customer can configure ILMT agent and/or install iFixes after VM instance is created.
    • No need to change or do anything different on VM to switch from evaluation to entitled.
    • If customer has configured ILMT agent, they can update the entry as evaluation/entitled.

Test

  • Test images by deploying it, configuring WAS, installing a sample application and accessing admin console + application
  • Function test using UI and CLI
  • System test

Image and offering updates

  • Weekly (or even more frequently) and on-demand
  • Image build and publish process must be automated to handle frequent updates
  • Identify ways to get notified of vulnerabilities in RHEL 9.x and tWAS/IHS, etc. so that we can update the image asap.

Documentation

  • Marketplace Landing page (Intro, Arch diagram, …)
    • Highlight the CIS compatibility
  • Recommendation for customers (after VM is instantiated): Update OS and apply latest tWAS/IHS fixes

GTM

  • Marketing materials: Blogs, how to docs

Additional tasks (should be handled separate from this feature)

  • Use same images for tWAS Cluster and Base Solution offerings
  • Automating the publishing of these Solutions (or decouple image and Solution)
    • If solution update cannot be automated then update the solution quarterly after new fixpack release (like it's done today)

git4rk changed the title from "Epic: Provide tWAS VM Images Azure Marketplace offerings" to "Feature: Provide tWAS VM Images Azure Marketplace offerings" on Dec 14, 2022

Contributor Author

git4rk commented Dec 15, 2022

@edburns Please review the requirement and design for this feature request and provide sizing for these items so that we can plan the release (feel free to edit the list):

  • (Dev/Test) Image build
  • CI/CD + Integration test
  • Automate offer publishing
  • Doc

Collaborator

majguo commented Jan 6, 2023

One question:

  • In section VM Images, CIS compliant RHEL 8.x is required for VM image. I tried to create a VM using CIS compliant RHEL 8.x and it will have an additional charge for CIS Red Hat Enterprise Linux 8 Benchmark L1 by Center For Internet Security, Inc. (see screenshot below as an example), as CIS compliant RHEL 8.x is a Marketplace image. Is it OK?

    image

Contributor Author

git4rk commented Feb 8, 2023

@majguo @edburns Sorry, it took some time to finalize on this and it will undo some of the work that you have done. We have concluded that instead of using CIS image, we will use non-CIS VM and apply CIS rules to that VM.

  • The cost of CIS images might deter customers from using the VM Image offering. Here is the cost comparison for a few VM types

image

  • Offering separate CIS and non-CIS Images will increase our dev and maintenance cost.
  • I investigated other options to use the non-CIS image and apply CIS rules to them. I found an open source tool from Red Hat, called openSCAP, which evaluates and remediates the CIS rules.
  • The tool reported 85% compatibility for CIS image from CIS Inc.

image

  • The tool reported 65% compatibility for RHEL 9.x image

image

  • After running the tool with remediation, the compatibility went up to 92%
    oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_cis_workstation_l1 --fetch-remote-resources --results scan_results.xml --report scan_report.html /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml

image

  • The tool is available under LGPL 2.1 license and ok for us to use to build the image.
  • I have updated the issue detail based on this investigation.
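
An added example, not part of the comment above or of the project's pipeline: one way to turn the before and after `--results` XML files from the `oscap xccdf eval` run into a CI summary and build gate. The pass ratio is a plain count of rule results, not the score shown in the openSCAP HTML report; the sample XML, rule ids, function names and threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "http://checklists.nist.gov/xccdf/1.2"  # namespace of XCCDF 1.2 result files
NS = {"x": XCCDF}
PASSING = {"pass", "fixed"}             # "fixed" = failed, then repaired by --remediate
FAILING = {"fail", "error", "unknown"}  # other outcomes (notapplicable, ...) are not scored

def summarize(results_xml: str) -> dict:
    """Summarize the rule-result outcomes of the last TestResult in the file."""
    root = ET.fromstring(results_xml)
    test_results = list(root.iter(f"{{{XCCDF}}}TestResult"))
    if not test_results:
        raise ValueError("no XCCDF TestResult element found")
    counts, failed = Counter(), []
    for rr in test_results[-1].findall("x:rule-result", NS):
        outcome = (rr.findtext("x:result", default="unknown", namespaces=NS) or "unknown").strip()
        counts[outcome] += 1
        if outcome in FAILING:
            failed.append(rr.get("idref"))
    passed = sum(counts[o] for o in PASSING)
    scored = passed + sum(counts[o] for o in FAILING)
    pct = round(100.0 * passed / scored, 1) if scored else 0.0
    return {"counts": dict(counts), "pass_pct": pct, "failed": sorted(failed)}

def gate(before: dict, after: dict, min_pct: float) -> list:
    """Return reasons to stop the image build; an empty list means continue."""
    reasons = []
    if after["pass_pct"] < min_pct:
        reasons.append(f"pass ratio {after['pass_pct']}% is below {min_pct}%")
    regressed = sorted(set(after["failed"]) - set(before["failed"]))
    if regressed:
        reasons.append("rules failing only after remediation: " + ", ".join(regressed))
    return reasons

def sample(outcomes: dict) -> str:
    """Build a constructed, minimal results document (not real oscap output)."""
    rows = "".join(f'<rule-result idref="{i}"><result>{o}</result></rule-result>'
                   for i, o in outcomes.items())
    return f'<Benchmark xmlns="{XCCDF}"><TestResult id="constructed">{rows}</TestResult></Benchmark>'

# Constructed rule ids and outcomes standing in for the before/after scans.
BEFORE = summarize(sample({"rule_a": "pass", "rule_b": "fail", "rule_c": "fail", "rule_d": "notapplicable"}))
AFTER = summarize(sample({"rule_a": "pass", "rule_b": "fixed", "rule_c": "fail", "rule_d": "notapplicable"}))

if __name__ == "__main__":
    print("before:", BEFORE["pass_pct"], "% after:", AFTER["pass_pct"], "%")
    print("still failing:", AFTER["failed"])
    print("gate at 90% (hypothetical threshold):", gate(BEFORE, AFTER, 90.0) or "ok")
```

In a pipeline, `summarize` would be given the contents of the two results files instead of the constructed samples, and the list of still-failing rule ids would go into the CI/CD output next to the HTML reports.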

Collaborator

edburns commented Feb 15, 2023

Discussed this with @majguo last night. This looks solid and perfectly implementable.

Collaborator

edburns commented Jan 4, 2024

@git4rk I judge this can be closed.
