IaaS platform architecture: state of the art and outlook
Frédéric Dang Tran, Orange Labs
Joint CompatibleOne and OSCi workshop, 7 June 2011
Outline
> Scope and objectives
> User-facing API and resource model
> Compute management
> Network management
> Storage management
> IaaS middleware architecture
> Conclusion
Scope and objectives (1/3)
> Infrastructure-as-a-Service platforms
- Automated provisioning of compute resources (virtual servers) along with their network and storage resources
> Evaluation of existing IaaS offers
- Identification of relevant technical criteria/requirements
- Technical architecture
- Use case adequacy in a telco context: hosting of multi-tier applications, public or private cloud, foundation of a PaaS
[Figure: multi-tier hosting topology: Internet, FW, load balancer, proxies (public zone); FW, load balancer, web apps, DB (private zone); FW, Intranet IT]
Scope and objectives (2/3): IaaS Cloud OS components
[Figure: layered component view. Access: UI (user portal, admin portal) and programmatic access (user API, admin API). Cross-cutting services: IS, billing, authentication, orchestration, CMDB, metering, reporting, capacity planning. Resource provisioning & management: compute (VM scheduler, VM image), storage (volume), network (vfirewall, VNet, vrouter, vlb, vswitch). Virtual infrastructure: hypervisor. Physical infrastructure: server, SAN, switch, firewall, NAS, router.]
Scope and objectives (3/3): IaaS platform landscape
[Figure: landscape positioned on a full open-source / open-core / commercial axis. IaaS platforms: OpenStack Nova, OpenNebula, CloudStack, Nimbula, VMware vCloud Director, Eucalyptus, AbiCloud, Convirt. Virtualization management: VMware vCenter, libvirt, Citrix XenServer, XCP. Virtual switching/security: Open vSwitch, Cisco Nexus 1000V, VMware DSwitch, VMware vShield. Hypervisors: Xen, KVM, VMware ESX.]
IaaS programmatic access
> OpenNebula:
- Multi-API support
- Native OCA API, but the focus is on the command-line tool
- Minimal implementation of the EC2 API; missing features: EBS, security groups
- OCCI API
> OpenStack Nova:
- Key objective: compatibility with the Amazon EC2 APIs (EC2, EBS, S3)
- OpenStack API in progress (inherited from the Rackspace CloudServers API)
> vCloud Director:
- vCloud API 1.0 (submitted to DMTF in 2010)
- User & admin API
- Extra APIs with optional products (e.g. vCenter Chargeback API for metering/billing)
Amazon EC2 resource model
[Figure: a Region contains Availability Zones; entities: Instance, Template (AMI), EBS Volume, Security Group]
Fixed network model:
- one VNIC per VM
- one private IP address and one public IP address per VM
OCCI API: resource model
> Proposed by the Open Grid Forum OCCI-WG
> First draft released on January 10, 2010
> OCCI Core and Infrastructure documents released on April 7, 2011
IaaS API: vCloud resource model
[Figure: vApp lifecycle: OVF package upload/download; vApp template; instantiate (template to vApp) and capture (vApp to template); deploy/undeploy of a vApp and power-on of its VMs; media image upload]
Compute resource management
> User requirements:
- Provisioning of individual VMs
- VM scheduling:
  - Where? Zone, cluster, host, external cloud provider?
  - When? On-demand immediate allocation, advance reservation
- Provisioning of groups of VMs managed as a unit
- Scheduling of groups of VMs with user-provided constraints:
  - (anti-)affinity between VMs
  - proximity of VM storage
  - common network properties (e.g. firewall rules, L2 network segment)
> Technology requirements
- Multi-hypervisor support
  - Open-source hypervisors: Xen, KVM
  - Commercial hypervisors: VMware ESX, XenServer
VM placement
[Figure: placement hierarchy: Region X contains DC 1 (Zone A) and DC 2 (Zone B, Zone C); a VM is placed on Host Y or at an External Cloud Provider]
Compute resource management
> OpenNebula
- Built-in scheduler with several policies (packing, striping, load-aware)
- Haizea scheduler: VM lease model
  - Best-effort lease
  - Advance reservation lease
  - Immediate lease
- Connectors to external cloud providers: an external cloud provider is integrated as a host of infinite capacity
> OpenStack Nova (Diablo release in progress)
- Distributed scheduler with multi-zone support
> vCloud Director
- Single DC: a cloud spanning multiple locations is not supported
- DRS optimizes placement of VMs within clusters
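To make the three placement policies named on this slide concrete, together with the (anti-)affinity constraint from the requirements slide and the idea of an external cloud provider modelled as a host of infinite capacity, here is a small scheduler written for this page. It is an added example, not OpenNebula or Haizea code; the host names, zones, capacities, load figures and VM sizes are constructed sample data, and the scoring rule (local hosts before the external provider, then the policy's own key) is an assumption chosen for illustration.

```python
"""Toy VM scheduler: packing / striping / load-aware placement with
anti-affinity and cloud bursting to an infinite-capacity external host.
Added example for this page; not OpenNebula code."""
from dataclasses import dataclass, field
from math import inf


@dataclass
class Host:
    name: str
    zone: str
    capacity: float    # CPU units; inf models an external cloud provider
    load: float = 0.0  # measured utilisation in [0, 1], used by 'load-aware'
    vms: list = field(default_factory=list)  # (vm_name, size) placed here

    def free(self):
        return self.capacity - sum(size for _, size in self.vms)


def place(vm, size, hosts, policy, anti_affinity=frozenset()):
    """Pick a host for `vm` (needing `size` CPU units) under `policy`.

    policy: 'packing'    -> consolidate on the host with the least free capacity
            'striping'   -> spread onto the host with the most free capacity
            'load-aware' -> prefer the host with the lowest measured load
    anti_affinity: names of VMs that must not share a host with `vm`.
    """
    candidates = [h for h in hosts
                  if h.free() >= size
                  and not any(other in anti_affinity for other, _ in h.vms)]
    if not candidates:
        raise RuntimeError(f"no host satisfies the constraints for {vm}")

    def score(h):
        # Finite (local) hosts rank before the infinite external provider, so
        # bursting to the external cloud happens only when nothing local fits.
        external = 1 if h.capacity == inf else 0
        if policy == "packing":
            key = h.free()
        elif policy == "striping":
            key = -h.free()
        elif policy == "load-aware":
            key = h.load
        else:
            raise ValueError(f"unknown policy {policy!r}")
        return (external, key, h.name)   # host name breaks ties deterministically

    chosen = min(candidates, key=score)
    chosen.vms.append((vm, size))
    return chosen.name


def schedule_group(vms, hosts, policy, anti_affinity_pairs=()):
    """Place a group of (name, size) VMs as a unit; returns {vm_name: host_name}."""
    partners = {}
    for a, b in anti_affinity_pairs:
        partners.setdefault(a, set()).add(b)
        partners.setdefault(b, set()).add(a)
    placement = {}
    for name, size in vms:
        placement[name] = place(name, size, hosts, policy,
                                frozenset(partners.get(name, ())))
    return placement


def make_hosts():
    """Constructed sample infrastructure: three local hosts plus an external provider."""
    return [Host("h1", "zoneA", 4.0, load=0.7),
            Host("h2", "zoneA", 4.0, load=0.2),
            Host("h3", "zoneB", 2.0, load=0.5),
            Host("ext-cloud", "external", inf, load=0.0)]


if __name__ == "__main__":
    # Two web front-ends that must not share a host, plus a database VM.
    tier = [("web1", 2), ("web2", 2), ("db", 2)]
    for policy in ("packing", "striping", "load-aware"):
        print(policy, schedule_group(tier, make_hosts(), policy, [("web1", "web2")]))
    # Three large VMs: the third one no longer fits locally and bursts out.
    print("burst", schedule_group([("a", 3), ("b", 3), ("c", 3)], make_hosts(), "packing"))
```

Running the script shows how the same VM group lands differently under each policy, and that the external provider is only chosen once every local host is full, which is the "host of infinite capacity" behaviour described for OpenNebula's connectors.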
Network management
> Functional requirements
- Network isolation and security between tenants
- Support for various network topologies for a tenant application (e.g. multi-tier applications)
- Compatibility with "legacy" applications (use of broadcast or multicast traffic)
> Technology requirements
- Support for multiple technologies:
  - Level 2 network design (e.g. VLAN, ebtables)
  - Level 3 network design
  - L2 over L3 (e.g. VDE, L2 tunnelling, etc.)
- Possible integration of third-party network equipment:
  - (physical) firewalls, load balancers
  - (virtual) (distributed) switches, routers
> Architecture requirements
- Pluggable network implementation in the IaaS stack
- Clean separation between compute and network management
Network management: OpenStack Nova
> Three network modes
- Flat mode
- Flat DHCP mode
- VLAN mode (default)
> Complete support for the EC2 network model
- Security groups
- Single NIC per VM with a private and a public IP address
- Floating IPs à la Amazon Elastic IPs
OpenStack Nova VLAN mode
[Figure: two isolation layers: kernel isolation inside hosts (security groups) and hardware isolation inside network appliances (VLANs, Ethernet)]
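The slide shows two independent isolation layers in VLAN mode: a per-tenant VLAN enforced by the network hardware, and EC2-style security groups enforced as a packet filter on the host kernel. The following model, added here and not taken from Nova, evaluates constructed sample flows through both layers in that order, so one can see which layer stops cross-tenant traffic and which stops unauthorised ports inside a tenant. Tenant names, VLAN ids, group names, addresses and rules are all constructed; the default-deny ingress semantics with CIDR or source-group rules follow the EC2 security group model the slide refers to.

```python
"""Model of Nova VLAN-mode isolation: per-tenant VLAN (L2) then EC2-style
security groups (host packet filter). Added example, not Nova code."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    proto: str        # 'tcp', 'udp' or 'icmp'
    from_port: int
    to_port: int
    source: str       # a CIDR such as '0.0.0.0/0', or a security group name


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    vlan: int         # the tenant's VLAN in Nova VLAN mode
    ip: str           # private IP address
    groups: frozenset  # security groups the instance belongs to


@dataclass(frozen=True)
class Flow:
    src_vm: Optional[VM]   # None models Internet traffic arriving on the public IP
    src_ip: str
    dst_vm: VM
    proto: str
    port: int


def rule_matches(rule, flow):
    """A rule allows a flow when protocol, port range and source all match."""
    if rule.proto != flow.proto or not (rule.from_port <= flow.port <= rule.to_port):
        return False
    if "/" in rule.source:   # CIDR source
        return ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.source)
    # Group source: the sending instance must be a member of that group.
    return flow.src_vm is not None and rule.source in flow.src_vm.groups


def evaluate(flow, groups):
    """Return (verdict, layer) for an ingress flow to flow.dst_vm.

    Layer 1 (hardware): frames from another tenant's VLAN never reach the
    destination host's filter. Layer 2 (kernel): ingress is default-deny and
    any matching rule in any of the destination's groups allows the flow.
    """
    if flow.src_vm is not None and flow.src_vm.vlan != flow.dst_vm.vlan:
        return ("drop", "vlan")
    for g in sorted(flow.dst_vm.groups):
        for rule in groups.get(g, ()):
            if rule_matches(rule, flow):
                return ("allow", "security-group:" + g)
    return ("drop", "security-group")


# Constructed sample tenants, groups and instances.
GROUPS = {
    "sg-web": [Rule("tcp", 80, 80, "0.0.0.0/0"),      # web open to the Internet
               Rule("tcp", 22, 22, "10.0.0.0/8")],    # ssh only from private ranges
    "sg-db":  [Rule("tcp", 3306, 3306, "sg-web")],    # db reachable only from web tier
}
WEB_A = VM("web-a", "tenantA", 100, "10.0.0.2", frozenset({"sg-web"}))
DB_A = VM("db-a", "tenantA", 100, "10.0.0.3", frozenset({"sg-db"}))
WEB_B = VM("web-b", "tenantB", 200, "10.0.1.2", frozenset({"sg-web"}))  # other tenant


def demo():
    """Evaluate a set of constructed flows; returns {label: (verdict, layer)}."""
    flows = {
        "internet->web-a:80":  Flow(None, "203.0.113.9", WEB_A, "tcp", 80),
        "internet->web-a:22":  Flow(None, "203.0.113.9", WEB_A, "tcp", 22),
        "internet->db-a:3306": Flow(None, "203.0.113.9", DB_A, "tcp", 3306),
        "web-a->db-a:3306":    Flow(WEB_A, WEB_A.ip, DB_A, "tcp", 3306),
        # web-b is also in a group called sg-web, but sits in tenant B's VLAN:
        # the VLAN layer drops it before the group rule is even consulted.
        "web-b->db-a:3306":    Flow(WEB_B, WEB_B.ip, DB_A, "tcp", 3306),
    }
    return {label: evaluate(f, GROUPS) for label, f in flows.items()}


if __name__ == "__main__":
    for label, (verdict, layer) in demo().items():
        print(f"{label:22s} {verdict:5s} ({layer})")
```

The ordering matters for the slide's point: the VLAN layer gives tenant separation regardless of how each tenant configures its groups, while security groups give intra-tenant least privilege (here, the database accepts 3306 only from instances in the web group, and never from the Internet).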
OpenStack Nova: new network designs (Diablo)
> Quantum project (Nicira)
- Decoupled standalone network service with a clean internal API: provides network connectivity between network interfaces and hides how a network is implemented (e.g. VLANs)
- Plug-in architecture to integrate various network technologies
> Donabe project (Cisco)
- Notion of network container: a logical grouping of network resources managed as a unit
OpenNebula network model
> Notion of virtual network (vnet)
- Implemented at level 2 through ebtables
> Multiple VNICs per VM
> No VLAN support
> No EC2 security group support
> But any network isolation design can be implemented using hooks (scripts)
vCloud network model
[Figure: an Organization contains vApps, each with VMs attached to vApp networks; vApp networks connect to Org Networks (Red, Blue), which connect through Edge gateways to External Networks A and B; a Network Pool supplies L2 network segments]
- Org network: logical network within a tenant organization; 3 types: direct connect / NAT routed / internal
- vApp network: 3 fence modes: isolated, NAT, direct connection
- External network: provisioned outside vCD, provides outside VLAN connectivity
- Network pool (L2 network segments): MAC-in-MAC encapsulation
Storage management
> Functional requirements
- Support for ephemeral and persistent storage
- Persistent volumes as first-class entities that can be attached to / detached from VMs
- Thin provisioning, copy-on-write
- Snapshot support
- Access to external image repositories (e.g. blob-based cloud storage services) to store VM images and snapshots
> Technology requirements
- NAS, SAN, NFS, iSCSI, clustered file systems
- LVM, iSCSI
Storage management
> OpenNebula
- Arbitrary storage backends can be implemented
- No support for persistent volumes (à la EBS) as is
> OpenStack Nova
- Glance project: provides services for discovering, registering and retrieving virtual machine images
- Glance can access the OpenStack Swift storage service
> vCloud Director
- Relies on VMware vSphere/vCenter
- No persistent volume abstraction
- Proprietary VMFS clustered file system
- Thin provisioning and snapshot support
OpenStack Nova technical architecture
[Figure: OpenStack Nova technical architecture diagram]
OpenNebula architecture
[Figure: OpenNebula architecture diagram]
vCloud Director architecture
[Figure: vCloud Director architecture diagram]
Conclusion (1/2)
> OpenNebula toolkit:
- Being a flexible toolkit, nearly any design is possible, at the cost of specific development, test and integration
- Low-level toolkit extensible through shell scripts (hooks)
- Inherent scalability limits
> OpenStack Nova
- Closer to an IaaS framework
- Decoupled architecture with separate network, compute and storage managers
- Potential scalability (yet to be proven)
> vCloud Director
- Rich multi-tenant resource model and API
- Inherent scalability limits
Conclusion (2/2)
> Wanted:
- Componentized IaaS middleware framework
- À la carte IaaS stack construction depending on specific requirements (e.g. public vs. private cloud)
- Technology agnostic: type of hypervisor, network devices
- Multi-cloud support: ability to access external (public or private) cloud providers
- Resource model:
  - EC2 model too limited
  - High-level abstractions for grouping and managing per-tenant resources: containers, virtual DC
  - Logical grouping of VMs at IaaS level