VMs at a Tier-1 site. EGEE 09, Sander Klous, Nikhef


VMs at a Tier-1 site
EGEE 09, 21-09-2009
Sander Klous, Nikhef

Contents
- Introduction: Who are we?
- Motivation: Why are we interested in VMs? What are we going to do with VMs?
- Status: How do we approach this issue? Where do we stand?
- Challenges
03-09-2009 BIG Grid - Virtualization working group 2

Introduction
- Collaboration between:
  - NCF: national computing facilities
  - Nikhef: national institute for subatomic physics
  - NBIC: national bioinformatics center
- Participation from Philips, SARA, etc.
- Goal: enable access to grid infrastructures for scientific research in the Netherlands

Motivation: Why Virtual Machines?
- Site perspective
  - Resource flexibility (e.g. SL4 / SL5)
  - Resource management: scheduling / multi-core / sandboxing
- User perspective
  - Isolation from environment
  - Identical environment on multiple sites
  - Identical environment on local machine

Different VM classes
- Class 1: Site generated Virtual Machines
  - No additional trust issues
  - Benefits for system administration
- Class 2: Certified Virtual Machines
  - Inspection and certification to establish trust
  - Requirements for monitoring / integration
- Class 3: User generated Virtual Machines
  - No trust relation
  - Requires appropriate security measures

Typical use case: Class 1 VM
(Diagram of the site infrastructure) Resource management: Torque/PBS with a job queue, and a Virtual Machine Manager with a VM queue. Box 1: normal WN. Box 2: 8 virtual SL4 WNs. Box 3: 8 virtual SL5 WNs.

Typical use case: Class 2 VM
- Analysis on Virtual Machines
  - Run minimal analysis on desktop/laptop, with access to grid services
  - Run full analysis on the grid
- Identical environment, identical access to grid services
- No interest in becoming a system administrator
- Standard experiment software is sufficient

Typical use case: Class 3 VM
- Identification and classification of GPCRs
- Requires a very specific software set: Blast 2.2.16, HMMER 2.3.2, BioPython 1.50
- Even non-x86 (binary) applications!
- Specific software for this user, no common experiment software

Project status
- Working group: virtualization of worker nodes
  https://wiki.nbic.nl/index.php/biggrid_virtualisatie
- Kick-off meeting July 6th 2009: system administrators, user support, management
- Phase 1 (3 months)
  - Collect site and user requirements
  - Identify other ongoing efforts in Europe
  - First design
- Phase 2 (3 months)
  - Design and implement proof of concept

Active working group topics
- Policies/security issues for Class 2/3 VMs
- Technology study
  - Managing Virtual Machines
  - Distributing VM images
  - Interfacing the VM infrastructure with the grid
- Identify missing functionality and alternatives: accounting and fair share, image management, authentication/authorization, etc.

The Amazon identity crisis
The three most confronting questions:
1. What is the difference between a job and a VM?
2. Why can I do it at Amazon, but not at the grid?
3. What is the added value of grids over clouds?
We don't want to compete with Amazon!

Policy and security issues
- E-science services and functionality
  - Data integrity, confidentiality and privacy
  - Non-repudiation of user actions
- System administrator point of view
  - Trust user intentions, not their implementations
  - Incident response is more costly than certification
  - Forensics is time consuming

Security 101 = attack surface
A compromised user space is often already enough trouble.

Available policies
- Grid Security Policy, version 5.7a
- VO Portal Policy, version 1.0 (draft)
- Big Grid Security Policy, version 2009-025
- Grid Acceptable Use Policy, version 3.1
- Grid Site Operations Policy, version 1.4a
- LCG/EGEE Incident Handling and Response Guide, version 2.1
- Grid Security Traceability and Logging Policy, version 2.0
- VO-Box Security Recommendations and Questionnaire, version 0.6 (draft, not ratified)

Relevant policy statements
- "Network security is covered by site local security policies and practices."
- "A VO Box is part of the trusted network fabric. Privileged access is limited to resource administrators."
- "Software deployed in the grid must include sufficient and relevant site central logging."

First compromise
- Certified package repository
  - Base templates
  - Certified packages
- Separate user disk
  - User specific stuff
  - Permanent storage
- At run time
  - No privileged access
  - Comparable to VO box
- Licenses?

Second compromise
- Make a separate grid DMZ for Class 3 VMs, comparable to guest networks
  - Only outbound connectivity
- Detection of compromised guests
  - Extended security monitoring
  - Packet inspection, netflows (Snort, NfSen)
  - Honeypots, etc.
- Simple policy: one warning, you're out.
- Needs approval (network policy) from OST (Operations Steering Team)
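The DMZ rule on this slide (Class 3 guests get outbound-only connectivity, and a guest that breaks the rule gets one warning before it is removed) can be checked against the site's flow exports. The following is an added example, not code from the slides or from the BIG Grid working group: it parses a constructed, simplified flow log, classifies each connection that touches an assumed DMZ prefix, and applies the one-warning policy per guest. The prefixes `10.99.0.0/24` (DMZ) and `10.10.0.0/16` (trusted site fabric), the record format and the function names `parse_flows`, `classify` and `enforce` are all assumptions made for the example. Note the one edge case a flow-based check has to handle: in unidirectional netflow exports the reply half of a permitted outbound connection appears as traffic towards the guest, so only TCP flows carrying a bare SYN are treated as connection initiators.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed address plan (hypothetical): Class 3 guests live in the DMZ prefix,
# the trusted site fabric (WNs, VO boxes, storage) in a separate prefix.
DMZ_NET = ipaddress.ip_network("10.99.0.0/24")
SITE_NET = ipaddress.ip_network("10.10.0.0/16")

# Constructed flow records: "timestamp proto src:port dst:port tcpflags"
# ("-" means no flags, e.g. for UDP). Not real site data.
SAMPLE_FLOWS = """
# ts                  proto src                dst                 flags
2009-09-03T10:00:01  tcp   10.99.0.17:40112   198.51.100.5:443    S
2009-09-03T10:00:02  tcp   198.51.100.5:443   10.99.0.17:40112    SA
2009-09-03T10:00:05  tcp   203.0.113.9:51000  10.99.0.17:22       S
2009-09-03T10:00:09  tcp   10.99.0.17:40200   10.10.4.2:2811      S
2009-09-03T10:00:12  tcp   10.99.0.23:40300   10.99.0.17:445      S
2009-09-03T10:00:15  udp   10.99.0.23:40400   10.10.4.7:2049      -
"""


@dataclass
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    flags: str


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format above."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, flags = line.split()
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        flows.append(Flow(ts, proto, ipaddress.ip_address(s_ip), int(s_port),
                          ipaddress.ip_address(d_ip), int(d_port), flags))
    return flows


def is_initiator(flow):
    """Only the SYN-only half of a TCP connection tells us who initiated it;
    the SYN/ACK reply of a permitted outbound connection must not be counted
    as an inbound connection. Non-TCP flows carry no such marker."""
    if flow.proto != "tcp":
        return True
    return "S" in flow.flags and "A" not in flow.flags


def classify(flow):
    """Return (guest, verdict). 'outbound' is the only permitted direction;
    'ignore' and 'reply' flows carry no policy decision."""
    if not is_initiator(flow):
        return None, "reply"
    src_dmz = flow.src in DMZ_NET
    dst_dmz = flow.dst in DMZ_NET
    if not src_dmz and not dst_dmz:
        return None, "ignore"
    if src_dmz and dst_dmz:
        return flow.src, "guest-to-guest"      # lateral traffic inside the DMZ
    if dst_dmz:
        return flow.dst, "inbound"             # connection towards a guest
    if flow.dst in SITE_NET:
        return flow.src, "to-site-fabric"      # guest reaching the trusted fabric
    return flow.src, "outbound"


def enforce(flows, max_warnings=1):
    """Apply 'one warning, you're out' per guest. Returns a dict mapping the
    guest address to a list of (timestamp, verdict, action) for each violation."""
    warnings = defaultdict(int)
    decisions = defaultdict(list)
    for flow in flows:
        guest, verdict = classify(flow)
        if guest is None or verdict == "outbound":
            continue
        warnings[guest] += 1
        action = "warn" if warnings[guest] <= max_warnings else "quarantine"
        decisions[str(guest)].append((flow.ts, verdict, action))
    return dict(decisions)


if __name__ == "__main__":
    for guest, events in enforce(parse_flows(SAMPLE_FLOWS)).items():
        for ts, verdict, action in events:
            print(f"{ts} guest={guest} {verdict}: {action}")
```

In the sample data the first guest is warned for an inbound SSH connection and then quarantined when it opens a connection into the site fabric; the second guest is warned for talking to another DMZ guest and quarantined for reaching a site NFS server; the SYN/ACK reply on the permitted outbound HTTPS connection is correctly left alone.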

TECHNOLOGY STUDY

Managing VMs
(Diagram) Resource management: Torque/PBS with a job queue, and Haizea / OpenNebula with a VM queue. Box 1: normal WN. Box 2: 8 virtual WNs. Box 3: 8 Class 2/3 VMs. All within the site.

Distributing VM images
(Diagram) Image repository on a SAN, exported over iSCSI/LVM, holding the VM images; a Class 2/3 upload solution feeds images into the repository. Box 1: normal WN. Box 2: 8 virtual WNs. Box 3: 8 Class 2/3 VMs.

Cached copy-on-write
(Diagram) The repository holds the base images. Box 1 and Box 2 each keep a local copy-on-write (COW) cache of the images they use, and every VM on a box runs on its own COW layer on top of the cached image.

Interfacing VMs with the grid
(Diagram) Image repository on a SAN with a Class 2/3 upload solution; Class 2 versus Class 3 handling is still under discussion.
- Grid middleware: globus-job-run -> globus-gatekeeper -> globus-job-manager
- contact-string: jm-pbs-long / jm-opennebula, mapped to qsub / opennebula
- Resource management: Torque/PBS, Nimbus/OCCI, OpenNebula

VM contact-string
- User management / mapping (coffee table discussion)
  - Mapping to OpenNebula users
  - Authentication / Authorization
  - Access to different VM images
- Grid middleware components involved: CREAM-CE, BLAHp, glexec
  - Execution Environment Service: https://edms.cern.ch/document/1018216/1
  - Authorization Service Design: https://edms.cern.ch/document/944192/1
- Parameter passing issue

Monitoring/Performance testing

Performance
- Small cluster
  - 4 dual-CPU quad-core machines
  - Image server with 2 TB storage
- Integration with experimental testbed
  - Existing CREAM-CE / Torque
- Testing
  - Network I/O: is NAT feasible?
  - File I/O: what is the COW overhead?
  - Realistic jobs

Other challenges
- Accounting, scheduling based on fair share
- Scalability!
- Rapidly changing landscape
  - New projects every week
  - New versions every month
- So many alternatives
  - VMware, SGE, Eucalyptus, Enomaly
  - iSCSI, NFS, GFS, Hadoop
  - Monitoring and security tools

Conclusions
- Maintainability: no home-grown scripting
  - Each solution should be part of a product
  - Validation procedure with each upgrade
- Deployment: gradually move VM functionality into production
  1. Introduce VM worker nodes
  2. Virtual machine endpoint in grid middleware
  3. Test with a few specific Class 2/3 VMs
  4. Scaling and performance tuning