Lessons from Building OpenStack Public Cloud

目录 OpenStack China Tour #2 Shenzhen

00
00 写上你的文字你的文字
01
01
02
02
03
03

04

主办方：中国OpenStack用户组 & CSDN
05
Organizer: COSUG & CSDN

关注COSUG官方微博@OpenStack

目录

OpenStack中国行（北京）日程安排
00 签到
00
Before 14:00
写上你的文字你的文字
14:00 - 14:40 基于OpenStack建设公有云平台的开发实践程辉
01 骆文钟
01
14:40 - 15:20 OpenStack在香港
15:20 - 15:30 Break
02 朱荣泽
02
15:30 - 16:10 OpenStack中的块设备存储服务Cinder
16:10 - 16:40 Juju – make your life easier in the cloudOpenStack- 候正鹏
03
03
16:40 - 16:50 Break
George
04
16:50 - 17:20 企业私有云基础设施最佳选择 Wang
17:20 - 17:50 Swift架构与实践杨雨
05

标题文字标题文字
在这里写上你的标题
Building OpenStack Public Cloud
副标题副标题副标题
For副标题文字副标题文字Shenzhen
OpenStack China Tour

Hui Cheng
freedomhui@gmail.com | freedomhui.com
Community Manager of COSUG
Technical Manager in Sina.com 作者/日期
作者名字/日期
2012/9/21

目录
Content

00

01
OpenStack in Sina
 01
Integration
02
Extension
 02

03  New Services
03

04
 Sina Contribution to OpenStack community
05

目录

00
01
01
02
02
03 OpenStack in Sina
03

04

05

About SinaCloud
目录

00 First and most popular PaaS cloud in
00 写上你的文字你的文字 China, launched in 2009
01 Support PHP, Python and Java
01 runtime
02
02
03
03

04

05

目录

00
01
01
02
02
03
03

04

05

About SinaCloud
目录

01 runtime
02
02
03
03
OpenStack based public IaaS
cloud
04

05

About SinaCloud
目录

01 runtime
02
02
03
03
OpenStack based public IaaS
cloud
04

05

SaaS cloud based on SAE tech.
Design for the masses
1-Click buy and install apps
(SinaCloud Store)

Sina Web Services(SWS)
目录

00
To salute Amazon Web Services
01
It's an validated and successful cloud business
01
model. 02
02

Customers
03
03
Game makers on Weibo platform
04
Sina Partners
Common users out of Sina
05

Vision
Build an open and full-stack cloud ecosystem,
integrated IaaS, PaaS and SaaS platform.

Cloud Bridge
目录

00
01
01
02
02
03
03

04

05

SWS Deployment
目录

00 Rabbit
00 写上你的文字你的文字 MySQL
01dashboard
01
02 schedule
02 nova-api
03
03
nova-compute nova-compute
04 keystone
nova-network nova-network

05
glance
Sina SSO
Swift

SWS Deploy Stack
目录

00 Dell R510
01
01
Ubuntu 12.04
02
02 OpenStack
03
03 Security
KVM
Policy
04

05

Local Local
Volume Volume

Nova Network
目录

00
00
Networking写上你的文字你的文字 challenges for IaaS
is the biggest
01
01
Network Topology:
02
02
• VLAN
03
03
• FlatDHCP
04
• FlatDHCP & Multihost
05

SWS Network Topology
目录

00
01
01
02
02
03
03

04

05

目录
Network Topology (VLAN)
Capability:
00
• Accessibility of VMs within one tenant
• Isolation of VMs from different
01
tenants 01
• VM is able to access public network
02
02
• VM can be accessible from public
network
03
• Isolation 03
between virtual network and
internal network
04

Drawback: 05
• Pre-allocate network for future
projects
• Hard-limit of vlan 4096
• Traffic bottleneck in the gateway/NAT

Network Topology(Flat)
目录

00
Capability:
• Accessibility of all VMs in the fixed IP
range
01
01
02
network 02
• Full isolation between virtual network
03
03
and internal network

Bonus: 04
• Do not need pre-allocate for new
projects 05
• Eliminating bottleneck between
tenants

Drawback:
• Tenant isolation has gone
• Traffic bottleneck still exists in NAT

目录
Network Topology(Flat & Multihost)
00
Capability:
• Accessibility of all VMs in the fixed IP
range
01
01
02
network 02
03
Bonus: 03
• Totally distributed architecture avoid
04
single-point failure.
• Multiple gateway eliminates NAT
bottleneck05
• High speed between OS regions

Drawback:
• Tenant isolation lessens
• Need security facility(SWS-filter) to
protect intranet
If security problems were solved, this would be our best choice!

目录
Security in OpenStack
Security Group --- L3 Filter
00 Static filters --- L2 Filter
Role-based firewall
01 MAC, IP, and ARP spoofing protectio

01
One security group is a Role  Not configurable
Ingress filtering
02  Defined in /etc/libvirt/nwfilter/*.xml
 Target is 02 instance
the Implemented by ebtables
 Source can be CIDR or another group
03  ebtables -t nat --list
03
Implemented by iptables
 See details: iptables -t filter -n -L
 Whitelist 04
mechanism(ACCEPT rules)

05

目录
Security Enhancement
00
SWS Filter
01
01
Prevent Intranet Penetration
• Intranet is the internal network
02
outside 02OpenStack
of
Egress filtering
03
•
03
Target is internal network
• Source is instances in OpenStack
04
Implementation
• Whitelist mechanism(ACCEPT rules)
•
05
On the top of nova-filter-top Forward
Chain
Rational
• SWS filter is managed by cloud manager
• Only explicit authorized packets can reach Internal network C
• Packet should be controlled within Compute Node

目录
Security Enhancement
00
Security Group写上你的文字你的文字
VS SWS Filter
00
01
01
02
02
03
03

04

05

SWS Load Balancer
目录

Goals
00
Load Balance
01
01
•Dispatch request
•Support multiple routing algorithm DNS Acceleration Design
02
02
•Health check
03 Smart DNS
Acceleration 03
•Reality: narrow bandwidth between ISPs
04
•Building fiber channels from ISPs to pivot
Public Network
•Given the same endpoint within user’s ISP
05
IPv4 Shortage Telecom Unicom Mobile Others ISP
•Reality: dozens of public IPs support
hundreds of VMs High speed fiber-optic
•IPv4 has been exhausted
•IPv6 is not realistic yet in China
Router

目录
L7 Load Balancer
00
Layer 7 Load Balancer
01
Consideration:
01
1. dispatch request by Host header
02
2. nginx module
02
03
03

04

05

目录
L4 Load Balancer
00
Layer 4 Load Balancer
01
Consideration:
01
1. dispatch request by TCP port
02
2. lvs + haproxy
02
03
03

04

05

ssh –p 2000 root@socket.abc.com

SWS Security Enhancement
目录

SWS00
Filter
Prevent Intranet Penetration
01
01
Intranet is the internal network
02
outside of OpenStack
02
03
03
Egress filtering
• Target is internal network
• 04
Source is instances in OpenStack
05
Implementation
 Whitelist mechanism(ACCEPT rules)
 On the top of nova-filter-top Forward
Chain

SWS Security Enhancement
目录

00
Security Group VS SWS Filter
01
01
02
02
03
03

04

05

Object Storage – Swift Integration
目录

00
01
01
02
02
03
03

04

05

Storage Firewall
目录

00
01
01
02
02
03
03

04

05

SWS continuas integration
目录

00
01
01
02
02
03
03

04

05

Sina Contribution - Essex
目录

• Sina creating OpenStack community project Dough & Kanyun,
00
to contribute metering & billing capability
• Present01 OpenStack Design Summit & Conference
01 in
• Claim and submit dozens of blueprints in OpenStack Launchpad
02
• Top 10 02
Companies by bugfixes
03
03

04

05

Sina Contribution – Folsom
目录

zhu@zrz-dev:~/git/smaffulli/openstack-gitdm$ ./gitdm -l 20 -n < /opt/stack/gitlog/all.log
00
Grabbing changesets...done
Processed 3081 csets from 291 developers
01
01
154 employers found
A total of 797390 lines added, 412196 removed (delta 385194)
02
02 Changeset
03 900
03
800
700
04
600
500
05
400
300
200
100
0

Sina Contribution – Folsom
目录

zhu@zrz-dev:~/git/smaffulli/openstack-gitdm$ ./gitdm -l 20 -n < /opt/stack/gitlog/all.log
00
Grabbing changesets...done
Processed 3081 csets from 291 developers
01
01
154 employers found
A total of 797390 lines added, 412196 removed (delta 385194)
02
02 Employers
03 45
03
40
35
04
30
25
05
20
15
10
5
0

Sina Contribution - Stackers
目录

• Nova——Jian Wen
00
• 00 写上你的文字你的文字
Swift——Alex Yang
• 01
Quantum——Jiajun Liu
01
• Cinder——Rongze Zhu
02
02
03
03

04

05

What's the kanyun
目录

00
Monitoring tools

01
01
 Tracking the tenant resource usage:
02
02
 CPU、mem、disk、network traffic

03
03
Metering tools

04
 Data collection and statistics

05

Kanyun: Monitoring system
目录

00 Worker
Nova 00 写上你的文字你的文字 Dashboard
01Nova
Compute01
Compute
02
02
API daemon
Worker
03
03 Retrieve
usage Responds to client
04 info request

05
Billing
Aggregator

NoSQL
Calculates/stores https://github.com/sinacloud/kanyun (updated at 8/9)
metrics

What's the kanyun
目录

00
01
01
02
02
03
03

04

05

Dough:Billing system
目录

00
 Keep track of billing info to charge tenants
01
01
 Flexible customization of payment policies
02
02
 How much/often to charge for resource unit
03
03
 Handles prepaid or pay-as-you-go
 04
Coupon Support
05

目录
deduct
00
01 RDBMS
01
Kanyun API Dashboard
02
(Metering)
02
03
03

04

05 Farmer API daemon
NoSQL
Check status / Subscribe or
Retrieve usage / unsubscribe
Create purchases Query info
https://github.com/sinacloud/dough (updated at 8/9)

目录

00
01
01
02
02
03
03

04

05

目录

00
01
01

Dashboard
02
02
03
03

04

05

SWS v1
目录

00
01
01
02
02
03
03

04

05

SWS v2
目录

00
01
01
02
02
03
03

04

05

SWS V3
目录

Open API & CLI
00
01
Build
01 an cloud ecosystem
vMotion
02
02
03 High Availability
03
Fault Tolerance
04
EBS
05
Self-developed Solution
OpenSouce(Gluster/Ceph/Sheepdog)
Quantum Integration
Nicira-alike product research

SWS V3
目录

Multi-IDC Support
00
01 Multi
01 Regions/Zones
02 Build for failure
02
User Console
03
03
More User friendly
Admin Console
04

Be
05 able to manage resourses like users
Physical server deployment & management
Network & Storage Management
Identity and Access Management

目录

00
01
01

Thank you, OpenStack Community and
02
02

Foundation.
03
03

04

05

目录

00
01
01 Q&A
02
02
03
03

04

05 Weibo: @程辉
freedomhui@gmail.com

Lessons from Building OpenStack Public Cloud

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (9)

Ähnlich wie Lessons from Building OpenStack Public Cloud

Ähnlich wie Lessons from Building OpenStack Public Cloud (20)

Mehr von Hui Cheng

Mehr von Hui Cheng (19)

Lessons from Building OpenStack Public Cloud