Lessons from Building OpenStack Public Cloud

Presented by Hui Cheng, the organizer of OpenStack China Tour.

  1. OpenStack China Tour #2 Shenzhen. Organizer: China OpenStack User Group (COSUG) & CSDN. Follow COSUG's official Weibo: @OpenStack
  2. OpenStack China Tour (Beijing) agenda
     • Before 14:00: Check-in
     • 14:00 - 14:40: Development practice of building a public cloud platform on OpenStack, 程辉 (Hui Cheng)
     • 14:40 - 15:20: OpenStack in Hong Kong, 骆文钟
     • 15:20 - 15:30: Break
     • 15:30 - 16:10: Cinder, the block storage service in OpenStack, 朱荣泽
     • 16:10 - 16:40: Juju – make your life easier in the cloud, 候正鹏
     • 16:40 - 16:50: Break
     • 16:50 - 17:20: The best choice for enterprise private cloud infrastructure, George Wang
     • 17:20 - 17:50: Swift architecture and practice, 杨雨
  3. Building OpenStack Public Cloud. For Shenzhen OpenStack China Tour. Hui Cheng, freedomhui@gmail.com | freedomhui.com. Community Manager of COSUG; Technical Manager in Sina.com. 2012/9/21
  4. Content
     • OpenStack in Sina
     • Integration
     • Extension
     • New Services
     • Sina Contribution to OpenStack community
  5. OpenStack in Sina
  6. About SinaCloud
     • First and most popular PaaS cloud in China, launched in 2009
     • Support PHP, Python and Java runtime
  8. About SinaCloud
     • First and most popular PaaS cloud in China, launched in 2009
     • Support PHP, Python and Java runtime
     • OpenStack based public IaaS cloud
  10. About SinaCloud
     • First and most popular PaaS cloud in China, launched in 2009
     • Support PHP, Python and Java runtime
     • OpenStack based public IaaS cloud
     • SaaS cloud based on SAE tech. Designed for the masses: 1-click buy and install apps (SinaCloud Store)
  11. OpenStack in Sina
  12. Sina Web Services (SWS)
     • To salute Amazon Web Services: it's a validated and successful cloud business model.
     • Customers: game makers on the Weibo platform; Sina partners; common users outside Sina
     • Vision: build an open and full-stack cloud ecosystem, an integrated IaaS, PaaS and SaaS platform.
  13. Cloud Bridge
  14. SWS Deployment (component diagram): dashboard, nova-api, scheduler, Rabbit, MySQL, keystone, glance, Sina SSO, Swift, nova-compute, nova-network
  15. SWS Deploy Stack: Dell R510; Ubuntu 12.04; OpenStack; KVM; security policy; local volumes
  16. Nova Network
     • Networking is the biggest challenge for IaaS
     • Network topology options: VLAN; FlatDHCP; FlatDHCP & Multihost
  17. SWS Network Topology
  18. Network Topology (VLAN)
     Capability:
     • Accessibility of VMs within one tenant
     • Isolation of VMs from different tenants
     • VM is able to access the public network
     • VM can be accessible from the public network
     • Isolation between the virtual network and the internal network
     Drawback:
     • Pre-allocate network for future projects
     • Hard limit of 4096 VLANs
     • Traffic bottleneck in the gateway/NAT
  19. Network Topology (Flat)
     Capability:
     • Accessibility of all VMs in the fixed IP range
     • VM is able to access the public network
     • VM can be accessible from the public network
     • Full isolation between the virtual network and the internal network
     Bonus:
     • No need to pre-allocate for new projects
     • Eliminates the bottleneck between tenants
     Drawback:
     • Tenant isolation is gone
     • Traffic bottleneck still exists in NAT
  20. Network Topology (Flat & Multihost)
     Capability:
     • Accessibility of all VMs in the fixed IP range
     • VM is able to access the public network
     • VM can be accessible from the public network
     Bonus:
     • Totally distributed architecture avoids single points of failure
     • Multiple gateways eliminate the NAT bottleneck
     • High speed between OS regions
     Drawback:
     • Tenant isolation lessens
     • Needs a security facility (SWS-filter) to protect the intranet
     If the security problems were solved, this would be our best choice!
  21. Security in OpenStack
     Security Group --- L3 filter:
     • Role-based firewall: one security group is a role
     • Ingress filtering: target is the instance; source can be a CIDR or another group
     • Implemented by iptables; see details with: iptables -t filter -n -L
     • Whitelist mechanism (ACCEPT rules)
     Static filters --- L2 filter:
     • MAC, IP, and ARP spoofing protection
     • Not configurable
     • Defined in /etc/libvirt/nwfilter/*.xml
     • Implemented by ebtables; see: ebtables -t nat --list
  22. Security Enhancement: SWS Filter
     Prevent intranet penetration:
     • The intranet is the internal network outside of OpenStack
     Egress filtering:
     • Target is the internal network
     • Source is instances in OpenStack
     Implementation:
     • Whitelist mechanism (ACCEPT rules)
     • On top of the nova-filter-top Forward chain
     Rationale:
     • SWS filter is managed by the cloud manager
     • Only explicitly authorized packets can reach the internal network
     • Packets should be controlled within the compute node
  23. Security Enhancement: Security Group vs. SWS Filter
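Slides 21 to 23 describe two whitelist layers: the security group as a role-based ingress filter whose source is a CIDR or another group, and the SWS filter as an egress whitelist from instances to the intranet, both built from ACCEPT rules with everything else dropped. The following Python model is an added illustration, not code from the slides or from Sina's SWS: it evaluates constructed sample packets against both layers in the order a compute node would apply them and renders the egress whitelist as iptables-style ACCEPT lines closed by a DROP. The addresses, the `web`/`db` group names, the `sws-filter` chain name and the 10.0.0.0/8 intranet range are all constructed assumptions.

```python
"""Model of the two whitelist layers from slides 21-22 (constructed example, not
Sina's SWS code): security groups as a role-based ingress filter, the SWS filter as
an egress whitelist from instances to the intranet. Both default to drop."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Assumption: the intranet (internal network outside OpenStack) is 10.0.0.0/8.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One ACCEPT entry. Source is either a CIDR or another security group."""
    proto: str
    port_min: int
    port_max: int
    cidr: Optional[str] = None
    source_group: Optional[str] = None

    def matches_l4(self, pkt: Packet) -> bool:
        return pkt.proto == self.proto and self.port_min <= pkt.dport <= self.port_max


class SecurityGroups:
    """Role-based ingress whitelist: the groups an instance belongs to are its roles."""

    def __init__(self) -> None:
        self.rules: Dict[str, List[Rule]] = {}
        self.members: Dict[str, Set[str]] = {}
        self.instances: Set[str] = set()

    def add_rule(self, group: str, rule: Rule) -> None:
        self.rules.setdefault(group, []).append(rule)

    def register(self, instance_ip: str, *groups: str) -> None:
        self.instances.add(instance_ip)
        for g in groups:
            self.members.setdefault(g, set()).add(instance_ip)

    def groups_of(self, instance_ip: str) -> List[str]:
        return [g for g, ips in self.members.items() if instance_ip in ips]

    def source_matches(self, rule: Rule, src: str) -> bool:
        if rule.cidr is not None:
            return ip_address(src) in ip_network(rule.cidr)
        # Source given as a group: the sender must itself be a member of that group.
        return src in self.members.get(rule.source_group or "", set())

    def allows_ingress(self, pkt: Packet) -> bool:
        for group in self.groups_of(pkt.dst):
            for rule in self.rules.get(group, []):
                if rule.matches_l4(pkt) and self.source_matches(rule, pkt.src):
                    return True      # explicit ACCEPT
        return False                 # whitelist: nothing matched, so drop


class SwsFilter:
    """Egress whitelist: instances (source) -> intranet (target), default drop."""

    def __init__(self) -> None:
        self.rules: List[Tuple[str, str, Rule]] = []

    def allow(self, instance_cidr: str, internal_cidr: str, proto: str, port: int) -> None:
        self.rules.append((instance_cidr, internal_cidr, Rule(proto, port, port)))

    def allows_egress(self, pkt: Packet) -> bool:
        if ip_address(pkt.dst) not in INTERNAL_NET:
            return True              # not intranet-bound: outside this filter's scope
        for inst, internal, rule in self.rules:
            if (ip_address(pkt.src) in ip_network(inst)
                    and ip_address(pkt.dst) in ip_network(internal)
                    and rule.matches_l4(pkt)):
                return True
        return False

    def as_iptables(self, chain: str = "sws-filter") -> List[str]:
        """ACCEPT lines followed by a DROP for anything else bound for the intranet.
        The chain name is a placeholder; only the whitelist shape is the point."""
        lines = [f"-A {chain} -s {inst} -d {dst} -p {r.proto} --dport {r.port_min} -j ACCEPT"
                 for inst, dst, r in self.rules]
        return lines + [f"-A {chain} -d {INTERNAL_NET} -j DROP"]


def permitted(pkt: Packet, sg: SecurityGroups, sws: SwsFilter) -> bool:
    """Compute-node decision: egress check first, then ingress if the target is an instance."""
    if not sws.allows_egress(pkt):
        return False
    if pkt.dst in sg.instances:
        return sg.allows_ingress(pkt)
    return True


def build_sample() -> Tuple[SecurityGroups, SwsFilter]:
    """Constructed sample: a 'web' role open on 80 to all and on 22 to an admin range,
    a 'db' role open on 3306 only to members of 'web', and one egress grant from the
    web instance to an intranet service on 443."""
    sg = SecurityGroups()
    sg.add_rule("web", Rule("tcp", 80, 80, cidr="0.0.0.0/0"))
    sg.add_rule("web", Rule("tcp", 22, 22, cidr="203.0.113.0/24"))
    sg.add_rule("db", Rule("tcp", 3306, 3306, source_group="web"))
    sg.register("192.168.1.10", "web")
    sg.register("192.168.1.20", "db")
    sg.register("192.168.1.30")      # instance in no group: all ingress dropped
    sws = SwsFilter()
    sws.allow("192.168.1.10/32", "10.1.2.0/24", "tcp", 443)
    return sg, sws
```

Running `permitted(Packet("192.168.1.30", "10.9.9.9", "tcp", 80), *build_sample())` returns False even though no security group is involved, which is the point of slide 22: a packet from an instance toward the intranet needs its own explicit grant, and the check happens on the compute node before the packet ever leaves it.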
  24. SWS Load Balancer
     Goals:
     • Load balance: dispatch requests; support multiple routing algorithms; health check
     • Smart DNS acceleration. Reality: narrow bandwidth between ISPs. Build fiber channels from the ISPs to a pivot, so users are given the same endpoint within their own ISP
     • IPv4 shortage. Reality: dozens of public IPs support hundreds of VMs; IPv4 has been exhausted; IPv6 is not realistic yet in China
     (Diagram: DNS acceleration design; public network; ISPs: Telecom, Unicom, Mobile, others; high-speed fiber-optic links; router)
  25. L7 Load Balancer
     Consideration:
     • 1. dispatch requests by Host header
     • 2. nginx module
  26. L4 Load Balancer
     Consideration:
     • 1. dispatch requests by TCP port
     • 2. lvs + haproxy
     Example: ssh -p 2000 root@socket.abc.com
  27. SWS Security Enhancement: SWS Filter
     Prevent intranet penetration:
     • The intranet is the internal network outside of OpenStack
     Egress filtering:
     • Target is the internal network
     • Source is instances in OpenStack
     Implementation:
     • Whitelist mechanism (ACCEPT rules)
     • On top of the nova-filter-top Forward chain
  28. SWS Security Enhancement: Security Group vs. SWS Filter
  29. Object Storage – Swift Integration
  30. Storage Firewall
  31. SWS continuous integration
  32. Storage Firewall
  33. Sina Contribution - Essex
     • Sina created the OpenStack community projects Dough & Kanyun to contribute metering & billing capability
     • Presented at the OpenStack Design Summit & Conference
     • Claimed and submitted dozens of blueprints in OpenStack Launchpad
     • Top 10 companies by bugfixes
  34. Sina Contribution – Folsom (gitdm output; chart: Changesets, y-axis 0 to 900)
     zhu@zrz-dev:~/git/smaffulli/openstack-gitdm$ ./gitdm -l 20 -n < /opt/stack/gitlog/all.log
     Grabbing changesets...done
     Processed 3081 csets from 291 developers
     154 employers found
     A total of 797390 lines added, 412196 removed (delta 385194)
  35. Sina Contribution – Folsom (same gitdm run; chart: Employers, y-axis 0 to 45)
  36. Sina Contribution - Stackers
     • Nova: Jian Wen
     • Swift: Alex Yang
     • Quantum: Jiajun Liu
     • Cinder: Rongze Zhu
  37. What's the Kanyun
     • Monitoring tools: tracking the tenant resource usage: CPU, memory, disk, network traffic
     • Metering tools: data collection and statistics
  38. Kanyun: Monitoring system (architecture diagram with: Worker on Nova Compute nodes; API daemon; Dashboard; Billing; Aggregator; NoSQL; labels: "Retrieve usage info", "Responds to client request", "Calculates/stores metrics"). https://github.com/sinacloud/kanyun (updated at 8/9)
  39. What's the Kanyun
  40. Dough: Billing system
     • Keep track of billing info to charge tenants
     • Flexible customization of payment policies: how much/how often to charge for a resource unit
     • Handles prepaid or pay-as-you-go
     • Coupon support
  41. Dough: Billing system (architecture diagram with: Kanyun (Metering) API; Dashboard; API daemon; Farmer; RDBMS; NoSQL; labels: "deduct", "Check status / Subscribe or unsubscribe", "Retrieve usage / Query info", "Create purchases"). https://github.com/sinacloud/dough (updated at 8/9)
  42. Dough: Billing system
  43. Dashboard
  44. SWS v1
  45. SWS v2
  46. SWS V3
     • Open API & CLI: build a cloud ecosystem
     • vMotion: high availability, fault tolerance
     • EBS: self-developed solution; open source (Gluster/Ceph/Sheepdog)
     • Quantum integration: Nicira-alike product research
  47. SWS V3
     • Multi-IDC support: multi regions/zones; build for failure
     • User console: more user friendly
     • Admin console: be able to manage resources like users; physical server deployment & management; network & storage management; identity and access management
  48. Thank you, OpenStack Community and Foundation.
  49. Q&A. Weibo: @程辉, freedomhui@gmail.com
