Enterprise Private Cloud: Fast and Secure App Deployment with OpenStack (Part 2)

Introduction

Welcome to this Oracle Open World lab; thanks for joining us. This lab will take you through the basics of using OpenStack on Oracle Solaris 11 and installing applications into newly created VM instances.

OpenStack is a popular open source cloud infrastructure that has been integrated into Oracle Solaris 11.2. OpenStack includes a number of services that help you manage the compute, storage and network resources in your data center through a central web-based dashboard. These services can be summarized as follows:

Service Name   Description
Nova           Compute virtualization
Cinder         Block storage
Neutron        Software Defined Networking (SDN)
Keystone       Authentication between cloud services
Glance         Image management and deployment
Horizon        Web-based dashboard

For this lab and the time allocated to us, we will deploy a new VM instance using OpenStack and install the Oracle Database 12c into it. After successfully installing the database and ensuring that it runs correctly, we will create a golden image from which to rapidly clone this environment across the cloud. In the second half of this lab, we will explore some of the compliance and security features included in Oracle Solaris 11, demonstrate a typical compliance lifecycle used in the cloud, and show how we can help lock VMs down against external attack.
Lab Setup

This lab has the following setup:

- Oracle Solaris 11.2 (root password is solaris11)
- Hostname of solaris, IP address range of 10.158.56.0/21
- IPS repository clone at /repository/publishers/solaris
- Oracle Database 12c installation files located in /root/ and an Oracle Database 12c installation response file located at /root/db_install.rsp

To start with, open up a Terminal window in the host OS and start an SSH connection with root/solaris11 as the user/password combination:

# ssh root@10.158.56.x
Password:
Oracle Corporation      SunOS 5.11      11.2    June 2014

1. Provision a VM instance

Before we install the Oracle Database, we will need to create a VM instance to install it into. We will also need to log into the OpenStack Horizon dashboard located at http://10.158.56.x/horizon (matching the IP address provided to you) and launch an instance. Use dba/oracledba as the user/password combination to log in.
Once you have successfully logged in, we will need to do a number of different things. First, let's navigate to the Access & Security menu to associate a new SSH keypair. There are no keypairs currently defined, so let's go ahead by clicking the Import Keypair button. In our case let's use the SSH public key of our global zone:

root@solaris:~# cat .ssh/id_rsa.pub
ssh-rsa [public key line omitted] root@solaris

Having successfully imported the SSH keypair, let's now create a network for this instance. Choose the Networks menu entry to get the following screen:
There are no networks currently defined. Let's create a network by clicking on the Create Network button. Let's create a network called mynetwork with a subnet called mysubnet using the 192.168.x.0/24 address range. This means that instances that choose this network will be created within this range, starting at 192.168.x.3. Use the unique IP that was assigned to your laptop, e.g. 10.158.56.x. Once we create our network, we should see it successfully created in the following screen:
Now we are ready to launch a new instance. Choose the Instances menu entry to get the following screen. Let's launch a new instance by clicking on the Launch Instance button. We will call our instance myinstance. We will give it an "Oracle Solaris non-global zone - medium" flavor. Flavors represent the size of the resources that we should give this instance. We can see here that we will get a root disk of 10GB and 2,048MB RAM. We will choose to boot this instance from the image stored in Glance that we uploaded, called Base Zone.
Once we are happy with the Details tab, we can move on to the Access & Security tab. We can see that our keypair has been pre-selected, so we can immediately move on to the Networking tab. Here we will need to select mynetwork as our network. Once we have finished this, we can click on the Launch button.
After a little bit of time we can see that our instance has been created successfully. Depending on what you chose for your subnet address space, your instance may have a slightly different IP. We are now ready to log into this instance. In this lab we took the simple path of just setting up an internal network topology. In a typical cloud environment we would set up an external network through which VMs could communicate with the outside world. To access these VMs, we will need to go through the global zone.

root@solaris:~# ssh root@192.168.66.3
The authenticity of host '192.168.66.3 (192.168.66.3)' can't be established.
RSA key fingerprint is 89:64:96:91:67:ab:6b:35:58:37:35:b8:ab:f3:e5:98.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.66.3' (RSA) to the list of known hosts.
Last login: Thu Sep 11 00:33:57 2014
Oracle Corporation      SunOS 5.11      11.2    June 2014
root@host-192-168-66-3:~# ipadm
NAME              CLASS/TYPE STATE        UNDER      ADDR
lo0               loopback   ok           --         --
   lo0/v4         static     ok           --         127.0.0.1/8
   lo0/v6         static     ok           --         ::1/128
net0              ip         ok           --         --
   net0/dhcp      inherited  ok           --         192.168.66.3/24

2. Setting up an environment for the Oracle Database

Now that we have successfully provisioned an instance, let's go ahead and start to install the Oracle Database. There are a number of prerequisites that we need to meet first in order to install the database. In this lab, we will meet the minimum requirements and install the database silently using a response file (as opposed to a graphical installation).

Let's start by adding a new user called oracle, and assigning them to two groups, oinstall and dba:

# useradd -m oracle
80 blocks
# groupadd oinstall
# groupadd dba
# usermod -g oinstall -G dba oracle

Next, we will need to set up appropriate resource controls by creating a new project called user.oracle. In our case, we need to increase the default maximum number of file descriptors a given process can use, and the amount of shared memory the project may allocate:

# projadd user.oracle
# projmod -U oracle -sK "process.max-file-descriptor=(basic,65536,deny)" user.oracle
# projmod -U oracle -sK "project.max-shm-memory=(priv,8589934592,deny)" user.oracle

Let's also ensure that the correct software dependencies are installed. In Oracle Solaris 11.2 a new package called oracle-rdbms-server-12-1-preinstall was added that provides all the dependent packages that you will need for an Oracle Database installation. Let's go ahead and install this:

# pkg install oracle-rdbms-server-12-1-preinstall
           Packages to install:  11
            Services to change:   2
       Create boot environment:  No
Create backup boot environment:  No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                              11/11       254/254      5.0/5.0    0B/s

PHASE                                          ITEMS
Installing new actions                       644/644
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           1/1

Our next step will be to create a location in which to install the Oracle Database.
For convenience we will install to the existing ZFS root pool, but we will create a new dataset for this:

# zfs create rpool/apps
# zfs set mountpoint=/apps rpool/apps
# zfs list rpool/apps
NAME         USED  AVAIL  REFER  MOUNTPOINT
rpool/apps    31K  31.4G    31K  /apps

Also, let's initially create an oracle sub-directory and ensure that the oracle user owns it:

# mkdir /apps/oracle
# chown -R oracle:dba /apps

Finally, let's set the password of the oracle user to solaris11 and log into the account:

# passwd oracle
# su - oracle

3. Installing the Oracle Database

The first thing we will need to do is copy over the Oracle Database installer files. For convenience we have provided them in the Global Zone, which can be reached at 192.168.x.2 (this may change depending on the subnet value you chose). Once these are copied over, we will unpack the zip files:

$ scp root@192.168.66.2:/files/* .
$ unzip '*.zip'
$ cd database

We will use a response file to silently install the database. For this installation we will be installing the Enterprise Edition as a software-only installation (as opposed to installing the software and also creating and configuring a database). For convenience we have provided db_install.rsp with the following contents:

oracle.install.responseFileVersion=/oracle/install/rspfmt_dbinstall_response_schema_v12.1.0
oracle.install.option=INSTALL_DB_SWONLY
ORACLE_HOSTNAME=solaris
UNIX_GROUP_NAME=oinstall
INVENTORY_LOCATION=/apps/oraInventory
SELECTED_LANGUAGES=en
ORACLE_HOME=/apps/oracle/oracledb12c
ORACLE_BASE=/apps/oracle
oracle.install.db.InstallEdition=EE
oracle.install.db.DBA_GROUP=dba
oracle.install.db.BACKUPDBA_GROUP=dba
oracle.install.db.DGDBA_GROUP=dba
oracle.install.db.KMDBA_GROUP=dba
SECURITY_UPDATES_VIA_MYORACLESUPPORT=false
DECLINE_SECURITY_UPDATES=true
oracle.installer.autoupdates.option=SKIP_UPDATES

This response file can obviously be tailored to your own environment as required. Now we are ready to run the Oracle Database installer:

$ ./runInstaller -silent -responseFile /export/home/oracle/db_install.rsp
Starting Oracle Universal Installer...

Checking Temp space: must be greater than 180 MB.   Actual 796 MB    Passed
Checking swap space: must be greater than 150 MB.   Actual 1749 MB    Passed
[WARNING] [INS-13014] Target environment does not meet some optional requirements.
   CAUSE: Some of the optional prerequisites are not met. See logs for details. /tmp/OraInstall2014-09-28_02-25-07PM/installActions2014-09-28_02-25-07PM.log
   ACTION: Identify the list of failed prerequisite checks from the log: /tmp/OraInstall2014-09-28_02-25-07PM/installActions2014-09-28_02-25-07PM.log. Then either from the log file or from installation manual find the appropriate configuration to meet the prerequisites and fix it manually.
You can find the log of this install session at:
 /apps/oraInventory/logs/installActions2014-09-28_02-25-07PM.log

The installer will run through a long list of checks to ensure the environment meets the requirements before installing itself. Some of the optional requirements may fail; do not worry about this. If left for a few minutes the database installation should succeed. You can always check the contents of /apps/oraInventory/logs/installActions*.log to ensure that it has been successfully installed:

The installation of Oracle Database 12c was successful.
Please check '/apps/oraInventory/logs/silentInstall2014-09-28_02-25-07PM.log' for more details.

As a root user, execute the following script(s):
        1. /apps/oraInventory/orainstRoot.sh
        2. /apps/oracle/oracledb12c/root.sh

Successfully Setup Software.

Once the installation has finished, we will need to quickly run a few scripts as the root account, as suggested by the installer, and then log back into the oracle account again:

$ logout
# /apps/oracle/oraInventory/orainstRoot.sh
Changing permissions of /apps/oracle/oraInventory.
Adding read,write permissions for group.
Removing read,write,execute permissions for world.

Changing groupname of /apps/oracle/oraInventory to oinstall.
The execution of the script is complete.
# /apps/oracle/oracledb12c/root.sh
Check /apps/oracle/oracledb12c/install/root_solaris_2014-09-28_14-51-55.log for the output of root script
# su - oracle

4. Running the Oracle Database

Let's check that the Oracle Database has been installed correctly by testing it, and set up a default environment that we can use for this database.
Set up the following environment variables:

$ export ORACLE_BASE=/apps/oracle
$ export ORACLE_HOME=/apps/oracle/oracledb12c
$ export ORACLE_SID=orcl
$ export LD_LIBRARY_PATH=/apps/oracle/oracledb12c/lib
$ export PATH=/apps/oracle/oracledb12c/bin:$PATH

Let's also associate the system identifier (ORACLE_SID) with the database home (ORACLE_HOME) by adding the following line to the /var/opt/oracle/oratab file:

orcl:/apps/oracle/oracledb12c:y

Let's also create an initialization parameter file for the ORACLE_SID at /apps/oracle/oracledb12c/dbs/initorcl.ora with the following contents:

db_name='orcl'

Now we can check that our Oracle Database instance is working by starting it and running a few SQL*Plus commands:

$ dbstart /apps/oracle/oracledb12c
Processing Database instance "orcl": log file /apps/oracle/oracledb12c/startup.log
$ sqlplus /nolog

SQL*Plus: Release 12.1.0.2.0 Production on Sun Sep 28 16:43:38 2014

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

SQL> connect / as sysdba
Connected.
SQL> create database orcl;

Database created.

SQL> connect orcl as sysdba;
Enter password: solaris11
Connected.
SQL> create table participants(
  2  first_name varchar2(25) not null,
  3  last_name varchar2(25) not null);

Table created.

SQL> describe participants;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 FIRST_NAME                                NOT NULL VARCHAR2(25)
 LAST_NAME                                 NOT NULL VARCHAR2(25)

SQL> exit
Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

Now that we have seen that it works, let's stop the database instance:

$ dbshut /apps/oracle/oracledb12c

5. Automatic restart of Oracle Database with SMF

It would be nice if the golden image that we're creating for OpenStack could automatically start the Oracle Database on first boot. To achieve this we will integrate it with the Service Management Framework (SMF). SMF manages system services on Oracle Solaris 11, and provides high availability in the event of software or hardware failure. The first thing we'll do is create an SMF manifest. This is a description of the service and of how it should be started or stopped. Oracle Solaris 11 provides a convenient way to create this manifest in its simplest form using the svcbundle command. Let's run it and provide start and stop methods as follows:
# svcbundle -s service-name=site/oracledb12c \
    -s start-method="dbstart /apps/oracle/oracledb12c" \
    -s stop-method="dbshut /apps/oracle/oracledb12c" -o oracledb12c.xml

This will output a file oracledb12c.xml with a basic template that we can add to manually if desired. In our case, we do want to modify it slightly to ensure that the oracle user (rather than root) runs the database, and to set the appropriate environment variables. To do this, we need to add a method context to each exec_method for start and stop. Edit oracledb12c.xml, find the <exec_method/> tags for the start and stop methods, and modify them to use the following instead:

<exec_method timeout_seconds="60" type="method" name="start" exec="dbstart /apps/oracle/oracledb12c">
  <method_context>
    <method_credential user="oracle" group="dba"/>
    <method_environment>
      <envvar name="ORACLE_BASE" value="/apps/oracle"/>
      <envvar name="ORACLE_HOME" value="/apps/oracle/oracledb12c"/>
      <envvar name="ORACLE_SID" value="orcl"/>
      <envvar name="LD_LIBRARY_PATH" value="/apps/oracle/oracledb12c/lib"/>
      <envvar name="PATH" value="/apps/oracle/oracledb12c/bin"/>
    </method_environment>
  </method_context>
</exec_method>
<exec_method timeout_seconds="60" type="method" name="stop" exec="dbshut /apps/oracle/oracledb12c">
  <method_context>
    <method_credential user="oracle" group="dba"/>
    <method_environment>
      <envvar name="ORACLE_BASE" value="/apps/oracle"/>
      <envvar name="ORACLE_HOME" value="/apps/oracle/oracledb12c"/>
      <envvar name="ORACLE_SID" value="orcl"/>
      <envvar name="LD_LIBRARY_PATH" value="/apps/oracle/oracledb12c/lib"/>
      <envvar name="PATH" value="/apps/oracle/oracledb12c/bin"/>
    </method_environment>
  </method_context>
</exec_method>

We now need to validate the file to make sure that we haven't made any errors:

# svccfg validate oracledb12c.xml

Finally, let's copy this file over to the site SMF manifest location and restart the manifest-import service:

# mv oracledb12c.xml /lib/svc/manifest/site
# svcadm restart manifest-import

We can check that the Oracle Database service is running:

# svcs oracledb12c
STATE          STIME    FMRI
online          6:55:38 svc:/site/oracledb12c:default

and a listing of the running processes confirms it.
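A manifest check to run before the mv and svcadm restart above, written for this lab rather than taken from it or from Oracle's tooling: it confirms that each start/stop exec_method has a method_credential for the expected user and exports ORACLE_HOME and ORACLE_SID, so a missed edit cannot leave the database starting as root. The sample manifest fragments, check_manifest and validate_with_svccfg are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the lab: audit an SMF manifest before importing
# it. svcbundle emits exec_methods with no method_context, so a forgotten
# edit would start the database as root with an empty environment.
# Needs only POSIX sh and awk; svccfg is used when present.

# Constructed fragment mirroring the edited oracledb12c.xml from the lab.
GOOD_MANIFEST=$(cat <<'EOF'
<exec_method timeout_seconds="60" type="method" name="start" exec="dbstart /apps/oracle/oracledb12c">
  <method_context>
    <method_credential user="oracle" group="dba"/>
    <method_environment>
      <envvar name="ORACLE_HOME" value="/apps/oracle/oracledb12c"/>
      <envvar name="ORACLE_SID" value="orcl"/>
    </method_environment>
  </method_context>
</exec_method>
<exec_method timeout_seconds="60" type="method" name="stop" exec="dbshut /apps/oracle/oracledb12c">
  <method_context>
    <method_credential user="oracle" group="dba"/>
    <method_environment>
      <envvar name="ORACLE_HOME" value="/apps/oracle/oracledb12c"/>
      <envvar name="ORACLE_SID" value="orcl"/>
    </method_environment>
  </method_context>
</exec_method>
EOF
)

# Constructed fragment as svcbundle leaves it: no method_context at all.
BAD_MANIFEST=$(cat <<'EOF'
<exec_method timeout_seconds="60" type="method" name="start" exec="dbstart /apps/oracle/oracledb12c"/>
<exec_method timeout_seconds="60" type="method" name="stop" exec="dbshut /apps/oracle/oracledb12c"/>
EOF
)

# check_manifest MANIFEST_TEXT EXPECTED_USER
# Prints one ok/FAIL line per exec_method; exit status 1 if any method fails.
check_manifest() {
    printf '%s\n' "$1" | awk -v want="$2" '
        function report() {
            if (user == want && have_home && have_sid) {
                print "ok   " name ": runs as " user
            } else {
                bad = 1
                if (user == "") user = "root (no method_credential)"
                print "FAIL " name ": user=" user ", ORACLE_HOME=" have_home ", ORACLE_SID=" have_sid
            }
        }
        /<exec_method / {
            name = $0; sub(/.*name="/, "", name); sub(/".*/, "", name)
            user = ""; have_home = 0; have_sid = 0
            if ($0 ~ /\/>[ \t]*$/) { report(); next }   # self-closing: no context
            inmeth = 1; next
        }
        inmeth && /<method_credential / {
            user = $0; sub(/.*user="/, "", user); sub(/".*/, "", user)
        }
        inmeth && /name="ORACLE_HOME"/ { have_home = 1 }
        inmeth && /name="ORACLE_SID"/  { have_sid = 1 }
        inmeth && /<\/exec_method>/    { inmeth = 0; report() }
        END { exit bad + 0 }'
}

# On Oracle Solaris also run the real schema check before the manifest is
# moved into /lib/svc/manifest/site; elsewhere this step is skipped.
validate_with_svccfg() {
    if command -v svccfg >/dev/null 2>&1; then svccfg validate "$1"
    else echo "svccfg not available here; skipping schema validation"; fi
}

check_manifest "$GOOD_MANIFEST" oracle
check_manifest "$BAD_MANIFEST" oracle || echo "fix the manifest before svcadm restart manifest-import"
```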
6. Compliance with Oracle Solaris 11.2

We delivered the OpenSCAP security-reporting framework in Solaris 11.1. SCAP (Security Content Automation Protocol) is an open standard for configuration management and reporting originally built for the US Department of Defense and the US National Institute of Standards and Technology. While development was seeded by the public sector, the SCAP ecosystem is rapidly being adopted by most major vendors as a standard way to represent system configuration and security controls. In Solaris 11.2 we wrap OpenSCAP in a convenient new command called compliance(1M). This new compliance command currently has 3 major subcommands:

1) guide: Create a step-by-step guide that describes how to meet a compliance standard (sometimes called a benchmark).
2) assess: Assess the system against a series of security checks contained in a standard. The assess subcommand outputs an XML file that can be imported into compliance management tools.
3) report: Convert the XML assessment into a human-readable HTML file. This XML-to-HTML conversion is an XML translation and can be modified by your organization.

Starting with Solaris 11.2 we deliver 3 important security/compliance standards:

1) PCI-DSS: Our mapping of PCI-DSS to system configuration and security controls. This reporting profile was co-created by Solaris engineering and a leading PCI-DSS QSA (auditor). There are around 200 controls in this standard.
2) Solaris Baseline: This maps to our secure-by-default security profile, which is an out-of-the-box security posture that should meet most customers' risk profiles. A freshly installed system should pass this profile.
3) Solaris Recommended: The recommended policy is close to the security posture of the CIS Security Benchmark, which was developed by Oracle for CIS. This recommended benchmark can take longer to run, but either provides more stringent checks or addresses risks not in the baseline standard.
Let's start by running a compliance assessment on our existing Oracle Database VM instance. We can generate an assessment for the Solaris Baseline:

# compliance assess
Assessment will be named 'solaris.baseline.2014-09-29,14:52'
Package integrity is verified                          Test_1.1  fail
The OS version is current                              Test_1.2  fail
Package signature checking is globally activated       Test_1.3  pass
All local filesystems are ZFS                          Test_2.1  pass
Address Space Layout Randomization (ASLR) is enabled   Test_6.6  pass
Check all default audit properties                     Test_7.1  pass

Let's take a look at what the compliance command reports:

# compliance list
Benchmarks:
        pci-dss
        solaris
Assessments:
        solaris.baseline.2014-09-29,14:52

Now we are ready to generate a report on this assessment:

# compliance report
/var/share/compliance/assessments/solaris.baseline.2014-09-29,14:52/report.html

Let's copy this compliance report into the document root of Apache and view it through the web browser:

# cp /var/share/compliance/assessments/solaris*/report.html /var/apache2/2.2/htdocs/

Now open up a web browser and navigate to http://10.158.56.x/report.html

Now instead of the Solaris Baseline benchmark, we'll run it against the PCI-DSS benchmark:

# compliance assess -b pci-dss
Assessment will be named 'pci-dss.solaris_pci-dss.2014-09-29,15:14'

Once the assessment has completed, we can also create a PCI-DSS compliance guide, which is a document that describes Oracle Solaris security controls mapped to PCI-DSS security standards. This document is useful in determining how to configure an Oracle Solaris system, or as an artifact for security auditors:

# compliance guide -b pci-dss
/var/share/compliance/guides/pci-dss.html

7. Create an Oracle Database Unified Archive

Unified Archives are a new feature added in Oracle Solaris 11.2 that provides system cloning and disaster recovery capabilities. They are the foundation of what is installed when deploying a new VM instance in OpenStack, and are integrated into the Glance image management service. Let's start by capturing a Unified Archive of our existing instance. These can be

# archiveadm create myinstance.uar

Now that we have done this, we'll need to set some environment variables so that we can upload this archive to Glance:

# export OS_AUTH_URL=http://localhost:5000/v2.0/
# export OS_PASSWORD=glance
# export OS_USERNAME=glance
# export OS_TENANT_NAME=service

Once we have set these environment variables, we can import the Unified Archive into Glance:
# glance image-create --container-format bare --disk-format raw --is-public true \
    --name "DB Zone" --property architecture=sparc64 --property hypervisor_type=solariszones \
    --property vm_mode=solariszones < myinstance.uar
+----------------------------+--------------------------------------+
| Property                   | Value                                |
+----------------------------+--------------------------------------+
| Property 'architecture'    | sparc64                              |
| Property 'hypervisor_type' | solariszones                         |
| Property 'vm_mode'         | solariszones                         |
| checksum                   | 336bdfe5f76876fe24907e35479101e7     |
| container_format           | bare                                 |
| created_at                 | 2014-09-11T00:52:14.269232           |
| deleted                    | False                                |
| deleted_at                 | None                                 |
| disk_format                | raw                                  |
| id                         | b42e47ee-d8dc-e50c-d6e0-9206d761ce41 |
| is_public                  | True                                 |
| min_disk                   | 0                                    |
| min_ram                    | 0                                    |
| name                       | DB Zone                              |
| owner                      | f17341f0a2a24ec9ec5f9ca497e8c0cc     |
| protected                  | False                                |
| size                       | 1277245440                           |
| status                     | active                               |
| updated_at                 | 2014-09-11T00:52:42.352947           |
+----------------------------+--------------------------------------+
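A release gate that ties the compliance assessment from section 6 to the Glance upload just shown, added for this lab and not part of it or of Oracle's tooling: it refuses to publish a golden image while the assess output still lists failing tests, and it checks that the checksum Glance reports for the uploaded image matches the MD5 of the local Unified Archive. The assess sample, the Glance tables, the stand-in archive file and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the lab: a release gate for the golden image.
# Step 1 blocks publication while `compliance assess` reports failing
# tests; step 2 checks that the checksum Glance returned for the upload
# equals the MD5 of the local archive, so the image cloned across the
# cloud is byte-for-byte the one that was assessed. Needs POSIX sh, awk
# and md5sum (or openssl) and runs off-box.

# Constructed sample in the shape of the assess output shown above:
# "<description> Test_N.M <pass|fail>" per line.
ASSESS_OUT=$(cat <<'EOF'
Assessment will be named 'solaris.baseline.2014-09-29,14:52'
Package integrity is verified Test_1.1 fail
The OS version is current Test_1.2 fail
Package signature checking is globally activated Test_1.3 pass
All local filesystems are ZFS Test_2.1 pass
Address Space Layout Randomization (ASLR) is enabled Test_6.6 pass
Check all default audit properties Test_7.1 pass
EOF
)

# failing_tests ASSESS_OUTPUT -> IDs of the tests that reported "fail"
failing_tests() {
    printf '%s\n' "$1" | awk '$(NF-1) ~ /^Test_/ && $NF == "fail" { print $(NF-1) }'
}

# compliance_gate ASSESS_OUTPUT -> 0 when no test failed, 1 otherwise
compliance_gate() {
    n=$(failing_tests "$1" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then return 0; fi
    echo "refusing to publish: $n failing compliance test(s):"
    failing_tests "$1"
    return 1
}

# local_md5 FILE -> MD5 hex digest (Glance's checksum field is MD5)
local_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{ print $1 }'
    else openssl dgst -md5 "$1" | awk '{ print $NF }'; fi
}

# glance_checksum TABLE -> the checksum cell of the `glance image-create` table
glance_checksum() {
    printf '%s\n' "$1" | awk -F'|' '$2 ~ /^ *checksum *$/ { gsub(/ /, "", $3); print $3 }'
}

# image_matches FILE TABLE -> 0 when Glance's checksum equals the local MD5
image_matches() {
    want=$(local_md5 "$1"); got=$(glance_checksum "$2")
    [ -n "$got" ] && [ "$want" = "$got" ]
}

# Constructed stand-in for myinstance.uar and two Glance result tables: one
# reporting the true checksum, one reporting a different checksum (a
# corrupted or tampered upload). Only the rows the check needs are built.
ARCHIVE=$(mktemp); printf 'constructed archive bytes\n' > "$ARCHIVE"
GLANCE_OK=$(printf '| %-26s | %-36s |\n' checksum "$(local_md5 "$ARCHIVE")" name "DB Zone")
GLANCE_TAMPERED=$(printf '| %-26s | %-36s |\n' checksum 00000000000000000000000000000000 name "DB Zone")

# publish_gate ASSESS_OUTPUT FILE TABLE -> 0 only when both gates pass
publish_gate() {
    compliance_gate "$1" && image_matches "$2" "$3"
}
publish_gate "$ASSESS_OUT" "$ARCHIVE" "$GLANCE_OK" || echo "image blocked"
```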
Having uploaded our new image to Glance, we can now go ahead and deploy it to newly created VM instances. Navigate to the Instances menu in Horizon again, and launch a new instance. Choose DB Zone as the image instead of Base Zone as we did previously.

8. Securing our Virtual Environment

Let's assume that we've now run our compliance checks, arrived at an environment that has been approved by our auditors, and captured it and uploaded it to OpenStack. In Oracle Solaris 11 we added the ability to create read-only environments through Immutable Non-Global and Global Zones. This feature provides a tamper-proof environment that can only be changed with security privileges. There are a number of different options in terms of read-only: we can lock down everything, we can fix only the configuration of a particular system, or we can have a flexible configuration with some constraints.

To create an Immutable Zone we need to create a new Flavor in Horizon. Log out of the dba user and log in as admin/secrete. From the OpenStack Dashboard (Horizon) navigate to the Admin -> Flavors page. We can either update one of the existing Solaris flavours or create a new one. Let's do this by creating a new one called 'Immutable Solaris non global Zone'.

Make sure you set the 'Flavor Access' to include the projects you want to be able to use this flavor. Then from the 'More' menu on the entry in the table select 'View Extra Specs'. This will bring up a window like this one; since we are creating a new entry from scratch we also have to set up the type of zone this will be.

Select Create and fill in the key/value pair that sets a non-global zone. Then do the same again and create a key/value pair for zonecfg:file-mac-profile with the value being one of flexible-configuration, fixed-configuration, or strict.

Now, creating a new VM instance using this flavor, we can look at the configuration of the non-global zone that has been created as follows:

# zonecfg -z instance-0000000f info
zonename: instance-0000000f
zonepath: /system/zones/instance-0000000f
brand: solaris
autoboot: false
autoshutdown: shutdown
bootargs:
file-mac-profile: fixed-configuration
...

Congratulations on making it this far and finishing the lab. If you have the time and interest to continue, try taking on the additional exercises below. Thanks again for joining us!

11. More Information

Download Oracle Solaris 11
http://www.oracle.com/technetwork/server-storage/solaris11/downloads/

Download OpenStack Unified Archive
http://www.oracle.com/technetwork/server-storage/solaris11/downloads/unified-archives-2245488.html

Oracle OpenStack on Oracle Solaris Technology Page
http://www.oracle.com/technetwork/server-storage/solaris11/technologies/openstack-2135773.html

Getting Started with OpenStack on Oracle Solaris
http://www.oracle.com/technetwork/articles/servers-storage-admin/getting-started-openstack-os11-2-2195380.html