When IT consultancy OpenCredo set out to launch three new applications within seven months for a major insurance underwriter, it had three goals in mind: Trim development time from the usual years-long pace, allow for frequent changes from the client, and build a system that can handle unpredictable traffic spikes.
By using the Cloud Foundry open-source framework along with other open-source software, OpenCredo eliminated "heavy lifting" such as configuring virtual machines and adjusting the size of storage volumes, says CEO Russell Miles. The framework allowed developers to write code locally, share it with the client, and automate the integration, testing, and deployment of application components.
[ In the data center today, the action is in the private cloud. InfoWorld's experts take you through what you need to know to do it right in our "Private Cloud Deep Dive" PDF special report. | Also check out our "Cloud Security Deep Dive," our "Cloud Storage Deep Dive," and our "Cloud Services Deep Dive." ]
Among other advantages, Cloud Foundry makes it easier to scale an application by adding more instances without downtime, Miles says. Because of the way it works with other open-source software, new features can be added in minutes rather than hours.
Even with all those benefits, open-source cloud frameworks like Cloud Foundry are a work in progress. Many manage only physical servers or stand-alone applications, leading customers who need more sophisticated capabilities to create their own frameworks. However, they offer compelling value because they mask the complexity of cloud computing setups, and the open-source model is an attractive way to do that.
Understanding the basics
The term "framework" is used to loosely describe collections of anything from development tools to middleware to database services that ease the creation, deployment and management of cloud applications. Those that work at the level of servers, storage and networks are infrastructure-as-a-service (IaaS) frameworks. Those that operate at the higher level of applications are platform-as-a-service (PaaS) frameworks.
Among the most popular IaaS frameworks are OpenStack, Eucalyptus, and the Ubuntu Cloud infrastructure. Citrix recently announced it was making its formerly proprietary CloudStack IaaS platform part of the open-source Apache project. Gartner analyst Lydia Leong wrote in her blog that this is "big news" because CloudStack is much more stable and production-ready than the "unstable" and "buggy" OpenStack.
Popular PaaS frameworks include Heroku, Cloud Foundry (backed by VMware), and Red Hat's OpenShift, which is built on a foundation of Red Hat Enterprise Linux with support for a variety of languages and middleware through the use of "cartridges."
Customers often use multiple frameworks and associated tools. One example is the use of OpenStack to provision virtual machines, and Opscode Chef to create "recipes" describing how servers should be configured, says Opscode co-founder Jesse Robbins. The further up the "stack" a platform operates, the less work the customer must do, but they also have less control over the infrastructure components, says Matt Conway, CTO at online backup vendor Backupify.
Beyond easing cloud creation, most frameworks claim to make it easier to move cloud deployments among public and private clouds to get the lowest cost and best service. For example, Eucalyptus is meant to provide an Amazon EC2-compatible API that runs on top of Ubuntu Linux (the version of Linux underpinning the Ubuntu Cloud), "so apps authored for EC2 should be transplantable to one's own data center running Eucalyptus," says Conway. "Deltacloud was an initiative by Red Hat to create a 'cloud API' to abstract your application away from vendors like Amazon, and it would proxy your requests to the actual Amazon API."
For online storage vendor CX, OpenStack provides the flexibility to use other cloud vendors besides Amazon "if [Amazon's] services become too expensive or otherwise unsuitable," says CX CTO Jan Vandenbos.
Anthony Roby, a senior executive in Accenture's advanced systems and technology group, says the word "framework" is often misused, and offerings such as Eucalyptus or OpenStack are "not frameworks at all," but "products you can extend or use to build your own infrastructure cloud." However, most observers define frameworks as software building blocks used to create cloud-based services for users.
The role of open source
Open-source projects range from "pure" open-source development initiatives directed by nonprofit foundations that aren't associated with any commercial vendors, to those getting financial, marketing and development help from leading companies.
Canonical, which provides support for open-source efforts and plays a leading role in Ubuntu, has seen interest in open source "from the Fortune 50 to a ton of SMBs and startup companies," says Kyle McDonald, head of cloud at Canonical. Most of the company's OpenStack business has come from Fortune 1,000 companies seeking to reduce software costs, he says.
Over the past five years, "there's been a sea change towards open source being viewed as [a] safer bet" than proprietary software, says Chris Haddad, vice president of technology evangelism at PaaS framework provider WSO2. With the rising quality of open-source software, and the backing of major vendors, "large commercial organizations do not see it as a threat," he says. In fact, because of economic uncertainties, "to bet your farm on one company is not seen as a good decision these days," he adds.
Unlike developers working to meet the goals of a corporation subject to the ups and downs of the economy, open-source contributors "are writing software because that is what they love to do," says Conway.
While most early users of open-source products, such as Chef, were cloud providers that sold services to others customers, Robbins says he is "seeing a pretty quick shift to pretty rapid adoption in the enterprise" among banks, large media companies and other organizations that are building their own private clouds.
Most users, however, are not yet moving critical applications to the cloud, because they don't have the tools necessary to provide proper IT oversight and security, says Bryan Che, senior director of product management and marketing at Red Hat's cloud business unit. He says Red Hat's OpenShift will help meet these needs, in part by leveraging the security mechanisms already within Red Hat Enterprise Linux.
State Street overcomes security concerns by never acquiring open-source software directly from the Web, but only through trusted partners from which "we can get a support structure as well as the software," says chief architect Kevin Sullivan. Moreover, he says, the company also carefully checks contracts to ensure compliance with the terms of the license, and it scans all open-source software for malicious code.
WSO2 Stratos is already addressing such needs with products to support not only application development and deployment, but also integration, rules, business process management, governance, complex event processing and identity management, says Haddad.
Some observers question whether open-source frameworks really deliver the benefits they're said to offer -- such as portability among clouds providers. "Eucalyptus replicates some of the Amazon APIs, but if you're using something on Amazon [that] Eucalyptus doesn't support, you're out of luck," says Roby. "Similarly, if you're trying to run Java apps and using the Spring [application development] framework, you've got a fair amount of support." But as soon as a customer begins using features, such as data storage, that can't be accessed via Spring, those features may not run correctly with a different provider. Without the ability to move underlying services as well as the application code, he says, "you don't have any portability."
With open source, users (or a group of users) theoretically could take the source code and tweak it to meet their own needs if a vendor can't or won't. However, few users would want to do that, says Roby. "If you're a big telco, maybe you are interested in being able to change the code... but most organizations wouldn't do that. The last thing they want is to have their own specific variant of the product" that they would have to support, while losing the ability to take advantage of upgrades from others in the community, he says.
Creating a unique open-source "fork" is usually not something you want to do "unless you absolutely have to," agrees Conway, noting that the fork could stagnate without contributions from others.
Much buzz surrounds open source, but proprietary frameworks such as Microsoft Azure or Salesforce.com's Force.com can be better choices "if you have specific needs and that platform already has built-in [elements] to make the job easier," says Shriram Nataraj, senior director in the cloud technology practice at Persistent Systems, a global software development firm. "If you're already a Salesforce customer and want to migrate part of your workload onto a different platform, Force.com can be a very good option for you. If you're already an Office 365 customer and have workloads on [Microsoft's .Net framework]... it makes sense to go towards Microsoft Azure."
Good fits for open-source frameworks tend to include experimental cloud applications built by developers who are comfortable with newer, open-source tools. Other likely candidates include applications deployed by organizations such as universities or research labs, which have the technical skills to learn and work with these new technologies, and/or the need for specialized capabilities such as massive databases or advanced analytics, says Roby.
Typical apps deployed using open-source frameworks include Web and social applications, as well as mobile or customer-facing websites, says Jerry Chen, vice president of cloud and application services at Cloud Foundry. Such frameworks are also useful when organizations need to deploy applications quickly and scale them up and down as needed.
Legacy applications requiring hardware or software that may not be supported on the Web tend to be less attractive candidates. "While it is very possible to migrate many data center applications from local servers onto [virtual] cloud-based ones, the ROI is not always clear," says Bill Weinberg, senior director of Olliance Group at software and services provider Black Duck Software. "The downside can lie in potential security issues, divergent response to loading, throughput bottlenecks and availability."
OpenStack and Cloudscale are better choices for complex applications than Eucalyptus, says Nataraj, because they do a better job of hiding the complexity of networking. For an application that, for example, requires a user "to connect from a different IP range," a customer would "have to write custom code to make that happen with Eucalyptus," he says. With OpenStack, the "switches" required to make those new network connections are already present.
The number and quality of developers involved in an open-source project can also be a good indication of the project's quality, many observers say. If developers from several companies are involved, vendor lock-in is less likely to be a problem, says Nataraj.
Roby, however, suggests focusing on a commercial vendor's level of commitment, rather than that of the community. "It's largely a myth that there's a lot of new code being developed by a large group of people," he says. "Any of these successful products are developed by a small group of people," with the community at large "providing feedback and maybe doing testing or providing documentation."
Miles also warns of "token" open-source efforts by partnerships among major vendors. "If both those companies don't really rely on the product for revenue, at any point in time either or both will just walk away, and the product will die," he warns.
The unconventional licensing terms that some open-source developers impose on their software, such as one requiring that "the Software shall be used for Good, not Evil," raise eyebrows in corporate legal departments. Posing a more serious problem are licenses that require a company to share any enhancements with other members of the community -- which creates the possibility that the company may have to reveal "best practices" to competitors.
Most experts interviewed say mainstream licenses such as Apache's don't impose such troublesome requirements. In any case, says Conway, his staff's processes and skills are just as important as any code he shares with others. And, he points out, open source also lets him use improvements made by others.
Open-source cloud frameworks have the potential to make it far easier for organizations to meet changing business needs by quickly deploying Web applications across public and private clouds. But to get those benefits, IT architects must sift through the various meanings that different vendors have for their "frameworks" and whether each framework can deliver the level of ease of use they need to meet their specific requirements.
Scheier is a veteran technology writer. He can be reached at firstname.lastname@example.org.
Read more about cloud computing in Computerworld's Cloud Computing Topic Center.
This story, "Open-source cloud frameworks: A work in progress" was originally published by Computerworld.