Difficulty: intermediate

Estimated Time: 40 minutes

In this scenario you will create two Fn functions - with identical, fully generated implementation. You choose your runtime of choice - node, java, python, go, .... Both functions are deployed to an application. Both functions are exposed in an API Gateway API Deployment with separate routes. Finally, for both routes are Health Checks defined through OCI Monitoring; one health check will have a 5 min interval, the other a 15 minute interval. Inspecting the metrics collected by these healthchecks - we expect one function to remain hot and producing much faster responses than the second function that will not stay hot and needs to be reinitialized upon every health check request. The scenario uses an Ubuntu 20.04 environment with Docker, OCI CLI and Fn CLI as well Visual Studio Code IDE. Before you can start the steps in the scenario, the two Command Line interfaces are downloaded and installed. This will take about one minute.

The scenario expects a number of preparations:

an API Gateway already has been provided in compartment lab-compartment with permissions to access functions in this compartment; the API Gateway is associated with a public subnet (this is part of the OCI Tenancy Preparation Scenario)

Note: it is assumed that you prepared an OCI tenancy using the Katacoda scenario Preparation of Cloud Trial tenancy for REAL OCI scenarios. This preparation will have created the VCN you need for running functions in OCI as well as the lab-compartment in which the functions are created. Additionally, you should have created a key pair in this scenario and prepared the contents of the config and oci_api_key.pem files. If you have not gone through this OCI tenancy preparation, please do so before continuing with this scenario. You also need an Auth Token to login to the OCIR Container Registry; this too is created in the preparation scenario and used in the Function on OCI scenario.

The scenario was prepared in July 2020.

Summary

This completes this scenario.

You have:

created and deployed two functions - hello1 and hello2
created publicly accessible routes for the two functions in the API Gateway
created health checks for the two routes (and indirectly the two functions)
create alarms for the two health checks - to publish notifications when the function invocation time is slowish

Your environment is currently being packaged as a Docker container and the download will begin shortly. To run the image locally, once Docker has been installed, use the commands

cat scrapbook_redexpertalliance_oci-course/oci-functions-apigateway-healthcheck_container.tar | docker load

docker run -it /redexpertalliance_oci-course/oci-functions-apigateway-healthcheck:

Restart Scenario

Next Scenario

Functions, Object Storage and API Gateway on Oracle Cloud Infrastructure

Step 1 of 5

Step 1 - Prepare Environment Settings, Fn and OCI CLI

Wait for OCI CLI and Fn CLI to be installed

Execute the following command to install the OCI CLI:

curl -L https://raw.githubusercontent.com/oracle/oci-cli/master/scripts/install/install.sh > install-oci-cli.sh
chmod +777 install-oci-cli.sh
sudo ./install-oci-cli.sh --accept-all-defaults

# add this line to ~/.profile - to make oci a recognized shell command
echo 'oci() { /root/bin/oci "[email protected]"; }' >> ~/.profile
# reload ~/.profile
. /root/.profile
# now oci is recognized as a command

# get workshop resource into scenario

git clone https://github.com/AMIS-Services/oracle-cloud-native-meetup-20-january-2020

You need to provide details on the OCI tenancy you will work in and the OCI user you will work as. Please open the IDE tab and edit these two files:

~/.oci/config
~/.oci/oci_api_key.pem

Paste the contents that you prepared in the OCI Tenancy preparation scenario.

Set the environment variable LAB_ID to 1 - unless you are in a workshop with multiple participants and each uses their own number.

export LAB_ID=1

Do not continue until you see the file /root/allSetInBackground appear. If it appears, then the OCI CLI has been installed and you can continue.

Try out the following command to get a list of all namespaces you currently have access to - based on the OCI Configuration defined above.

oci os ns get

If you get a proper response, the OCI is configured correctly and you can proceed. If you run into an error, ask for help from your instructor.

You need to perform one more edit action on file ~/.oci/config. Open this file in the editor. Copy the entire contents and paste it below the current contents. Now change [DEFAULT] to [FN] in the duplicate block. The file will now look something like:

[DEFAULT]
user=ocid1.user.oc1..aaaaaaaazr7eselv5q
fingerprint=fd:db:13:bd:31
tenancy=ocid1.tenancy.oc1..aaaaaaaaggg6okq
region=us-ashburn-1
key_file=/root/.oci/oci_api_key.pem
[FN]
user=ocid1.user.oc1..aaaaaaaazr7eselv5q
fingerprint=fd:db:13:bd:31
tenancy=ocid1.tenancy.oc1..aaaaaaaaggg6okq
region=us-ashburn-1
key_file=/root/.oci/oci_api_key.pem

Environment Preparation

Check the installed version of Fn CLI. Note: we do not need the Fn server at this stage.

fn version

Configure and set remote context

List the currently available Fn contexts

fn list contexts

Create an appropriate Fn context for working with OCI as provider (see OCI Docs on Functions).

fn create context lab-fn-context --provider oracle

fn use context lab-fn-context

##Prepare a number of environment variables.

Note: the assumptions here are that you have a compartment called lab-compartment, as well as an API Gateway lab-apigw in that same compartment as well as an API Deployment called MY_API_DEPL# on the API Gateway. We need to get references to these resources in order to create new resources in the right place.**

export REGION=$(oci iam region-subscription list | jq -r '.data[0]."region-name"')
export REGION_KEY=$(oci iam region-subscription list | jq -r '.data[0]."region-key"')
export USER_OCID=$(oci iam user list --all | jq -r  '.data |sort_by(."time-created")| .[0]."id"')
export TENANCY_OCID=$(oci iam user list --all | jq -r  '.data[0]."compartment-id"') 
cs=$(oci iam compartment list)
export compartmentId=$(echo $cs | jq -r --arg display_name "lab-compartment" '.data | map(select(."name" == $display_name)) | .[0] | .id')

apigws=$(oci api-gateway gateway list -c $compartmentId)
export apiGatewayId=$(echo $apigws | jq -r --arg display_name "lab-apigw" '.data.items | map(select(."display-name" == $display_name)) | .[0] | .id')
depls=$(oci api-gateway deployment list -c $compartmentId)
deploymentEndpoint=$(echo $depls | jq -r --arg display_name "MY_API_DEPL_$LAB_ID" '.data.items | map(select(."display-name" == $display_name)) | .[0] | .endpoint')
apiDeploymentId=$(echo $depls | jq -r --arg display_name "MY_API_DEPL_$LAB_ID" '.data.items | map(select(."display-name" == $display_name)) | .[0] | .id')
vcns=$(oci network vcn list -c $compartmentId)
vcnId=$(echo $vcns | jq -r --arg display_name "vcn-lab" '.data | map(select(."display-name" == $display_name)) | .[0] | .id')
subnets=$(oci network subnet list  -c $compartmentId --vcn-id $vcnId)
export subnetId=$(echo $subnets | jq -r --arg display_name "Public Subnet-vcn-lab" '.data | map(select(."display-name" == $display_name)) | .[0] | .id')
# get namespace
nss=$(oci os ns get)
export ns=$(echo $nss | jq -r '.data')

Update the context with the settings relevant for this workshop.

fn update context oracle.compartment-id $compartmentId

fn update context api-url https://functions.$REGION.oci.oraclecloud.com

fn update context registry ${REGION_KEY,,}.ocir.io/$ns/cloudlab-repo

fn update context oracle.profile FN

You can list the currently available Fn contexts again and see whether your changes had an effect (of course they did)

fn list contexts

Next and finally, login to the private Docker Registry that is prepared for you on OCI.

The username you have to provide is composed of <tenancy-namespace>/<username>.

NAMESPACE=$(oci os ns get| jq -r  '.data')
USER_USERNAME=$(oci iam user list --all | jq -r  '.data |sort_by(."time-created")| .[0]."name"')
echo "Username for logging in into Container Registry is $NAMESPACE/$USER_USERNAME"

The password is an Authentication Token generated for the specified user, in the OCI Tenancy preparation scenario. If you do not remember the authentication token, you can generate another one in the OCI Console: https://console.REGION.oraclecloud.com/identity/users//swift-credentials or using the instructions in the preparation scenario.

echo "Open the console at https://console.${REGION,,}.oraclecloud.com/identity/users/$USER_OCID/swift-credentials"

Now you can perform the login. Type the username and press enter, then type or paste the authentication token and press enter again.

docker login ${REGION_KEY,,}.ocir.io

And now we are finally ready to create Functions on Oracle Cloud Infrastructure and expose them through OCI API Gateway.

Step 2 - Create and Deploy Two Functions

Creating, Deploying and Invoking a Functions on OCI

In this step we will create two simple, identifical function with Fn. We pick Node (JS) as our runtime - Go, Python, Java and Ruby are other out of the box options that you may use.

export function1=hello1$LAB_ID

fn init --runtime node $function1
cd $function1

Three files have been created in the new directory hello1#.

ls

You could open func.js in the text editor to see the generated functionality.

Create Application

The application that will act as the container for the two functions probably already exists; however, just to be sure let's try to create it (if this statement fails because the application already exists, that is fine):

fn create app "lab$LAB_ID" --annotation "oracle.com/oci/subnetIds=[\"$subnetId\"]"

See the list of applications - that should include your new application:

fn list apps

Deploy the Function

Deploy the Function hello1#, into an app that was created beforehand. At this stage a container image is built to host and run the function. This container image is pushed to the Oracle Container Registry on OCR. It is this image that is used to start a container from when the function is (first) invoked.

fn -v deploy --app "lab$LAB_ID"

Time to invoke the function. The command for invoking the function is simply: fn invoke <app-name> <function-name>:

fn invoke "lab$LAB_ID" $function1

The first call may take a while because of the cold start of the function. During cold start, the container image is used to start a new container from the image that was built and pushed. If you call the function a second and third time, it is bound to go a lot quicker - because the container will hang a round for a bit. After ten minutes or so of inactivity, the container will be stopped and the next function call after that will suffer again from cold start.

Note: if you get an error message that looks like "Error invoking function. status: 502 message: dhcp options ocid1.dhcpoptions.oc1.iad.ac5aeaq does not exist or Oracle Functions is not authorized to use it", it is probably caused by the fact that:

the lab-compartment does not have a VCN
or the VCN does not have a public subnet
or the public subnet does not have an Ingress Rule to allow incoming traffic on port 443
or the FaaS Service is not granted access to VCN and network resources in lab-compartment through a policy

All of the above should have been prepared in the OCI Tenancy Preparation scenario.

To send in a JSON object as input to the function, use the following command:

echo -n '{"name":"Your Own Name"}' | fn invoke "lab${LAB_ID}" "$function1" --content-type application/json

Again, a friendly, this time personalized welcome message should be your reward - coming from the cloud.

Create the second function hello2 in the exact same manner

cd /root
export function2=hello2$LAB_ID

fn init --runtime node $function2
cd $function2
fn -v deploy --app "lab$LAB_ID"
fn invoke "lab$LAB_ID" $function2

Both functions should now be deployed and ready to be exposed through API Gateway.

Step 3 - Expose Functions through API Gateway Routes

Expose Functions through API Gateway

In this step, you will create an API Deployment on a preexisting API Gateway with routes for the two functions created in the previous step.

Create a file called api_deployment.json in the current directory with this contents.

cd ..
touch api_deployment.json

Copy the definition of the route /stock to the api_deployment.json file:

{
  "routes": [
    {
      "path": "/stock",
      "methods": ["GET"],
      "backend": {
        "type": "STOCK_RESPONSE_BACKEND",
        "body": "{\"special_key\":\"Special Value\"}",
        "headers":[],
        "status":200
      }
    }
  ]
}

It is possible that the API Gateway Deployment already exists from a previous scenario, in which case the next create command will fail. Which is fine. Create the API Deployment in API Gateway lab-apigw with the following command: `oci api-gateway deployment create --compartment-id $compartmentId --display-name MY_API_DEPL_$LAB_ID --gateway-id $apiGatewayId --path-prefix "/my-depl$LAB_ID" --specification file://./api_deployment.json`{{execute}} It will take a few seconds - up to 15-20 seconds - for the new API Deployment to be created. You can check the progress of the creation in the OCI Console. ``` depls=$(oci api-gateway deployment list -c $compartmentId) deploymentEndpoint=$(echo $depls | jq -r --arg display_name "MY_API_DEPL_$LAB_ID" '.data.items | map(select(."display-name" == $display_name)) | .[0] | .endpoint') apiDeploymentId=$(echo $depls | jq -r --arg display_name "MY_API_DEPL_$LAB_ID" '.data.items | map(select(."display-name" == $display_name)) | .[0] | .id') apps=$(oci fn application list -c $compartmentId) labApp=$(echo $apps | jq -r --arg display_name "lab$LAB_ID" '.data | map(select(."display-name" == $display_name)) | .[0] | .id') funs=$(oci fn function list --application-id $labApp) hello1Fun=$(echo $funs | jq -r --arg display_name "$function1" '.data | map(select(."display-name" == $display_name)) | .[0] | .id') echo "OCID for hello function : $hello1Fun" hello2Fun=$(echo $funs | jq -r --arg display_name "$function2" '.data | map(select(."display-name" == $display_name)) | .[0] | .id') echo "OCID for hello function : $hello2Fun" ```{{execute}} Open the new file *api_deployment.json* in the text editor and copy the definitions of the routes */hello1* and */hello2* to the api_deployment.json file. The /hello1 and hello2 routes accept both GET and POST requests - but not PUT, DELETE and others. The routes are of type ORACLE_FUNCTIONS_BACKEND and have the two new Functions as their targets. Replace `function hello1 ocid` and `function hello2 ocid` in the file with the OCID that was found just now.

{
  "routes": [
    {
      "path": "/hello1",
      "methods": ["GET","POST"],
      "backend": {
        "type": "ORACLE_FUNCTIONS_BACKEND",
        "functionId": "function hello1 ocid"
      }
    },    
    {
      "path": "/hello2",
      "methods": ["GET","POST"],
      "backend": {
        "type": "ORACLE_FUNCTIONS_BACKEND",
        "functionId": "function hello2 ocid"
      }
    }
  ]
}

Update the API Deployment in API Gateway lab-apigw with the following command:

oci api-gateway deployment update --deployment-id $apiDeploymentId --specification file://./api_deployment.json

Confirm the update in the terminal window.

It will take a few seconds (up to 15 seconds) for the API Gateway to synchronize its definition with the new specification. When the API Gateway deployment is updated, you can start using the new route.

You can check on the state of the API Deployment and the current update (called a workrequest) in the OCI Console. Execute this command to get the URL to the Console:

echo "Your OCI Console Endpoint to inspect your API Deployment's current state: https://console.$REGION.oraclecloud.com/api-gateway/gateways/$apiGatewayId/deployments/$apiDeploymentId/workrequests"

Invoke the Hello Function - Now publicly exposed through API Gateway

Using curl you can now invoke the route that leads to the function hello that you created in a previous scenario, and POST an input message to the function.

curl -X "POST" -H "Content-Type: application/json" -d '{"name":"Bob Hello 1"}' $deploymentEndpoint/hello1

And the second endpoint:

curl -X "POST" -H "Content-Type: application/json" -d '{"name":"Bob Hello 2"}' $deploymentEndpoint/hello2

Feel free to invoke the function in Postman and/or in your Browser, using its endpoint:

echo "Function Hello's Endpoint $deploymentEndpoint/hello1 and $deploymentEndpoint/hello2"

Step 4 - Create Monitor Healthchecks for the two Routes

Create Monitor Healthchecks for the two Routes

In this step, you will create Healthchecks for the two routes and the two functions. One healthcheck with an interval of 5 minutes, the other with an interval of 15 minutes.

Create a Healthcheck for the /hello1 function, with the an interval of 5 minutes:

(some preparations are necessary to get the environment variable apiGatewayServer in the right shape - without http:// and without /path)s

export apiGatewayURL=${deploymentEndpoint///my-depl$LAB_ID/}
export apiGatewayServerX=${apiGatewayURL/https:/} 
apiGatewayServerY=$(echo "$apiGatewayServerX" | tr  '//' ' ') 
apiGatewayServer=$(echo "$apiGatewayServerY" | tr  -d "[:space:]") 

oci health-checks http-monitor create --compartment-id=$compartmentId --display-name="Check on Health of Hello 1 function" --interval-in-seconds=300 --targets="[\"$apiGatewayServer\"]" --method=GET --path="/my-depl$LAB_ID/hello1"  --port=443 --protocol=HTTPS --vantage-point-names="[\"aws-lhr\"]"

Now create the second health check for function hello2 with an interval of 900 seconds (15 minutes) (use only one vantage point otherwise the second one will benefit from the function activation by the first one):

oci health-checks http-monitor create --compartment-id=$compartmentId --display-name="Check on Health of Hello 2 function" --interval-in-seconds=900 --targets="[\"$apiGatewayServer\"]" --method=GET --path="/my-depl$LAB_ID/hello2"  --port=443 --protocol=HTTPS --vantage-point-names="[\"aws-lhr\"]"

Findings for the health checks take about one minute to become available. They can be inspected in the console and through queries to the monitoring API. This statement returns all health check metrics - grouped by vantage point.

oci monitoring metric-data summarize-metrics-data --compartment-id=$compartmentId --namespace="oci_healthchecks" --query-text="HTTP.TotalDuration[1m]{resourceDisplayName = \"Check on Health of Hello 1 function\"}.mean()"

It is probably easier to inspect the findings from the healthchecks in the console. Note: we expect both healthchecks to report health all the time. However we expect a substantial difference in the total HTTP Processing Time. We expect function hello1 to stay hot - because every time before it could go cold, it is invoked again by the Health Check. Function hello2 by contrast goes cold after each healthcheck and therefore every healthcheck takes the hit of reinitializing the cold function. This should result in a significant difference between the metrics for the two healthchecks.

Step 5 - Create an Alarm for the Healthcheck Metrics

Create an Alarm for the Healthcheck Metrics

In this final step, you will create an alarm that reports a notification when the average HTTP Processing time is longer than 2 seconds for the two healthchecks we have created. As stated before, we expect the healthcheck for function hello2 (the cold function) to trigger the alarm.

The steps we will go through:

create notification topic lab-notification-topic-$LAB_ID
create alarms for both healthchecks - associated with notification topic

This next command creates a Notification Topic called lab-notification-topic-$LAB_ID. oci ons topic create --compartment-id=$compartmentId --name=lab-notification-topic-$LAB_ID --description="notification topic gets notified for lab alarms"

List all Notification Topics in compartment lab-compartment and verify that a new topic has been created: oci ons topic list --compartment-id=$compartmentId --output table

Get hold of Topic OCID

export ONS_TOPIC_OCID=$(oci ons topic list --compartment-id=$compartmentId | jq -r --arg name "lab-notification-topic-$LAB_ID" '.data | map(select(."name" == $name)) | .[0] | ."topic-id"')
echo "OCID for the Notification Topic lab-notification-topic-$LAB_ID  = $ONS_TOPIC_OCID"

Create the two alarms that trigger when the function execution from the health checks takes longer than 2000 ms:

oci monitoring alarm create --compartment-id=$compartmentId --display-name=lab-poor-function-hello1-response-$LAB_ID --destinations="[\"$ONS_TOPIC_OCID\"]"  --display-name="Function hello1 response takes a long time" --metric-compartment-id=$compartmentId --namespace="oci_healthchecks"  --query-text="HTTP.TotalDuration[1m]{resourceDisplayName = \"Check on Health of Hello 1 function\"}.mean() > 2000"  --severity="INFO" --body="The execution of function hello1 took quite long" --pending-duration="PT5M"  --resolution="1m" --is-enabled=true

oci monitoring alarm create --compartment-id=$compartmentId --display-name=lab-poor-function-hello2-response-$LAB_ID --destinations="[\"$ONS_TOPIC_OCID\"]"  --display-name="Function hello2 response takes a long time" --metric-compartment-id=$compartmentId --namespace="oci_healthchecks"   --query-text="HTTP.TotalDuration[1m]{resourceDisplayName = \"Check on Health of Hello 2 function\"}.mean() > 2000"   --severity="INFO" --body="The execution of function hello2 took quite long" --pending-duration="PT5M"  --resolution="1m" --is-enabled=true

Now you have to sit back and relax - and see whether any alarm will start firing.

You can check the alarms status most easily in the console: Check out the alarm definition - and its current state - in the console : echo "Open the Console at URL https://console.$REGION.oraclecloud.com/monitoring/alarms"

or through the CLI

oci monitoring alarm list --compartment-id=$compartmentId --output table

Findings

Your findings can be different from mine. Mine were not as clear as I had expected them to be. The chart for total http duration for function 1 - with two vantage points, over a period of 6 hours - looked as follows: The closer vantage point reporting between 100 and and 300ms most of times.

The similar chart for function2 - with calls only every 15 minutes, a period long enough for the function to go cold (or so I believed) in the absence of other calls - came out as follows: With a few reports around 2000 ms - presumably when the function had to be reinitialized - most reports indicate a value of 140 ms, on par with the best findings for function1. It would seem that function2 does not nearly grow cold as often as I had anticipated.

I would like to repeat the experiment with a longer interval than 15 minutes - but unfortunately that is the longest interval we can set for health checks.

Terminal

IDE

cd <directory>	Change directory
ls	List directory
echo 'contents' > <file>	Write contents to a file
cat <file>	Output contents of file

i	In Command Mode	Change into Insert Mode, you can now insert and edit text in the file
esc	In Insert Mode	Change into Command Mode, you can now execute commands
:wq	In Command Mode	Save and Exit

Welcome!

Functions, Object Storage and API Gateway on Oracle Cloud Infrastructure

Congratulations!

You've completed the scenario!

Scenario Rating

Summary

Steps

Functions, Object Storage and API Gateway on Oracle Cloud Infrastructure

Step 1 - Prepare Environment Settings, Fn and OCI CLI

Wait for OCI CLI and Fn CLI to be installed

Environment Preparation

Step 2 - Create and Deploy Two Functions

Creating, Deploying and Invoking a Functions on OCI

Create Application

Deploy the Function

Create the second function hello2 in the exact same manner

Step 3 - Expose Functions through API Gateway Routes

Expose Functions through API Gateway

Invoke the Hello Function - Now publicly exposed through API Gateway

Step 4 - Create Monitor Healthchecks for the two Routes

Create Monitor Healthchecks for the two Routes

Step 5 - Create an Alarm for the Healthcheck Metrics

Findings

Welcome!

Functions, Object Storage and API Gateway on Oracle Cloud Infrastructure

Congratulations!

You've completed the scenario!

Scenario Rating

Summary

Steps

Functions, Object Storage and API Gateway on Oracle Cloud Infrastructure

Step 1 - Prepare Environment Settings, Fn and OCI CLI

Wait for OCI CLI and Fn CLI to be installed

Environment Preparation

Login Docker to OCI Container Registry

Step 2 - Create and Deploy Two Functions

Creating, Deploying and Invoking a Functions on OCI

Create Application

Deploy the Function

Create the second function hello2 in the exact same manner

Step 3 - Expose Functions through API Gateway Routes

Expose Functions through API Gateway

Invoke the Hello Function - Now publicly exposed through API Gateway

Step 4 - Create Monitor Healthchecks for the two Routes

Create Monitor Healthchecks for the two Routes

Step 5 - Create an Alarm for the Healthcheck Metrics

Findings

Help

Vim

Welcome! Connect to start

...or sign up using your email

Sign up using your email

You’ll love Katacoda

Guided Path

Learn By Doing

Stay up-to-date

Welcome back! Connect to start

...or log in using your email

Log in using your email

You’ll love Katacoda

Guided Path

Learn By Doing

Stay up-to-date

Welcome! Enter your email address to connect

😺

Have some feedback for us? Please tell us what's happening so we can improve Katacoda.

Creating Katacoda Scenarios

Debugging Scenarios

Tips

Debug Information