1. Open Source Tools for
IT Infrastructure
Management
Meenakshi Lakshmanan – Senior Manager and Leader Cloud
Systems Development CoE
Satya Routray – Senior Engineer, Cloud Systems Development CoE
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
2. • IT infrastructure model
• FCAPS, and applying FCAPS to the virtual world / IaaS
• Introduction to some open source tools, with a demo
3. • New IT infrastructure model
Virtualized compute, storage and network model
Mix of bare metal and VMs
Mix of physical and virtual devices
Mix of hypervisors and operating systems
Traditional apps and mobile apps coexisting in the traditional IT estate
On-premises apps alongside a mix of SaaS and PaaS
4. [Diagram: layered cloud stack] Cloud client -> SP network / Internet -> Cloud services layer (SaaS, PaaS, IaaS) -> Abstraction / virtualization hypervisor layer (KVM, Hyper-V, ESX) -> Compute/VM, Storage, Network. Management functions shown spanning all layers: Fault Management, Capacity Management, Accounting Management, Performance Management, Security Management.
5. [Diagram: FCAPS applied across the stack] Tenants (Finance, Mktg, Engineering, HR, Corp) each run one or more virtual machines (App on OS on Virtual Machine). The VMs sit on the cloud infrastructure (physical servers and storage), which in turn offers infrastructure services (DB service, Queue). The F, C, A, P and S management functions span both the Cloud Infrastructure / Infrastructure Service layer and the Cloud Service layer.
6. • FCAPS was introduced in the first working drafts (N1719) of ISO 10040, the Open Systems Interconnection (OSI) Systems Management Overview (SMO) standard.
• FCAPS is an acronym for fault, configuration, accounting, performance and security: the management categories into which the ISO model divides network management tasks.
• Can we apply FCAPS to the new IT infrastructure model, and which open source tools exist for each category?
8. • Fault management is the set of functions that detects, isolates and corrects malfunctions.
• Mainly of two types:
Active
Active fault management actively monitors devices with tools such as ping to determine whether a device is up and responding. If a device stops responding, active monitoring raises an alarm marking the device as unavailable, which allows the problem to be corrected proactively.
Passive
Passive fault management collects the alarms (for example SNMP traps) that devices emit when something happens on them.
9. • Nagios
• Telemetry (OpenStack Ceilometer)
• OpenNMS
• NMIS
• Vendor specific: CiscoWorks
10. Nagios
• Pros:
Open source
Polls the actual services for a response (HTTP, SMTP, etc.) rather than only pinging the host
Flexible add-ons (plugins) for specialized checks
Good trending data and uptime statistics
• Cons:
Configuration is done via text files
Server runs on Linux/Unix only
11. • Monitoring OpenStack falls broadly into two buckets.
Monitor the OpenStack infrastructure
Done with Nagios: host-level aspects such as CPU, RAM, disk space and network, plus the installed OpenStack processes (e.g. nova-conductor, nova-scheduler, swift-proxy, etc.)
Monitor OpenStack services grouped by tenants/projects
Done through the Telemetry API.
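The first bucket above (infrastructure monitoring with Nagios) comes down to writing checks that follow the Nagios plugin contract. The script below is an added example written for this page, not code from the original deck or from the Nagios project: it checks that the expected OpenStack control-plane processes are present and reports in the way Nagios expects. The process names in REQUIRED and OPTIONAL and the embedded ps output are assumptions constructed for illustration; adjust them to the node being monitored.

```python
#!/usr/bin/env python3
"""Nagios-style check that the expected OpenStack processes are running.

Added example for this deck; not code from the original slides or from the
Nagios project. It follows the Nagios plugin contract: exit status
0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN, one line of status text on
stdout, optionally followed by '|' and performance data.
"""
import os
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
LABELS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# Assumed process names for a controller node; adjust to your deployment.
REQUIRED = ("nova-api", "nova-conductor", "nova-scheduler", "swift-proxy-server")
OPTIONAL = ("nova-consoleauth",)

# Constructed 'ps -eo args' output used to exercise the parser offline.
SAMPLE_PS = (
    "COMMAND\n"
    "/usr/bin/python /usr/bin/nova-api --config-file /etc/nova/nova.conf\n"
    "/usr/bin/python /usr/bin/nova-conductor\n"
    "/usr/bin/python /usr/bin/nova-scheduler\n"
    "/usr/bin/python /usr/bin/swift-proxy-server /etc/swift/proxy-server.conf\n"
    "grep nova-consoleauth\n"
)


def running_commands(ps_args_output):
    """Return the set of command basenames found in 'ps -eo args' output.

    'ps -eo comm' is avoided because it truncates names to 15 characters
    (swift-proxy-server would become swift-proxy-ser). An interpreter wrapper
    such as '/usr/bin/python /usr/bin/nova-api' is unwrapped to the script
    name; 'grep nova-api' stays 'grep', so a stray grep cannot fake a service.
    """
    found = set()
    for line in ps_args_output.splitlines()[1:]:  # skip the COMMAND header
        tokens = line.split()
        if not tokens:
            continue
        cmd = os.path.basename(tokens[0])
        if cmd.startswith("python") and len(tokens) > 1:
            cmd = os.path.basename(tokens[1])
        found.add(cmd)
    return found


def evaluate(running, required=REQUIRED, optional=OPTIONAL):
    """Map the set of running commands to a (status, message) pair."""
    missing_required = sorted(p for p in required if p not in running)
    missing_optional = sorted(p for p in optional if p not in running)
    total = len(required) + len(optional)
    present = total - len(missing_required) - len(missing_optional)
    perfdata = "running=%d;;;0;%d" % (present, total)
    if missing_required:
        status, text = CRITICAL, "missing required: " + ", ".join(missing_required)
    elif missing_optional:
        status, text = WARNING, "missing optional: " + ", ".join(missing_optional)
    else:
        status, text = OK, "all %d OpenStack processes running" % total
    return status, "%s - %s | %s" % (LABELS[status], text, perfdata)


def main():
    try:
        out = subprocess.check_output(["ps", "-eo", "args"], universal_newlines=True)
    except (OSError, subprocess.CalledProcessError) as exc:
        print("UNKNOWN - cannot run ps: %s" % exc)
        return UNKNOWN
    status, message = evaluate(running_commands(out))
    print(message)
    return status


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a Nagios command definition like any other plugin; the exit status drives the host/service state and the text after `|` is picked up as performance data for trending. Note that a process being present says nothing about whether it can reach its database or message queue; pair this with a service-level check (the "polls actual services" strength listed for Nagios above) that actually calls the API.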
13. Telemetry (Ceilometer)
• Efficiently collects metering data about CPU and network usage.
• Collects data either by consuming the notifications emitted by the services or by polling the infrastructure.
• The type of collected data is configurable to meet various operating requirements; metering data is read and inserted through a REST API.
• The framework can be extended with additional plug-ins to collect custom usage data.
• Produces signed metering messages (an HMAC over each sample, keyed with a shared metering secret) so that tampered or forged samples can be rejected.
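The last bullet above deserves a worked example, because "cannot be repudiated" is easy to over-read. The code below is added for this page and is not Ceilometer's own implementation; it follows the same idea (an HMAC over the sample's fields, keyed with the deployment's metering secret and carried in a message_signature field) but the canonical form used here, JSON with sorted keys, and the sample's field values are assumptions. Since every publisher and collector share the same secret, this proves that a sample was produced by some holder of the secret and was not altered afterwards; it is message integrity and authentication, not non-repudiation in the asymmetric-signature sense, so the secret must be kept out of world-readable configuration.

```python
#!/usr/bin/env python3
"""Signing and verifying metering samples with a shared metering secret.

Added example for this deck, not Ceilometer's own code. It follows the same
idea as Ceilometer's message signing (an HMAC over the sample fields, keyed
with the deployment's metering secret and carried in a 'message_signature'
field) but is a self-contained re-implementation; the canonical form used
here (JSON with sorted keys) and the sample fields are assumptions.
"""
import hashlib
import hmac
import json

SIG_FIELD = "message_signature"


def compute_signature(sample, secret):
    """HMAC-SHA256 over every field except the signature itself.

    Fields are canonicalised (sorted keys, fixed separators) so the publisher
    and the collector hash exactly the same bytes regardless of dict ordering
    or whitespace in transit.
    """
    body = {k: v for k, v in sample.items() if k != SIG_FIELD}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def sign(sample, secret):
    """Return a copy of the sample carrying its signature."""
    signed = dict(sample)
    signed[SIG_FIELD] = compute_signature(sample, secret)
    return signed


def verify(sample, secret):
    """True only if a signature is present and matches (constant-time compare).

    An unsigned sample is rejected rather than accepted by default; otherwise
    stripping the field would be enough to bypass the check.
    """
    sig = sample.get(SIG_FIELD)
    if not isinstance(sig, str) or not sig:
        return False
    return hmac.compare_digest(sig, compute_signature(sample, secret))


# Constructed sample in the shape of a Ceilometer measurement.
SAMPLE = {
    "counter_name": "cpu_util",
    "counter_type": "gauge",
    "counter_unit": "%",
    "counter_volume": 42.5,
    "project_id": "proj-finance",
    "resource_id": "vm-0001",
    "timestamp": "2014-05-01T12:00:00",
}


def demo(secret="metering-secret"):
    """Sign the sample, then show what verification makes of three variants."""
    signed = sign(SAMPLE, secret)
    tampered = dict(signed, counter_volume=0.5)     # changed after signing
    stripped = {k: v for k, v in signed.items() if k != SIG_FIELD}
    return {
        "genuine": verify(signed, secret),
        "tampered": verify(tampered, secret),
        "stripped": verify(stripped, secret),
        "wrong_secret": verify(signed, "not-the-secret"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-12s accepted=%s" % (name, accepted))
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so the collector does not leak the expected signature through timing, and a missing signature is a rejection, because a collector that accepts unsigned samples "for compatibility" is one that accepts forged usage data.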
15. Configuration management
• Establish and maintain consistency of deployments across systems by controlling changes
• Keys:
Gather
Collect configuration on a scheduled basis
Store
Store the collected configurations
Track
Monitor and report changes
Automate
Apply changes across systems with limited user input
16. • Puppet
• Juju
• Ironic, etc.
17. • Puppet Labs and OpenStack community members including Cisco, Red Hat and Rackspace have together designed and developed Puppet modules for OpenStack. This collaboration has several benefits:
Encapsulation of best practices. The community members all have significant IT experience, and the Puppet OpenStack configuration modules capture the OpenStack deployment best practices developed since the beginning of the project.
Cross-platform support. The Puppet configuration modules for OpenStack enable deployment of public or private OpenStack clouds across a wide range of operating systems, databases and hypervisors. You are not limited to a single vendor's platform or technology.
Active community. All community members have a vested interest in the Puppet OpenStack configuration modules and actively contribute to their evolution and support. You are not reliant on any individual member's ability to provide support or technical direction.
19. • Cisco WebEx uses Puppet with OpenStack
• Cisco WebEx uses Puppet to deploy OpenStack nodes and to roll configuration changes out across the nodes
• OpenStack technologies Cisco WebEx uses:
OpenStack Compute (Nova)
OpenStack Block Storage (Cinder)
OpenStack Networking (Neutron)
OpenStack Dashboard (Horizon)
OpenStack Identity Service (Keystone)
OpenStack Image Service (Glance)
For more details: http://www.openstack.org/user-stories/cisco-webex/
20. • When eNovance decided to build its own public cloud to offer hybrid solutions to its clients, it turned to OpenStack.
• Deployment tool used: Puppet
• OpenStack technologies eNovance uses:
OpenStack Compute (Nova)
OpenStack Block Storage (Cinder)
OpenStack Networking (Neutron)
OpenStack Dashboard (Horizon)
OpenStack Identity Service (Keystone)
OpenStack Image Service (Glance)
For more details: http://www.openstack.org/user-stories/enovance/
21. Accounting management
The goal of accounting management is to gather usage statistics for users.
Accounting management is concerned with tracking network utilization information so that individual users, departments or business units can be billed or charged appropriately.
For non-billed networks, "administration" replaces "accounting". The goals of administration are to administer the set of authorized users by establishing users, passwords and permissions, and to administer the operation of the equipment, for example by performing software backup and synchronization.
Accounting is often referred to as billing management. Using the statistics, users can be billed and usage quotas can be enforced; the measured quantities can be disk usage, link utilization, CPU time, etc.
22. LDAP / OpenLDAP: The Lightweight Directory Access Protocol (LDAP, /ˈɛldæp/) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory services play an important role in intranet and Internet applications by sharing information about users, systems, networks, services and applications throughout the network. OpenLDAP is the widely used open source implementation.
Keystone: OpenStack's identity service. Typically used in an OpenStack environment, but it can also serve as stand-alone authentication as a service. It issues tokens together with a service catalog, so each service can validate the caller and learn what it may access; identity data can be backed by SQL, LDAP, or an external authentication mechanism such as Kerberos.
Kerberos: a computer network authentication protocol that works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner.
Telemetry (Ceilometer): the OpenStack metering project that reports the utilisation of the different resources in measurable units. Billing can be based on it.
23. Performance management
Performance management is focused on ensuring that system performance remains at acceptable levels. It enables the manager to prepare the system for the future as well as to determine the efficiency of the current network.
In OpenStack, performance management is embedded in the different components.
You can collect and track the performance of various parameters of an OpenStack cloud via Telemetry (Ceilometer), the OpenStack metering project that reports the utilisation of the different resources in measurable units; billing can be based on the same data.
Many third-party tools exist for VMware and Hyper-V.
24. Security management
The goal is to control access to the assets in the network.
What is to be secured?
1. Data
2. Software
3. Physical devices, etc.
25. Components to be monitored
1. Authentication, security policies and roles
2. Firewalls and security groups
3. Antivirus and protection against malware
4. Physical security of devices
26. Authentication and security policies
1. Token-based authentication: Keystone
2. Authentication as a service: SafeNet
3. Role-based authorization and user access control: tenants/projects in the cloud
4. OpenStack policy.json (per-service rules that map an API action to the roles or ownership required to perform it)
5. AWS Security Center
27. Firewalls and security groups
1. Cisco ASA
2. iptables (the backend that renders OpenStack security groups on the compute nodes)
3. Windows Firewall
4. SELinux
5. OpenStack security groups and rules
6. FWaaS (Neutron Firewall-as-a-Service)
28. Antivirus and protection against malware
1. Symantec Antivirus
2. Spybot Search & Destroy
3. McAfee antivirus
4. VMware vShield Endpoint
5. CipherCloud
29. Physical security of devices
1. Secure the devices, with datacenter access granted only to selected people
2. Monitor the temperature and employ an automated temperature control system
3. Ensure emergency equipment such as fire extinguishers is easily available
4. Implement a reliable alarm system
Editor's notes
Assuming the compute resources are realized as Xen VMs:
The realization-layer resource management system allocates resources (if available) for 5 Gold VMs and launches the VMs by calling the Xen VM management interfaces (xm create, in this case), passing them configuration parameters.
Once provisioned, the allocated IP addresses and other information are returned to the client (not shown here).
Depending on the capabilities supported by the cloud service interfaces, the provisioning process can be more involved (for example, if a whole OVF package is provisioned). But as mentioned before, functions of the infrastructure layer (such as provisioning) are not the subject of this presentation; only the cloud services layer and its north-bound interfaces are. In the cloud computing model things are different: the services organization provides a cloud infrastructure service, on top of which applications are deployed fully configured with their own operating system and configuration. We have de-coupled the complexity of applications from the underlying infrastructure. The application layer and the infrastructure layer are managed independently.