Ocata, Integrations and NFV
Sergey Goncharov, Solution Architect, Red Hat
sgonchar@redhat.com
Red Hat OpenStack Platform Ocata
Core Components in version 11 (Ocata)

- Deployment and management: Director (TripleO)
- Identity: Keystone
- Dashboard: Horizon
- Compute: Nova
- Networking: Neutron
- Block storage: Cinder
- Image: Glance
- Object storage: Swift
- Bare-metal provisioning: Ironic
- Orchestration: Heat
- Telemetry: Ceilometer
- Data processing: Sahara
- Shared filesystem: Manila

The component diagram groups these into IaaS, IaaS+ and shared services layers.

Certified Red Hat OpenStack Platform plugins: https://access.redhat.com/articles/1535373
Red Hat OpenStack Platform
Compute (Nova)

Tenant view:
- Similar to Amazon EC2
- Self-service VMs: boot an instance with a selected flavor (vCPU, RAM, disk size), OS image (from Glance), SSH keypair, host-aggregate or availability zone (AZ), custom metadata, user-data, security-groups, with/without ephemeral disk.
- Reboot, stop, resize, terminate
- See the console log of the instance, open a VNC/RDP session, change the VM root password (if the OS supports it)
- Reserve, assign and release floating IPs
- Manage keypairs and security-groups
- Check quota usage
- Select which Neutron network or port to use
- Other Neutron/Cinder shortcuts for network and volume management

Operator view:
- No need to manage hypervisors individually, due to the distributed design of OpenStack, at any scale.
- Defines which choices are available to tenants: flavors offering specific capabilities and carefully planned capacity and overcommit ratios.
- Supports KVM and VMware (vCenter)
- Easier maintenance and operations with support for node evacuation, mark host down and instance live-migration.
- Define host-aggregates and AZs with specific metadata to allow advanced scheduling and request filtering.
- Set NFV-specific flavors including vCPU pinning, large pages, vCPU/RAM/I/O device NUMA awareness, SR-IOV/PCI passthrough
- Instance HA, transparent to tenants, if enabled
Networking (Neutron)

Tenant view:
- Similar to Amazon VPC, ELB
- Create, Read, Update, Delete (CRUD) networks, subnets and ports, for basic L2 and L3 with IP Address Management (DHCP)
- Define a tenant network (overlay)
- Additionally:
  - Security Groups (per port)
  - East/West L3 routing with tenant-defined routers
  - External gateway, NAT, floating IPs
  - Load balancing, VPN and Firewall
  - IPv6 tenant network management
  - QoS (rate limit policies) per port, per network
  - RBAC for granular sharing of tenant networks

Operator view:
- Provider networks: defined manually in Neutron by the operator, representing a pre-existing network (i.e. VLAN). Useful to point to corporate DNS or gateways with multiple routes
- Quotas
- Multiple simultaneous L2 technologies on a single installation via ML2
- Default Open vSwitch, or choose from dozens of commercial SDN vendors
- Configures SSL/TLS backend for LBaaS
- Define floating IP ranges, normally for publicly routable IPv4 addresses
- Offer/delegate IPv6 tenant networks (SLAAC, DHCP)
- Define and enforce QoS (currently only egress flows)
- VXLAN offloading to HW available (up to 4x throughput)
- Distributed Virtual Routing (DVR) for better scalability
- L2Pop and ARP responder to mitigate ARP flooding at scale
Block Storage (Cinder)

Tenant view:
- Similar to Amazon EBS
- CRUD additional hard drives for an instance, as block volumes: tenant VMs need to format them with a filesystem.
- Persistent storage, can be cloned, snapshotted, replicated or imported/exported to another AZ (also public storage like Google Cloud Storage *)
- Encryption available via LUKS (if enabled by ops)
- Hot-unplug from one instance and re-attach to another instance
- Non-disruptive and incremental snapshots: ideal for backup/restore and DR use-cases
- QoS available (total IOPS)

Operator view:
- Uses Red Hat Ceph Storage as default
- Multiple backends (LVM, iSCSI, NFS, ScaleIO, etc.) including proprietary ones with more specific features
- Faster provisioning via over-subscription, thin provisioning and generic image cache
- iSCSI multi-path support for extra reliability
- Private volume types for premium levels of service (SSD, thick_provisioned)
- Simplified operations, DR and backup with generic volume migration & replication (sync/async, with N number of replicas) between different storage backends
- If exposed, vendor-specific features (mirroring, compression, replication, thin provisioning)
- Storage policies for simpler management

* Tech Preview features are subject to change in the GA release
Object Storage (Swift)

Tenant view:
- Similar to Amazon S3 (a modern version of FTP, WebDAV)
- CRUD objects in containers, per account
- Ideal to store static objects (media, web files, email)
- Only useful if the application understands the Swift/S3 API
- Not meant to be used as a POSIX filesystem
- Fast-POST allows fast, efficient updates of metadata without re-upload of the content.

Operator view:
- Very few dependencies on other OpenStack modules, mostly Keystone for RBAC
- Scales horizontally up to petabytes
- Replication for global clusters
- Also useful to store Glance image backups
- Advanced Swift features: middleware for API processing, temporary URLs, URL rewrite
- Swift requires its own storage space, not integrated with Ceph
- Reduced availability for further storage efficiency with Erasure Coding
VM Image Storage (Glance)

Tenant view:
- Similar to Amazon AMIs
- CRUD images (VM templates, a bootable OS) and snapshots (VM backup)
- Upload from file or from URL
- Metadata can host any key-value pair, useful to document OS version, date...
- Multiple disk formats (QCOW2, RAW, ISO, VDI, VMDK) and container formats (bare, OVF, AMI, ARI)
- Checksum and signature verification for extra security
- Support for large uploads with Keystone Trusts
- Private or public images

Operator view:
- Store images using Cinder as backend.
- If not using Ceph, Director configures Swift as the Glance image store.
- If using Ceph, Glance will leverage advanced RBD features (cache, thin-provisioning, immediate snapshot)
- Automatic Nova/libvirt/KVM optimization depending on the guest OS via the os_name attribute
- Best practice: offer golden images to tenants via public Glance images.
Identity and Access Control (Keystone)

Tenant view:
- Similar to Amazon IAM
- CRUD users, tenants (projects), roles (as long as the Operator allows it)
- Change password, also download a credentials file (RC) with EC2 keys
- Discover OpenStack endpoints via the catalog
- Kerberos for SSO both in the Web UI (Horizon) and in the CLI on client systems with SSSD
- Federated Identity: same user/password across multiple OpenStack providers, fully documented.

Operator view:
- Authenticates and gives authorization to users. Provides them session tokens that will be used for all OpenStack actions
- CRUD users, tenants (projects), roles, and domains (for v3) for better RBAC.
- SAML Federation for authentication with external providers (pre-existing) or other clouds, via Red Hat SSO
- Multiple identity backends: LDAP, Active Directory, FreeIPA, PAM, etc.
- Preferred authorization backend is MariaDB
- Lightweight tokens (Fernet) for better performance and scalability
- Logs in standard CADF auditable format
- Public endpoint protection with SSL/TLS
Orchestration engine (Heat)

Tenant view:
- Similar to Amazon CloudFormation, and ELB
- CRUD templates (stacks), which can be stopped and resumed.
- Well-defined and mature, HOT offers more modularity and flexibility improvements (i.e. resource chains, pre-delete hooks, etc.)
- Very useful when combined with Ceilometer (telemetry) and LBaaS. An example use-case is instance auto-scaling, by creating another VM when cluster load reaches 80% CPU.

Operator view:
- Instructs OpenStack to automate the deployment of resources as defined in the HOT or CloudFormation (CFN) language
- Can offer shared templates, approved by IT
- Excellent integration with CloudForms to create an advanced service catalog for end users with policies and customized quota and capacity management.
- Heat may require minor tuning to ensure enough CPU and RAM is assigned to it
Telemetry (Ceilometer)

Tenant view:
- Similar to Amazon CloudWatch
- Metrics (CPU, RAM usage) and events (e.g. instance is created) can only be listed.
- Alarms (e.g. CPU threshold reached) can also be triggered. The alarm threshold can be custom-defined, all via the Aodh API (pronounced "hey").
- Querying for historical values is available.

Operator view:
- Historically, Ceilometer was a single component with a MongoDB backend; it often suffered performance issues at scale.
- Now Ceilometer offers much better performance and scalability, thanks to the split of its components: Gnocchi, Aodh, and Panko.
  - Gnocchi stores/indexes time-series metrics
  - Aodh does the same for alarms
  - Panko is the event engine
- Connects with CloudForms for capacity monitoring and management.
- Gnocchi is the default for the Undercloud, greatly improving performance.
- There is no longer a Ceilometer API. Use the Gnocchi API.
Baremetal for tenants (Ironic)

Tenant view:
- Similar to Amazon Dedicated EC2 Servers
- Nova commands are used against an existing baremetal Host-Aggregate
- Only works with Glance images tagged hypervisor_type=ironic
- Can deploy Linux or Windows VMs (requires extra steps)
- Graceful shutdown/reboot and NMI (non-maskable interrupt, hard power off) control for physical servers directly from the ironic CLI

Operator view:
- After Ironic reserves a baremetal node, Nova is used to provision the instance
- Allocates a pool of nodes to be entirely allocated to certain tenants, on demand
- Requires careful design for a tenant-facing service (network isolation, security...)
- Defines Nova Host-Aggregates with the key-value baremetal and a flavor with the key hypervisor_type="ironic"
- Quotas and capacity planning are needed
- Good integration (thanks to specific certification) with most hardware vendors: Dell, Cisco, HP
- Introspection process to detect HW capabilities
- Requires many Nova and Neutron changes (i.e. Flat Networking for PXE provisioning)
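The pairing the slide describes (a host aggregate keyed baremetal, a flavor extra spec matched against it, and a Glance image tagged hypervisor_type=ironic) is shown here as an added, simplified Python model of Nova's AggregateInstanceExtraSpecsFilter and ImagePropertiesFilter; it is illustration code, not Nova's own or the deck's, and the host names and aggregate values are constructed. It also shows the pitfall that a flavor with no scoped extra spec is admitted on every host, including the bare-metal ones.

```python
"""Simplified model of the Ironic scheduling pairing on the slide: flavor
extra_specs are matched against host-aggregate metadata and the image's
hypervisor_type against the host. Illustration only, not Nova's code."""
from dataclasses import dataclass, field

AGG_SCOPE = "aggregate_instance_extra_specs:"   # scope Nova uses for aggregate specs


@dataclass
class Host:
    name: str
    hypervisor_type: str             # "ironic" for bare-metal nodes, "QEMU" for KVM
    aggregate_metadata: dict = field(default_factory=dict)


def aggregate_extra_specs_ok(flavor_extra_specs: dict, host: Host) -> bool:
    """AggregateInstanceExtraSpecsFilter, simplified: every scoped extra spec on
    the flavor must appear with the same value in the host's aggregate metadata.
    A flavor with no scoped spec passes every host, which is the pitfall below."""
    for key, wanted in flavor_extra_specs.items():
        if not key.startswith(AGG_SCOPE):
            continue                  # other scopes belong to other filters
        if host.aggregate_metadata.get(key[len(AGG_SCOPE):]) != wanted:
            return False
    return True


def image_properties_ok(image_properties: dict, host: Host) -> bool:
    """ImagePropertiesFilter, simplified: an image tagged hypervisor_type may only
    land on a host of that hypervisor; an untagged image is unrestricted."""
    wanted = image_properties.get("hypervisor_type")
    return wanted is None or wanted.lower() == host.hypervisor_type.lower()


def schedule(flavor_extra_specs: dict, image_properties: dict, hosts: list) -> list:
    """Names of the hosts that pass both filters, in inventory order."""
    return [h.name for h in hosts
            if aggregate_extra_specs_ok(flavor_extra_specs, h)
            and image_properties_ok(image_properties, h)]


# Constructed inventory: two KVM hypervisors in a baremetal=false aggregate and
# two Ironic nodes in a baremetal=true aggregate.
HOSTS = [
    Host("kvm-01", "QEMU", {"baremetal": "false"}),
    Host("kvm-02", "QEMU", {"baremetal": "false"}),
    Host("ironic-01", "ironic", {"baremetal": "true"}),
    Host("ironic-02", "ironic", {"baremetal": "true"}),
]
BAREMETAL_FLAVOR = {AGG_SCOPE + "baremetal": "true"}
KVM_FLAVOR = {AGG_SCOPE + "baremetal": "false"}
IRONIC_IMAGE = {"hypervisor_type": "ironic"}   # Glance image tagged for Ironic
PLAIN_IMAGE = {}                               # VM image with no tag

if __name__ == "__main__":
    print(schedule(BAREMETAL_FLAVOR, IRONIC_IMAGE, HOSTS))  # only the Ironic nodes
    print(schedule(KVM_FLAVOR, IRONIC_IMAGE, HOSTS))        # empty: flavor and image disagree
    print(schedule({}, PLAIN_IMAGE, HOSTS))                 # pitfall: untagged flavor hits all hosts
```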
Dashboard (Horizon)

Tenant view:
- "I need a UI to manage my workloads or troubleshoot"
- "I don't like the CLI"
- "I want to see my Heat topologies"
- "Quickly display my quota usage and default options"

Operator view:
- "I want an admin panel"
- "I want quick access to my Red Hat Access account"
- "I want to see all Neutron networks and routers"
Data Processing (Sahara)

Tenant view:
- Similar to Amazon Elastic MapReduce (EMR)
- Run Hadoop workloads in a few clicks without expertise in Hadoop operations
- Simple parameters such as Hadoop version, cluster topology, and node count
- Data can be hosted elsewhere (S3, Swift...)
- Rapid provisioning of Hadoop clusters for Dev and QA
- Analytics-as-a-Service for bursty or ad-hoc workloads

Operator view:
- Updated versions of all components
- Supports Hadoop distributions on CentOS and RHEL 7: Cloudera CDH 5.5 and 5.7, Hortonworks Ambari 2.4, MapR 5.1 and 5.2
- Plugin Image Packaging Tool, to validate custom plugins, package them and generate clusters from clean, versioned, OS-only images.
- Utilization of unused compute power from a general-purpose OpenStack cloud to perform data processing tasks
Shared File System (Manila)

Tenant view:
- Similar to Amazon Elastic File System, but not just NFS, also CIFS
- Creates a network file share, available in a Neutron shared network
- Can be shared with other tenants (RBAC), including mappings to LDAP entities
- User-defined quotas, policies, replication, snapshots, extend/shrink capacity
- The VM operating system must connect to the share using whatever network protocol has been set (NFS, CIFS)

Operator view:
- Delegates storage management to end users with clearly defined limits and boundaries
- NFS (access by IP address or subnet), CIFS (authentication by user)
- In OSP, Manila is deployed via Director
- CephFS driver is Tech Preview
- Significantly reduces operational burden
TripleO: OpenStack on OpenStack

- Director is based on the upstream OpenStack deployment program TripleO.
- The operator uses an OpenStack installation, referred to as the Undercloud, to deploy and update the production OpenStack install, referred to as the Overcloud, via Heat and Ironic.
- See these two blog posts.
Integration / NFV
Co-engineered with RHEL

Diagram (bottom to top): servers; Linux kernel with KVM, network stack, device drivers and storage; RHEL + KVM with Security-Enhanced Linux (SELinux); OpenStack with Ceph (storage) and OVS (network); supported guests: Windows and Linux. Surrounding partner ecosystem: virtualization, security, network and storage.
Ecosystem of certified Partner Plugins

- Red Hat OpenStack Platform 11 works hand-in-hand with a huge range of certified, trusted providers across most components.
- Certification requirements are documented in our certification policy guide and certification workflow guide.
- Full certification support is outlined in the following KB.
SDN: Software Defined Networking

- Dozens of SDN partners, Neutron certified
- Director can automatically configure Cisco, Nuage, PLUMgrid. More to come
- Two main models:
  - Software centric: hardware is general-purpose
  - Hardware centric: specific network hardware is required
- Can extend Neutron via ML2 drivers, core plugins or advanced services.
NFV: Network Functions Virtualization

- Red Hat NFV Solution is based on 100% open-source components, also certified VNFs
- Extensive partner ecosystem for a production-ready, supported, ETSI NFV compliant platform
Co-Locate Ceph on Nova Compute

- Ceph/compute co-location is now fully supported in production using composable roles and with increased documentation
- Co-locates Ceph OSDs on the Compute nodes:
  - Useful for NFV use cases
  - Reduces hardware requirements
  - Requires performance tuning
- Updated reference architecture
- Support for both converged and non-converged infrastructure using custom roles
Integration with CloudForms

Red Hat OpenStack subscriptions include a CloudForms for OpenStack subscription, which allows management of your Red Hat OpenStack Platform installation's Overcloud, Undercloud and storage.

Integrate Red Hat OpenStack Platform's Overcloud: OpenStack workload management from within CloudForms (admin/tenant facing)
- Synchronize OpenStack tenants with CloudForms tenants
- Create, update, and manage Cinder backup and restore from various backends
- Create and delete snapshots of volumes
- Enhanced topology views and refreshed dashboards ease use and functionality
- Support for domains, regions, and host aggregates
Integration with CloudForms

Integrate Red Hat OpenStack Platform's Undercloud: OpenStack infrastructure management (director) from within CloudForms (operator facing)
- UI for loading instackenv.json
- Introspect right from the CF UI with the Introspect Nodes and Provide Nodes tasks
- Set node states from the CF UI with the Set Node to Manageable menu items
- New provider for OSP director, specifically allowing topology views of the Undercloud networks
- UI for network management and visibility
- Automatically detects Gnocchi and uses it if found.
Integrated with Red Hat Ceph Storage

- Default backend for Red Hat OpenStack Platform, which comes with 64TB of Ceph Enterprise
- Manual installation of Red Hat Storage Console available (Ceph 2 management tool)
- Ceph RADOS Object Gateway can be enabled by Director (as an option)
- Director can connect to an externally-managed Ceph cluster. Director can also install/deploy/update Ceph
- Director can now deploy co-located Ceph OSDs on Compute, allowing for minimal hardware requirements
- Cinder driver now supports NFS snapshots, bringing create, delete and clone-from actions.
OpenDaylight *

- Minimalistic release, not meant to compete with SDN vendors (Tech Preview)
- Main focus is on providing NetVirt and SFC for OpenStack by using the OpenDaylight ML2 plug-in
- Latest OpenDaylight release (Boron SR2) deployed via Director

Feature list:
- Distributed L2: VLAN, NVGRE, VXLAN
- Distributed L3: east/west routing, floating IPs
- No support for NAPT (aka SNAT)
- No support for IPv6
- DHCPv4 using Neutron's DHCP agent
- Network namespaces with dnsmasq
- Metadata (cloud-init) support through the DHCP namespace
- Security-groups when OVS Conntrack * is enabled
- Supports Neutron port-security extensions
- Simplified architecture; no l2-agent or l3-agent

* Tech Preview features are subject to change in the GA release
Operational Tools Overview

- Performance (collectd), logging (fluentd), and monitoring (sensu) agent deployments are fully supported in Red Hat OpenStack Platform 11.
- You can deploy agents and clients directly from Director using composable roles and services.
- Three suites: Performance/Capacity, Centralized Logging, Availability Monitoring
- The server packages are kept on an upstream community repo (CentOS OpsTools SIG) and can be deployed with Ansible playbooks. Upstream components are not supported by Red Hat.
Operational Tools in Detail

- Centralized Logging Suite: to support a centralized EFK stack (Fluentd, Kibana and ElasticSearch), all nodes come with a fluentd log collection agent
- Availability Monitoring Suite: to support complex and essential availability monitoring with tools such as Sensu (for alert monitoring), Uchiwa (for web UI), and Redis and RabbitMQ as backends, all nodes can be deployed with a Sensu monitoring agent
- Performance Monitoring Suite: to build upon a Graphite (for metric collection) and Grafana (for web UI) monitoring installation, all nodes can be deployed with a collectd agent
OpenShift Container Platform as a workload

- Red Hat does not support upstream projects that offer limited management for container platforms to tenants as new OpenStack APIs (like Magnum, Murano).
- Red Hat has a complete Reference Architecture for OSP8 (10+ coming soon), easy to install, for OpenShift Container Platform as a guest: Kubernetes integrates with OpenStack Networking and Storage.
- Automatically provision Kubernetes nodes via the OpenStack cloud provider plug-in (kubelet --cloud-provider=openstack).
- Check out the Red Hat Cloud Suite for an integrated product.
THANK YOU

plus.google.com/+redhat
facebook.com/redhatinc
linkedin.com/company/red-hat
twitter.com/redhatnews
youtube.com/user/redhatvideos