Lessons from Building OpenStack Public Cloud
description
Transcript of Lessons from Building OpenStack Public Cloud
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
OpenStack China Tour #2 Shenzhen
主办方:中国 OpenStack 用户组 & CSDNOrganizer: COSUG & CSDN
关注 COSUG 官方微博 @OpenStack
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
OpenStack 中国行(北京) 日程安排Before14:00 签到
14:00-14:40 基于 OpenStack建设公有云平台的开发实践 程 辉14:40-15:20 OpenStack在香港 骆文钟15:20-15:30 Break
15:30-16:10 OpenStack中的块设备存储服务 Cinder 朱荣泽16:10-16:40 Juju – make your life easier in the cloudOpenStack- 候正鹏16:40-16:50 Break
16:50-17:20 企业私有云基础设施最佳选择GeorgeWang
17:20-17:50 Swift架构与实践 杨雨
在这里写上你的标题
副标题文字副标题文字
作者名字 / 日期
标题文字标题文字副标题副标题副标题
作者 / 日期
Building OpenStack Public Cloud
For OpenStack China Tour Shenzhen
Hui [email protected] | freedomhui.com
CommunityManagerofCOSUGTechnicalManagerinSina.com
2012/9/21
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Content
OpenStack in Sina Integration Extension NewServices
Sina Contribution to OpenStack community
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03 OpenStack in Sina
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
First and most popular PaaS cloud in China, launched in 2009Support PHP, Python and Java runtime
About SinaCloud
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
First and most popular PaaS cloud in China, launched in 2009Support PHP, Python and Java runtime
OpenStack based public IaaS cloud
About SinaCloud
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
First and most popular PaaS cloud in China, launched in 2009Support PHP, Python and Java runtime
OpenStack based public IaaS cloud
SaaS cloud based on SAE tech.Design for the masses1-Click buy and install apps
About SinaCloud
(SinaCloudStore)
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03 OpenStack in Sina
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Sina Web Services(SWS)
To salute Amazon Web Services
It's an validated and successful cloud business model.
CustomersGame makers on Weibo platformSina PartnersCommon users out of Sina
VisionBuild an open and full-stack cloud ecosystem,
integrated IaaS, PaaS and SaaS platform.
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Cloud Bridge
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
SWS Deployment
nova-computenova-network
nova-api
nova-computenova-network
glance
Swift
dashboard
keystone
schedule
RabbitMySQL
Sina SSO
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
SWS Deploy Stack
Dell R510
Ubuntu 12.04
OpenStack
KVM
LocalVolume
LocalVolume
Security Policy
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Nova Network
NetworkingisthebiggestchallengesforIaaS
NetworkTopology:
• VLAN
• FlatDHCP
• FlatDHCP&Multihost
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
SWS Network Topology
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Network Topology (VLAN)
Drawback:• Pre-allocate network for future
projects• Hard-limit of vlan 4096• Traffic bottleneck in the gateway/NAT
Capability:• Accessibility of VMs within one tenant• Isolation of VMs from different
tenants• VM is able to access public network• VM can be accessible from public
network• Isolation between virtual network and
internal network
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Network Topology(Flat)
Capability:• Accessibility of all VMs in the fixed IP
range• VM is able to access public network• VM can be accessible from public
network• Full isolation between virtual network
and internal network
Bonus:• Do not need pre-allocate for new
projects• Eliminating bottleneck between
tenants
Drawback:• Tenant isolation has gone• Traffic bottleneck still exists in NAT
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Network Topology(Flat & Multihost)
Capability:• Accessibility of all VMs in the fixed IP
range• VM is able to access public network• VM can be accessible from public
network
Bonus:• Totally distributed architecture avoid
single-point failure.• Multiple gateway eliminates NAT
bottleneck• High speed between OS regions
Drawback:• Tenant isolation lessens• Need security facility(SWS-filter) to
protect intranetIf security problems were solved, this would be our best choice!
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Security in OpenStack
Static filters --- L2 Filter
MAC, IP, and ARP spoofing protection Notconfigurable Definedin/etc/libvirt/nwfilter/*.xmlImplemented by ebtables ebtables-tnat--list
Security Group --- L3 Filter
Role-based firewall OnesecuritygroupisaRoleIngress filtering Targetistheinstance SourcecanbeCIDRoranothergroupImplemented by iptables Seedetails:iptables-tfilter-n-L Whitelistmechanism(ACCEPTrules)
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Security Enhancement
SWS Filter
Prevent Intranet Penetration• Intranetistheinternalnetwork
outsideofOpenStackEgress filtering• Targetisinternalnetwork• SourceisinstancesinOpenStackImplementation• Whitelistmechanism(ACCEPTrules)• Onthetopofnova-filter-topForward
ChainRational• SWSfilterismanagedbycloudmanager• OnlyexplicitauthorizedpacketscanreachInternalnetworkC• PacketshouldbecontrolledwithinComputeNode
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Security Enhancement
Security Group VS SWS Filter
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
SWS Load Balancer
Goals
Load Balance • Dispatchrequest• Supportmultipleroutingalgorithm• Healthcheck
Acceleration• Reality:narrowbandwidthbetweenISPs• BuildingfiberchannelsfromISPstopivot• Giventhesameendpointwithinuser’sISP
IPv4 Shortage• Reality:dozensofpublicIPssupport
hundredsofVMs• IPv4hasbeenexhausted• IPv6isnotrealisticyetinChina
Unicom MobileTelecom
Router
SmartDNS
DNS Acceleration Design
High speed fiber-optic
Public Network
Others ISP
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
L7 Load Balancer
Layer 7 Load Balancer
Consideration:1.dispatchrequestbyHostheader2.nginxmodule
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
L4 Load Balancer
Layer 4 Load Balancer
Consideration:1.dispatchrequestbyTCP port2.lvs+haproxy
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
SWS Security Enhancement
SWS Filter
Prevent Intranet PenetrationIntranetistheinternalnetwork
outsideofOpenStack
Egress filtering• Targetisinternalnetwork• SourceisinstancesinOpenStack
Implementation Whitelistmechanism(ACCEPTrules) Onthetopofnova-filter-topForward
Chain
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
SWS Security Enhancement
Security Group VS SWS Filter
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Object Storage – Swift Integration
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Storage Firewall
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
SWS continuas integration
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Storage Firewall
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Sina Contribution - Essex
• Sina creating OpenStack community project Dough & Kanyun, to contribute metering & billing capability• Present in OpenStack Design Summit & Conference• Claim and submit dozens of blueprints in OpenStack Launchpad• Top 10 Companies by bugfixes
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Sina Contribution – Folsom
zhu@zrz-dev:~/git/smaffulli/openstack-gitdm$./gitdm-l20-n</opt/stack/gitlog/all.logGrabbingchangesets...doneProcessed3081csetsfrom291developers154employersfoundAtotalof797390linesadded,412196removed(delta385194)
Rackspace
RedHat
NebulaSina
CanonicalIB
M
Cloudscaling
HPNicira
SolidFire
0
200
400
600
800
Changeset
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Sina Contribution – Folsom
zhu@zrz-dev:~/git/smaffulli/openstack-gitdm$./gitdm-l20-n</opt/stack/gitlog/all.logGrabbingchangesets...doneProcessed3081csetsfrom291developers154employersfoundAtotalof797390linesadded,412196removed(delta385194)
RackspaceSina
HP
RedHat
IBM
NebulaIn
tel
SUSE
CanonicalNTT
0
10
20
30
40
Employers
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Sina Contribution - Stackers
• Nova——Jian Wen• Swift——Alex Yang• Quantum——Jiajun Liu• Cinder——Rongze Zhu
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
What's the kanyun
Monitoring tools Trackingthetenantresourceusage: CPU 、 mem 、 disk 、 networktraffic
Metering tools Datacollectionandstatistics
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Kanyun: Monitoring system
Aggregator
API daemon
Nova
Compute
Responds to client request
Calculates/stores metrics
Retrieve usage info
Dashboard
Billing
NoSQL
https://github.com/sinacloud/kanyun (updated at 8/9)
Worker
NovaCompute
Worker
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
What's the kanyun
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Dough:Billing system
Keep track of billing info to charge tenants Flexiblecustomizationofpaymentpolicies Howmuch/oftentochargeforresourceunit Handlesprepaidorpay-as-you-go CouponSupport
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Dough:Billing system
Farmer API daemon
KanyunAPI(Metering)
Subscribe orunsubscribeQuery info
Check status /Retrieve usage /
Create purchases
Dashboard
RDBMS
https://github.com/sinacloud/dough (updated at 8/9)
NoSQL
deduct
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
Dough:Billing system
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03Dashboard
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
SWS v1
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
SWS v2
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
SWS V3
Open API & CLIBuild an cloud ecosystem
vMotionHigh AvailabilityFault Tolerance
EBSSelf-developed SolutionOpenSouce(Gluster/Ceph/Sheepdog)
Quantum IntegrationNicira-alike product research
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03
SWS V3
Multi-IDC SupportMulti Regions/ZonesBuild for failure
User ConsoleMore User friendly
Admin ConsoleBe able to manage resourses like usersPhysical server deployment & managementNetwork & Storage ManagementIdentity and Access Management
00
01
02
03
04
05
写上你的文字你的文字
目录
00
01
02
03Thank you, OpenStack Community and Foundation.