UZH Experiences with OpenStack




GC3: Grid Computing Competence Center
UZH Experiences with OpenStack: what we did, what went well, what went wrong
Antonio Messina <antonio.messina@uzh.ch>, 29 April 2013

Setting up

Hardware configuration at UZH
- 25 mixed blades + 2 service machines, around 200 cores total
- 12 TB for Cinder (block storage, similar to EBS)
- 12 TB for Swift (object storage, similar to S3)
- Gigabit network

Software configuration
- Compute nodes installed via PXE/preseed with Ubuntu 12.04
- OpenStack Folsom (late 2012)
- Deployment and configuration automated through CFEngine
- No over-committing of CPUs or memory (over-committing makes little sense for HPC workloads)

Network configuration
- No shared storage (no need to migrate instances)
- Swift storage (for users and for storing VM images)
- nova-network instead of Quantum (Quantum, later renamed Neutron, lacks features and is unstable)
- Flat networking (because of network constraints at UZH)
- Automatic assignment of public IPs

Deployment phase
Deploying OpenStack in a production environment is not straightforward:
- Hard to understand the big picture: many services involved.
- Configuration not easy to automate/replicate (1).
- Documentation does not always help (see next slides).
- @UZH: 1 month for a very basic setup.
(1) You often need to issue commands and parse their output; a configuration file would be easier for automation.
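The footnote above is the concrete automation pain: the Folsom-era CLIs (keystone, nova, glance) print ASCII tables, so a CFEngine or shell wrapper that wants to be idempotent has to parse that table before deciding whether to create anything. The parser below is an added example, not code from the UZH setup or from the OpenStack clients; the sample table is constructed to look like keystone tenant-list output, and the tenant names and ids in it are made up.

```python
"""Parse the ASCII tables printed by the Folsom-era OpenStack CLIs.

Added example, not code from the UZH slides or from OpenStack itself.
The sample table below is constructed to resemble `keystone tenant-list`
output; the ids and names in it are made up.
"""

# Constructed sample output (not captured from a real deployment).
SAMPLE_TENANT_LIST = """\
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| 0f2c1a4b3d5e6f708192a3b4c5d6e7f8 |  admin  |   True  |
| 1a2b3c4d5e6f708192a3b4c5d6e7f809 | service |   True  |
| 9e8d7c6b5a4f30211f0e9d8c7b6a5f4e |   gc3   |  False  |
+----------------------------------+---------+---------+
"""


def parse_table(text):
    """Return one dict per data row, keyed by the header names.

    Border lines (+---+) are skipped; the first pipe-delimited line is the
    header. Cells are stripped, so column padding does not matter. A cell
    value containing a literal '|' is not supported (the CLIs do not emit one
    for ids or names).
    """
    rows = []
    header = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("+"):
            continue  # blank or border line
        if not line.startswith("|"):
            raise ValueError("unexpected line in table output: %r" % line)
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
            continue
        if len(cells) != len(header):
            raise ValueError("row/header column mismatch: %r" % line)
        rows.append(dict(zip(header, cells)))
    return rows


def find_tenant(text, name):
    """Return the id of tenant `name`, or None if it is not listed."""
    for row in parse_table(text):
        if row["name"] == name:
            return row["id"]
    return None


def missing_tenants(text, wanted):
    """Names from `wanted` not present in the listing: what an idempotent
    wrapper would still have to create (a re-run creates nothing)."""
    present = {row["name"] for row in parse_table(text)}
    return [name for name in wanted if name not in present]


if __name__ == "__main__":
    for row in parse_table(SAMPLE_TENANT_LIST):
        print(row)
    print("to create:", missing_tenants(SAMPLE_TENANT_LIST, ["admin", "gc3", "hpc"]))
```

In practice the wrapper captures the command's stdout, feeds it to parse_table, and only issues the create command for the names missing_tenants returns; the same parser works for nova and glance listings, which use the same table layout.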

What we didn't like

Official documentation and community guides
- Cover the trivial case, which is usually not the one you want to implement in production.
- Many HOWTOs, no decent Reference Guide or Administrator Manual.
- Often not up to date or incorrect!
- The recently published OpenStack Operations Guide helps a bit.

Projects - current implementation
- Each user can belong to multiple projects.
- Each user can have different roles in different projects.
- Images, instances, Swift containers and objects always belong to one and only one project.
- Images, instances, Swift containers and objects can be either public or private to the project.
- Sharing is done only through projects.

Projects - why this is bad (sharing)
- A user acts as a member of one single project at a time (a token is scoped to one project).
- You cannot use an image from project A and run it in project B.
- You cannot access a *volume* from project A when running as a member of project B.
- You cannot share something with just one user.

Projects - why this is bad (security)
Security is clearly not a top priority for the OpenStack development team.
- Each member of a project can terminate everybody's instances and delete everybody's images.
- A user cannot change their own password (for security reasons!?!).
- If you have the admin role on a project, you are the administrator OF THE WHOLE OPENSTACK INSTALLATION!
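Both complaints come down to how the policy rules are written: "owner" in the usual admin_or_owner rule means "same project", so the project_id of the instance is compared with the caller's project and the user who created it never enters the decision, and the is_admin flag is derived from the roles in the token without any project condition, so the admin role in one project grants it everywhere. The evaluator below is an added example, not the UZH configuration and not the real OpenStack policy engine (openstack.common.policy at the time, oslo.policy today); it implements only the subset of the rule language needed here. The rule sets, users and instances are constructed; the user-scoped variant with user_id:%(user_id)s is the stricter alternative assumed for the comparison, not a default shipped by any release.

```python
"""Minimal evaluator for policy.json-style rules (added example, not the
real OpenStack policy engine). Supported: "rule:x", "role:x",
"is_admin:True", attribute matches like "project_id:%(project_id)s",
"and" (binds tighter than "or"), "or", "@" (always) and "!" (never).
All rule sets, users and instances below are constructed for the example.
"""


def check(rules, rule_name, target, creds, _depth=0):
    """Evaluate rules[rule_name]. target describes the object being acted on,
    creds the caller's token context (user_id, project_id, roles, is_admin)."""
    if _depth > 10:
        raise ValueError("rule recursion too deep: %s" % rule_name)
    expr = rules[rule_name]
    for conjunction in expr.split(" or "):
        if all(_atom(a.strip(), rules, target, creds, _depth)
               for a in conjunction.split(" and ")):
            return True
    return False


def _atom(atom, rules, target, creds, depth):
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return check(rules, value, target, creds, depth + 1)
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "is_admin":
        return bool(creds.get("is_admin", False)) == (value == "True")
    # Generic attribute check: creds[kind] must equal the value after
    # substituting target attributes, e.g. "project_id:%(project_id)s".
    return str(creds.get(kind)) == value % target


# Constructed rule sets. PROJECT_SCOPED has the shape of the usual
# "admin_or_owner" default, where "owner" means "same project"; USER_SCOPED is
# the stricter variant assumed here, which also requires the creating user.
# "context_is_admin" is evaluated against roles alone: it carries no project
# condition, so the admin role in any one project yields is_admin everywhere.
COMMON = {"context_is_admin": "role:admin"}
PROJECT_SCOPED = dict(COMMON, **{
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:delete": "rule:admin_or_owner",
})
USER_SCOPED = dict(COMMON, **{
    "creator": "project_id:%(project_id)s and user_id:%(user_id)s",
    "admin_or_creator": "is_admin:True or rule:creator",
    "compute:delete": "rule:admin_or_creator",
})

# Constructed instances: both in project gc3, created by different users.
INSTANCES = {
    "vm-alice": {"project_id": "gc3", "user_id": "alice"},
    "vm-bob": {"project_id": "gc3", "user_id": "bob"},
}


def context(rules, user_id, project_id, roles):
    """Build a token-like context; is_admin is derived from the roles the
    token carries for its scoped project, with no further project check."""
    creds = {"user_id": user_id, "project_id": project_id, "roles": list(roles)}
    creds["is_admin"] = check(rules, "context_is_admin", {}, creds)
    return creds


def can_delete(rules, creds, instance_name):
    return check(rules, "compute:delete", INSTANCES[instance_name], creds)


def demo(rules):
    """Return {(user, instance): allowed} for three constructed callers."""
    alice = context(rules, "alice", "gc3", ["member"])
    bob = context(rules, "bob", "gc3", ["member"])
    # carol holds the admin role only in an unrelated project
    carol = context(rules, "carol", "other", ["admin"])
    return {(c["user_id"], vm): can_delete(rules, c, vm)
            for c in (alice, bob, carol) for vm in INSTANCES}


if __name__ == "__main__":
    for name, rules in (("project-scoped", PROJECT_SCOPED), ("user-scoped", USER_SCOPED)):
        print(name)
        for (user, vm), allowed in sorted(demo(rules).items()):
            print("  %-6s delete %-9s -> %s" % (user, vm, "allowed" if allowed else "denied"))
```

Under PROJECT_SCOPED alice may delete vm-bob because both live in gc3; under USER_SCOPED she may not. carol, admin only in project "other", may delete both instances under either rule set, because context_is_admin looks at the role and nothing else. Narrowing the rule to the creator only helps for actions whose target carries a user_id, and it changes behaviour for every tool that relies on project-wide ownership, so it is a deliberate policy choice rather than a drop-in fix.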

Security (networking) (1/2) (talking about nova-network, not Quantum)
- Security groups only protect you from machines on different networks by default.
- You cannot change the security group of a VM while it's running (2).
- The FlatDHCP network driver is the easiest to set up but does not support any network separation between projects.
(2) You can change the rules of the chosen security group, but this will also affect other instances.

Security (networking) (2/2)
The VLAN network driver allows network separation, but at the cost of increased complexity:
- must create one VLAN for each project on all the switches;
- must create a network for each project;
- steps hard to automate (need specific support on the switches).
Quantum should solve some of these issues, but the complexity is even bigger!

Other security concerns
- In the past, many nasty bugs were found in various OpenStack components.
- Weak authentication for services (passwords instead of SSL certificates).
- Files containing sensitive passwords are usually world-readable.
- By default, API services do not use SSL certificates (this should be a requirement).
- Just one example: Glance stores its Swift login and password with each image URL in its internal database.
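Two of these concerns can be checked mechanically on a deployed node: service config files that hold credentials while being world-readable, and Swift credentials embedded in Glance image locations. The script below is an added example, not the UZH tooling and not part of OpenStack. It writes two constructed config files with made-up passwords into a temporary directory and audits them; the option names it looks for (rabbit_password, admin_password, admin_token, swift_store_key, sql_connection, connection) are real Folsom-era option names, but which ones matter for a given deployment is an assumption to be adjusted, and the image location layout swift://user:key@auth-host/container/object is the assumed form of the URL the slide refers to.

```python
"""Audit for credentials in world-readable config files and in Glance
swift:// image locations. Added example, not the UZH tooling and not part
of OpenStack. The sample files are constructed with made-up secrets; the
option lists and the swift:// URL layout are assumptions to adjust.
"""
import os
import re
import stat
import tempfile

# Plain password options (assumed relevant set; extend for your deployment).
PASSWORD_OPTIONS = {"rabbit_password", "admin_password", "admin_token",
                    "swift_store_key"}
# Options holding a connection URL; only secret if it embeds user:password@.
URL_OPTIONS = {"sql_connection", "connection"}
_URL_WITH_PASSWORD = re.compile(r"^[\w+]+://[^:/@\s]+:[^@\s]+@")
# Assumed layout of the swift store location: swift://user:key@host/container/object
_SWIFT_LOCATION = re.compile(
    r"^(?P<scheme>swift(?:\+https?)?)://(?P<userinfo>[^@/\s]+)@(?P<rest>\S+)$")


def config_secrets(path):
    """Return the option names in an ini-style file that carry a credential."""
    found = []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;[":
                continue  # blank, comment or section header
            key, sep, value = line.partition("=")
            if not sep:
                continue
            key, value = key.strip(), value.strip()
            if key in PASSWORD_OPTIONS and value:
                found.append(key)
            elif key in URL_OPTIONS and _URL_WITH_PASSWORD.match(value):
                found.append(key)
    return found


def world_readable(path):
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit(paths):
    """Return (path, problem) findings for files that leak credentials."""
    findings = []
    for path in paths:
        secrets = config_secrets(path)
        if secrets and world_readable(path):
            findings.append((path, "world-readable file holds " + ", ".join(secrets)))
    return findings


def swift_location_secret(location):
    """Return (user, key) if a swift:// image location embeds a key, else None.
    The key is taken after the last ':' so tenant:user:key forms also work."""
    m = _SWIFT_LOCATION.match(location)
    if not m:
        return None
    user, sep, key = m.group("userinfo").rpartition(":")
    return (user, key) if sep else None


def redact_location(location):
    """Mask the key in a swift:// location, e.g. for logging or reports."""
    m = _SWIFT_LOCATION.match(location)
    if not m or ":" not in m.group("userinfo"):
        return location
    user = m.group("userinfo").rpartition(":")[0]
    return "%s://%s:****@%s" % (m.group("scheme"), user, m.group("rest"))


def make_sample_configs():
    """Write two constructed config files and return their paths:
    nova.conf world-readable (0644), glance-api.conf group-only (0640)."""
    d = tempfile.mkdtemp(prefix="osaudit-")
    nova = os.path.join(d, "nova.conf")
    with open(nova, "w") as fh:
        fh.write("[DEFAULT]\nrabbit_host=ctl1\nrabbit_password=not-a-real-secret\n"
                 "sql_connection=mysql://nova:also-fake@ctl1/nova\n")
    os.chmod(nova, 0o644)
    glance = os.path.join(d, "glance-api.conf")
    with open(glance, "w") as fh:
        fh.write("[DEFAULT]\nswift_store_user=glance\nswift_store_key=fake-key\n")
    os.chmod(glance, 0o640)
    return nova, glance


if __name__ == "__main__":
    for path, problem in audit(make_sample_configs()):
        print("%s: %s" % (path, problem))
    loc = "swift://gc3:glance:fake-key@auth.example.org/images/abc"
    print(swift_location_secret(loc), "->", redact_location(loc))
```

On a real node the audit would be run over /etc/nova, /etc/glance, /etc/keystone and /etc/cinder as root, and the location check over the image locations read from the Glance database; a location that redact_location changes is one whose Swift key is readable by anyone with database access.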

What we actually liked

What we like (1/2)
Basic workflow works well and is reliable:
- start/stop machines
- create/delete images
- create/delete snapshots
- associate public IPs
- security groups (for public IPs)
- nova-network with a basic setup works without issues
- scaling of VMs

What we like (2/2)
- The web interface is basic but easy to use.
- Powerful command-line tools.
- Decent EC2 API compatibility: very important to produce tools that work with both Amazon and OpenStack.
- Responsive community.

Future works

Future works
- Implement high availability for central services.
- Test alternative storage systems: different use cases need different storage backends; thinking of moving from Swift to Ceph.
- Take a look at Quantum (but not too closely).
- DO NOT update to Grizzly (yet): it's nice to have the latest shiny features, but it's even better to have a working, reliable system.

Questions?