Enhancing OpenStack with Intel Technologies


This document presents the latest improvements made to OpenStack and shows how certain Intel technologies boost the performance and security of a cloud environment. A few examples:
How to create pools of secured VMs with optional geo-tagging (Intel technologies present in HP, DELL, IBM… servers + Folsom, Nova, Horizon, Open Attestation)
How to strengthen the security of OpenStack's new key management module (Intel technologies + Barbican)
How to benchmark Swift object storage with COSBench (which now supports Ceph, S3 and Amplidata)

Girish Gopal - Strategic Planning, Intel Corporation
Malini Bhandaru - Security Architect, Intel Corporation



  1. Enhancing OpenStack* with Intel® Technologies for Public, Private and Hybrid Cloud
     Girish Gopal – Strategic Planning, Intel Corporation
     Malini Bhandaru – Security Architect, Intel Corporation
     Session EDCS003
  2. Agenda
     • Intel and OpenStack*
     • Enhancing OpenStack Compute
     • Enhancing OpenStack Storage
     • Enhancing OpenStack Networking
     • Enhancing OpenStack Data Collection
     • Intel IT Open Cloud
     • Summary and Next Steps
  3. Agenda (same list as slide 2)
  4. Intel Enables OpenStack* Cloud Deployments
     Contributions
     • Across OpenStack projects plus tools released to Open Source
     • Top 10 contributor to Grizzly and Havana releases¹
     • Optimizations, validation and patches
     Intel IT Open Cloud
     • Intel IT Open Cloud with OpenStack
     • Deliver Consumable Services
     • Automated Management of Cloud
     • Collection of best practices
     Intel® Cloud Builders
     • Intel IT Open Cloud Reference Arch
     • Share best practices with IT and CSPs
     ¹Source:
  5. OpenStack* Architecture
     • Identity (Keystone) – Authentication and authorization for services
     • Object Storage (Swift) – Allows you to store or retrieve files
     • Image (Glance) – Catalog and repository for virtual disk images
     • Dashboard (Horizon) – Modular web-based user interface for all services
     • Compute (Nova) – Provides virtual servers upon demand
     • Networking (Neutron) – Provides "network connectivity as a service"
     • Block Storage (Cinder) – Provides persistent block storage to guest VMs
     • Heat – Orchestrate multiple composite cloud applications
     • Ceilometer – Collect measurements for metering and monitoring
     New components in Havana: Heat, Ceilometer
  6. Agenda
     • Intel and OpenStack*
     • Enhancing OpenStack Compute
       – Trust
       – Security
       – Enhanced Platform Awareness (EPA)
     • Enhancing OpenStack Storage
     • Enhancing OpenStack Networking
     • Enhancing OpenStack Data Collection
     • Intel IT Open Cloud
     • Summary and Next Steps
  7. Trusted Compute Pools (TCP) – Trust
     Enhance visibility, control and compliance – key IT concerns (61%, 55% and 57% respectively¹)
     • TCP solution
       - Place workloads & VMs in trusted pools of virtualized servers
       - Trusted Computing Group compliant platform (TPM)
       - Intel® Xeon® processor initiates a trusted boot
       - OpenStack* Folsom release or later
       - Policy engine / console
       - Trust level of VM specified as Trusted
         · Compute (Nova) – Trust Filter
         · Dashboard (Horizon) – Trust Filter UI
       - Open Attestation (OAT) SDK
     • Core technologies
       - Intel® Trusted Execution Technology
       - Intel® Virtualization Technology FlexMigration
     TCP is enabled in OpenStack (Folsom release)
     • Vendors: bundle OAT into your OpenStack offering
     • Providers/IT: implement TCP in your OpenStack cloud
     • Users: request and deploy VMs on trusted nodes
     ¹Source: McCann "What's holding the cloud back?" cloud security global IT survey, sponsored by Intel, May 2012
  8. Trusted Compute Pools with Geo-Tagging – Trust
     Use asset descriptor information to control virtual workloads
     - E.g., enforce policies to control migration or bursting to trusted systems in specific geographical locations
     • Enhance OpenStack* services
       - Dashboard – display VM/storage geo
       - Flavor – geo for VM instances and storage
       - Aggregate filter
     • Geo attestation service
       - Configure geo attestation service
       - Provision geo certificate for trusted machines
     Provide feedback, use cases
  9. (image-only slide; no text captured)
  10. (image-only slide; no text captured)
  11. Key Management – Security
      Encryption keys: create, store, protect, and ready access
      Facilitates server-side encryption; data-at-rest security. Enables new use cases and users, e.g., compliance
      • Random key generation – Intel® Secure Key: true randomness important
      • Secure storage – keys encrypted with a master key
      • Access controlled – identity: Keystone and access policies
      • Audit logging – create/delete/use
      • High availability
      • Pluggable backend – HSM, TPM
  12. OpenStack* Key Manager – Security
      Key management as a separate service; prototype in Havana, incubation in the Icehouse release of OpenStack*
      Secure OpenStack clouds
      • Encrypt volumes, objects and communications
      Status and next steps
      • Barbican Key Manager:
      • Integration with OpenStack authentication and authorization system
      • Immediate: provide volume/block encryption
      Future
      • Creation and certification of public-private key pairs
      • Software support for periodic background tasks
      • Client component that can work against HSM
      • Examine KMIP
      • Leverage AES-XTS to enhance performance
      Building blocks
      • Trusted Platform Module
      • Intel® Secure Key
      • Intel® AES-NI
      • New instructions and wider registers
      Intel® AES-NI = Intel® Advanced Encryption Standard New Instructions
  13. OpenStack* Security Guide – Security
      • OpenStack* services
      • Public and private clouds
      • Security domains and bridges
      • Layered security
      • Secure node bootstrapping and hardening
      • Secure intra-service communication
      • Database security
      • Hypervisor selection
      • Trusted machine images
      • VM migration
      • Logging
      • Identity management
      • Access control
      • Compliance & audit
      Help update the Security Guide
  14. CPU Features Exposure – EPA
      Allows OpenStack* to have a greater awareness of the capabilities of the hardware platforms
      • Expose CPU features to the OpenStack Nova scheduler
      • Use the ComputeCapabilities filter to select hosts with required features
        - Security workload could run faster & more securely with Intel® AES-NI
      • Enables premium flavors
        - Enhanced capabilities for cloud customers
        - Enhanced revenue for cloud providers
      Component changes
      • Image (Glance) – import host capabilities request via VM metadata
      • Dashboard (Horizon) – expose
      • Compute (Nova) – host capabilities discovery, reporting and filter enhancements
      Targeted for Havana and future OpenStack releases
      Intel® AES-NI = Intel® Advanced Encryption Standard New Instructions
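The slide describes two halves of CPU feature exposure: the compute node discovering and reporting its flags, and the scheduler filtering hosts against what a flavor requires. The following is an added example written for this page, not Nova's own code: it parses constructed `/proc/cpuinfo` excerpts (the `aes` flag is how AES-NI appears there), builds a capability report, and applies a simplified filter. The `capabilities:cpu_info:features` key and its `<all-in>` operator are assumptions for the example; Nova's ComputeCapabilitiesFilter has its own spec grammar.

```python
"""Host CPU feature discovery and a capabilities filter (added example)."""

# Constructed /proc/cpuinfo excerpts for two compute nodes: one Xeon with the
# AES-NI ("aes") and AVX flags, one older part without them.
CPUINFO_NODE_A = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU (constructed sample)
flags\t\t: fpu vme sse sse2 ssse3 sse4_1 sse4_2 aes avx
processor\t: 1
vendor_id\t: GenuineIntel
flags\t\t: fpu vme sse sse2 ssse3 sse4_1 sse4_2 aes avx
"""

CPUINFO_NODE_B = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU (constructed sample)
flags\t\t: fpu vme sse sse2 ssse3 sse4_1
"""


def parse_cpu_features(cpuinfo_text):
    """Return the feature flags common to every logical CPU in the cpuinfo text."""
    per_cpu = []
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            per_cpu.append(set(value.split()))
    if not per_cpu:
        return set()
    # Advertise only what all CPUs share, so a VM pinned anywhere still gets it.
    return set.intersection(*per_cpu)


def host_capabilities(hostname, cpuinfo_text):
    """Shape of the report a compute node would send to the scheduler."""
    return {"host": hostname,
            "cpu_info": {"features": sorted(parse_cpu_features(cpuinfo_text))}}


def required_features(extra_specs):
    """Parse the hypothetical ``capabilities:cpu_info:features`` flavor spec.

    ``<all-in> aes avx`` means every listed flag is required on the host.
    """
    value = extra_specs.get("capabilities:cpu_info:features", "")
    if not value.startswith("<all-in>"):
        return set()
    return set(value[len("<all-in>"):].split())


def filter_hosts(host_reports, extra_specs):
    """Keep the hosts whose reported features cover what the flavor asks for."""
    need = required_features(extra_specs)
    return [r["host"] for r in host_reports
            if need <= set(r["cpu_info"]["features"])]


if __name__ == "__main__":
    reports = [host_capabilities("node-a", CPUINFO_NODE_A),
               host_capabilities("node-b", CPUINFO_NODE_B)]
    print(filter_hosts(reports, {"capabilities:cpu_info:features": "<all-in> aes avx"}))
```

A flavor that requests `<all-in> aes` lands only on hosts whose every CPU reports AES-NI; a flavor with no capability spec is placed anywhere, which is the behaviour the premium-flavor model on the slide relies on.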
  15. PCI Express* (PCIe*) Accelerator Exposure – EPA
      Leverage PCI Express accelerators to gain performance
      • Crypto speed-up, hardware-based trust, faster I/O
      • OpenStack* updates to enable PCI Express* (PCIe*) accelerators
        – Solution based on libvirt and KVM
        – Add PCIe device info to the libvirt driver
        – Extend Nova Scheduler to handle PCIe device allocation
        – Configure the VM for deployment
      • Status
        – Code released to the community
        – Not yet integrated into the Havana release mainline
        – NIC SR-IOV Virtual Function allocation to a VM possible
          · Not a recommended use case
          · Additional OpenStack updates necessary for a robust solution
      SR-IOV = Single Root I/O Virtualization
  16. Agenda
      • Intel and OpenStack*
      • Enhancing OpenStack Compute
      • Enhancing OpenStack Storage
        – Intelligent Volume Scheduling
        – Erasure Code
        – COSBench
      • Enhancing OpenStack Networking
      • Enhancing OpenStack Data Collection
      • Intel IT Open Cloud
      • Summary and Next Steps
  17. Intelligent Volume Scheduling – OpenStack* Cinder
      Maximize block storage efficiency by intelligently allocating volumes based on workload and type of service required
      Example: differentiated service with different storage backends
      • CSP: 3 different storage systems, offers 4 levels of volume services
      • Volume service criteria dictate which storage system can be used
      • Filter scheduler allows the CSP to name storage services and allocate the correct volume
      Intelligent Volume Scheduling is enabled in OpenStack* (Grizzly release)
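The slide's example (three storage systems, four service levels, a filter scheduler that matches named services to backends) is easy to see in code. The block below is an added example, not Cinder's scheduler: three constructed backend capability reports, four volume types, a capabilities filter keyed on `volume_backend_name` (the key Cinder's CapabilitiesFilter matches), a capacity filter that honours the backend's reserved percentage, and a most-free-space weigher. Backend names and capacities are made up.

```python
"""Filter-scheduler style volume placement across several backends (added example)."""

# Constructed capability reports from three storage backends, in the shape of
# what a scheduler receives from backend drivers (names and numbers are made up).
BACKENDS = [
    {"name": "ssd-array", "volume_backend_name": "ssd-array",
     "free_capacity_gb": 800, "total_capacity_gb": 2000, "reserved_percentage": 10},
    {"name": "sas-array", "volume_backend_name": "sas-array",
     "free_capacity_gb": 6000, "total_capacity_gb": 20000, "reserved_percentage": 5},
    {"name": "lvm-local", "volume_backend_name": "lvm-local",
     "free_capacity_gb": 300, "total_capacity_gb": 1000, "reserved_percentage": 0},
]

# Four volume service levels mapped to backends through extra_specs.
# "economy" deliberately names no backend, so any backend with room may serve it.
VOLUME_TYPES = {
    "gold": {"volume_backend_name": "ssd-array"},
    "silver": {"volume_backend_name": "sas-array"},
    "bronze": {"volume_backend_name": "lvm-local"},
    "economy": {},
}


def capabilities_filter(backend, extra_specs):
    """Every extra_spec the volume type names must match the backend report."""
    return all(backend.get(key) == value for key, value in extra_specs.items())


def capacity_filter(backend, size_gb):
    """Refuse backends whose free space, minus the reserved slice, cannot hold the volume."""
    reserved = backend["total_capacity_gb"] * backend["reserved_percentage"] / 100.0
    return backend["free_capacity_gb"] - reserved >= size_gb


def capacity_weigher(backend):
    """Prefer the candidate with the most free space."""
    return backend["free_capacity_gb"]


def schedule_volume(volume_type, size_gb, backends=BACKENDS, types=VOLUME_TYPES):
    """Return the chosen backend name, or None when no backend satisfies the request."""
    specs = types[volume_type]
    candidates = [b for b in backends
                  if capabilities_filter(b, specs) and capacity_filter(b, size_gb)]
    if not candidates:
        return None
    return max(candidates, key=capacity_weigher)["name"]


if __name__ == "__main__":
    for vtype, size in [("gold", 100), ("gold", 700), ("economy", 100), ("bronze", 350)]:
        print(vtype, size, "->", schedule_volume(vtype, size))
```

The second request shows the failure mode worth knowing about: the SSD array reports 800 GB free, but 10% of its 2000 GB total is reserved, so a 700 GB "gold" volume is rejected rather than silently placed on a backend that would run out of headroom.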
  18. Erasure Code for OpenStack* Swift
      Diagram: clients → access tier (concurrency) → capacity tier (storage), with a tri-replication path and an erasure code path
      Saves disk space, does not impact QoS for hot objects
      • Swift uses tri-replication today (3x storage)
      • Add daemon on storage node
      • Scans all existing objects offline
      • Selects cold objects of large enough size
      • Replaces tri-replication algorithm with erasure code
      Collaborate on Erasure Code
      • CLDS007: "OpenStack Swift Erasure Code: A Smart Cloud Storage Solution" Wednesday, 5PM, Rm 2005
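To make the space-saving argument and the cold-object policy concrete, here is an added example (not the Swift erasure-code daemon, whose code is not on this page). It selects cold, large objects from a constructed listing, computes the storage overhead of tri-replication versus a k+m erasure code, and implements the simplest erasure code there is: k data fragments plus one XOR parity, which survives the loss of any single fragment. The age and size thresholds are assumed values.

```python
"""Cold-object selection and a single-parity erasure code (added example)."""


def select_cold_objects(objects, now, min_age_s, min_size_bytes):
    """Pick objects old enough and large enough to move off tri-replication.

    ``objects`` is a list of dicts with ``name``, ``size`` and ``last_access``
    (seconds); thresholds are policy knobs the daemon on the slide would read.
    """
    return [o["name"] for o in objects
            if now - o["last_access"] >= min_age_s and o["size"] >= min_size_bytes]


def storage_overhead(data_fragments, parity_fragments):
    """Bytes stored per payload byte: 3.0 for tri-replication, (k+m)/k for erasure code."""
    return (data_fragments + parity_fragments) / data_fragments


def _xor_all(fragments):
    acc = bytes(fragments[0])
    for frag in fragments[1:]:
        acc = bytes(a ^ b for a, b in zip(acc, frag))
    return acc


def encode_xor(payload, k):
    """Split payload into k equal data fragments plus one XOR parity fragment.

    Single parity recovers any one lost fragment; production codes
    (Reed-Solomon) generalise this to m parities surviving m losses.
    Returns the fragment list and the original length (needed to strip padding).
    """
    frag_len = -(-len(payload) // k)                       # ceiling division
    padded = payload + b"\x00" * (frag_len * k - len(payload))
    data = [padded[i * frag_len:(i + 1) * frag_len] for i in range(k)]
    return data + [_xor_all(data)], len(payload)


def decode_xor(fragments, payload_len, missing_index=None):
    """Rebuild the payload; if one fragment (data or parity) is None, recover it first."""
    frags = list(fragments)
    if missing_index is not None:
        # XOR of all surviving fragments reproduces the missing one.
        frags[missing_index] = _xor_all(
            [f for i, f in enumerate(frags) if i != missing_index])
    return b"".join(frags[:-1])[:payload_len]


if __name__ == "__main__":
    print("tri-replication overhead:", storage_overhead(1, 2))
    print("4+1 XOR overhead:", storage_overhead(4, 1))
    frags, n = encode_xor(b"constructed object payload", 4)
    frags[1] = None                                        # simulate a lost disk
    print(decode_xor(frags, n, missing_index=1))
```

At 4+1 the cold object costs 1.25x its size instead of 3x, which is the saving the slide claims; the trade-off is that a read of a degraded object now needs k fragments and a reconstruction, which is why the daemon only converts cold objects and leaves hot ones on the replication path.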
  19. Introducing COSBench
      An open source, Intel-developed benchmarking tool to measure cloud object storage (e.g., OpenStack* Swift) performance
      • Compare performance of cloud object stores
      • Evaluate internal options for software stacks
      • Identify bottlenecks and tune performance
      • Pluggable adaptors for different storage systems
      • Web-based UI
      • Real-time performance monitoring
      Metrics reported: throughput, response time, bandwidth, success ratio
      Download, evaluate, contribute
  20. Agenda
      • Intel and OpenStack*
      • Enhancing OpenStack Compute
      • Enhancing OpenStack Storage
      • Enhancing OpenStack Networking
        – Intel® Open Network Platform
      • Enhancing OpenStack Data Collection
      • Intel® IT Open Cloud
      • Summary and Next Steps
  21. Intel® Open Network Platform (ONP), OpenStack* and SDN/NFV Framework
      Diagram: OpenStack (orchestrator, via Neutron) sits above the controllers; network applications reach the controller through the northbound API, and the controller drives the nodes through the southbound API (e.g., OpenFlow*, Open vSwitch). Node types shown: network appliance, TOR switch, cloud server with virtual switch, EPC, media gateway.
      SDN/NFV: Software Defined Networking / Network Functions Virtualization
      • Intel® ONP Switch Reference Design
      • Intel ONP Server Reference Design
      Learn more about Intel ONP
      • CLDS006: "Extending Open Networking Platform (ONP) for the Next Generation Server Architectures" Wednesday, 3:45PM, Rm 2005
  22. Agenda
      • Intel and OpenStack*
      • Enhancing OpenStack Compute
      • Enhancing OpenStack Storage
      • Enhancing OpenStack Networking
      • Enhancing OpenStack Data Collection
        – Multiple Publisher Support
        – Intelligent Workload Scheduling
      • Intel® IT Open Cloud
      • Summary and Next Steps
  23. Data Collection for Monitoring: Multiple Publisher (Ceilometer)
      Diagram: data collector → pipeline manager → transformers → publishers, feeding both metering and monitoring
      Facilitates transformation and publishing of metered data for consumption by various targets
      • Send/publish collected measurements to different endpoints/utilities through different conduits with different formats
      • Provides the ability to store collected data in different data stores
      Targeted for OpenStack* Havana release
      • Create/add plug-ins to store data in your own data stores
  24. Data Collection for Efficiency: Intelligent Workload Scheduling
      Enhanced usage statistics allow advanced scheduling decisions
      • Pluggable metric data collecting framework
        - Collects data via plug-ins
        - Sends data to the notification bus for use by other OpenStack* components
      • Compute (Nova)
        - New filters / weighers for utilization-based scheduling
      Targeted for OpenStack* Havana release
      • Utilize the pluggable framework to create/add your own plug-ins to monitor the network
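The multiple-publisher pipeline on slide 23 (collector, pipeline manager, transformers, several publishers) reads more clearly as code. What follows is an added example, not Ceilometer's implementation: samples flow through a meter selector, a transformer chain (rate-of-change on a cumulative counter, then a unit conversion) and out to every registered publisher. The transformer and publisher classes, the sample dicts and the constructed polling data are all assumptions made for the example.

```python
"""Ceilometer-style pipeline: transformers feeding multiple publishers (added example)."""


class UnitConversionTransformer:
    """Rescale a meter's volume, e.g. bytes to MiB."""

    def __init__(self, meter, factor, new_unit):
        self.meter, self.factor, self.new_unit = meter, factor, new_unit

    def handle(self, sample):
        if sample["name"] != self.meter:
            return sample
        out = dict(sample)
        out["volume"] = sample["volume"] * self.factor
        out["unit"] = self.new_unit
        return out


class RateOfChangeTransformer:
    """Turn a cumulative counter into a per-second rate.

    The first sample seen for a resource has nothing to diff against and is
    dropped (returns None); so is any sample whose timestamp did not advance.
    """

    def __init__(self, meter):
        self.meter = meter
        self.previous = {}                  # resource_id -> (timestamp, volume)

    def handle(self, sample):
        if sample["name"] != self.meter:
            return sample
        key = sample["resource_id"]
        last = self.previous.get(key)
        self.previous[key] = (sample["timestamp"], sample["volume"])
        if last is None or sample["timestamp"] <= last[0]:
            return None
        out = dict(sample)
        out["name"] = self.meter + ".rate"
        out["volume"] = (sample["volume"] - last[1]) / (sample["timestamp"] - last[0])
        out["unit"] = sample["unit"] + "/s"
        return out


class ListPublisher:
    """Collects what it is handed; stands in for rpc://, udp:// or file:// publishers."""

    def __init__(self, name):
        self.name, self.received = name, []

    def publish(self, samples):
        self.received.extend(samples)


class Pipeline:
    """Select meters, run them through the transformer chain, fan out to every publisher."""

    def __init__(self, meters, transformers, publishers):
        self.meters = set(meters)
        self.transformers = transformers
        self.publishers = publishers

    def process(self, samples):
        out = []
        for sample in samples:
            if sample["name"] not in self.meters:
                continue
            for transformer in self.transformers:
                sample = transformer.handle(sample)
                if sample is None:
                    break
            if sample is not None:
                out.append(sample)
        for publisher in self.publishers:         # same batch to every target
            publisher.publish(out)
        return out


def run_demo():
    """Constructed samples: a cumulative byte counter polled twice, plus an unrelated meter."""
    samples = [
        {"name": "network.incoming.bytes", "resource_id": "vm-1", "timestamp": 0,
         "volume": 0, "unit": "B"},
        {"name": "cpu", "resource_id": "vm-1", "timestamp": 0, "volume": 5, "unit": "ns"},
        {"name": "network.incoming.bytes", "resource_id": "vm-1", "timestamp": 10,
         "volume": 10 * 1024 * 1024, "unit": "B"},
    ]
    publishers = [ListPublisher("rpc"), ListPublisher("udp")]
    pipeline = Pipeline(
        meters=["network.incoming.bytes"],
        transformers=[RateOfChangeTransformer("network.incoming.bytes"),
                      UnitConversionTransformer("network.incoming.bytes.rate",
                                                1.0 / (1024 * 1024), "MiB/s")],
        publishers=publishers,
    )
    return pipeline.process(samples), publishers


if __name__ == "__main__":
    print(run_demo()[0])
```

Of the three input samples only one leaves the pipeline: the `cpu` sample is not a selected meter, the first byte count has no predecessor to compute a rate from, and the second becomes a single `network.incoming.bytes.rate` sample of 1.0 MiB/s delivered to both publishers.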
  25. Agenda (same list as slide 2)
  26. Intel IT Open Cloud
      Today: large private cloud, limited public cloud
      • 77% virtualized
      • 80% of new servers in the cloud
      • Under 1 hour to deploy infrastructure
      • Small number of SaaS apps in usage
      • Savings realized to date: $21M
      Tomorrow: hybrid cloud
      • Land applications in minutes
      • Automation: lower cost w/ less resources
      • Open cloud for bursting capacity
      • SaaS for non-differentiated apps (e.g. email)
      Learn more on Intel IT Open Cloud
      • CLDS004 "Intel IT Open Cloud – What's Under the Hood, and How Do We Drive It?" Wednesday, 5PM, Rm 2001
  27. Agenda (same list as slide 2)
  28. Summary: Intel® Technologies & Solutions for OpenStack*
      • Trusted Compute Pools (TCP) – Place workloads and VMs in trusted pools of virtualized servers; Intel® TXT, Intel® VT FlexMigration; release: Folsom
      • TCP with Geotagging – Determine and control location of sensitive data in the cloud; Intel® TXT, Intel® VT FlexMigration; release: Icehouse
      • Key Manager – Manager for symmetric and public/private keys, certificates; Intel® AES-NI, Intel® Secure Key; release: Havana/Icehouse
      • Enhanced Platform Awareness – Leveraging PCIe accelerator devices in cloud infrastructure, and enabling access to Intel® 64 instruction set extensions; Intel® QuickAssist, Intel AES-NI, Intel® AVX, AVX2, Intel® SSE4, Intel Secure Key; release: Havana
      • Erasure Code – Replacing tri-replication algorithm in Swift; release: Havana
      • Intelligent Volume Scheduling – Allocate block storage by type of service required; release: Grizzly
      • Multiple Publisher – Transformation & publishing of metered data; release: Havana
      • Data Collection for Efficiency – Usage statistics for scheduling decisions; release: Havana
      • Open Network Platform – Framework for SDN/NFV; Intel® VT-d, Intel® DPDK, Intel® DDIO
      • Open Attestation SDK – Remote attestation service for TCP; open source
      • COSBench – Object store performance characterization tool; open source
      Intel® TXT = Intel® Trusted Execution Technology; Intel® VT = Intel® Virtualization Technology; Intel® AES-NI = Intel® Advanced Encryption Standard – New Instructions; Intel® AVX = Intel® Advanced Vector Extensions; Intel® VT-d = Intel® Virtualization for Directed I/O; Intel® DPDK = Intel® Data Plane Development Kit; Intel® DDIO = Intel® Data Direct I/O
  29. Read, Download, Get Involved
      • Compute
        - Open Attestation SDK:
        - OpenStack* on Intel® TXT (Fedora*):
        - Mechanisms to Protect Data in the Open Cloud: http://download-
      • Storage
        - COSBench:
      • Networking
        - Intel® Open Network Platform:
      • Intel IT use of OpenStack
        - Accelerating Deployment of Cloud Services Using Open Source Software: practices/accelerating-deployment-of-cloud-services-using-open-source-software.pdf
      Intel® Trusted Execution Technology (Intel® TXT)
  30. Legal Disclaimer
      INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.
      A "Mission Critical Application" is any application in which failure of the Intel Product could result, directly or indirectly, in personal injury or death. SHOULD YOU PURCHASE OR USE INTEL'S PRODUCTS FOR ANY SUCH MISSION CRITICAL APPLICATION, YOU SHALL INDEMNIFY AND HOLD INTEL AND ITS SUBSIDIARIES, SUBCONTRACTORS AND AFFILIATES, AND THE DIRECTORS, OFFICERS, AND EMPLOYEES OF EACH, HARMLESS AGAINST ALL CLAIMS COSTS, DAMAGES, AND EXPENSES AND REASONABLE ATTORNEYS' FEES ARISING OUT OF, DIRECTLY OR INDIRECTLY, ANY CLAIM OF PRODUCT LIABILITY, PERSONAL INJURY, OR DEATH ARISING IN ANY WAY OUT OF SUCH MISSION CRITICAL APPLICATION, WHETHER OR NOT INTEL OR ITS SUBCONTRACTOR WAS NEGLIGENT IN THE DESIGN, MANUFACTURE, OR WARNING OF THE INTEL PRODUCT OR ANY OF ITS PARTS.
      Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined". Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.
      The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to:
      Intel, Xeon, Look Inside and the Intel logo are trademarks of Intel Corporation in the United States and other countries. *Other names and brands may be claimed as the property of others. Copyright ©2013 Intel Corporation.
  31. Legal Disclaimer
      • Intel® AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on select Intel® processors. For availability, consult your reseller or system manufacturer. For more information, see Intel® Advanced Encryption Standard Instructions (AES-NI).
      • Built-In Security: No computer system can provide absolute security under all conditions. Built-in security features available on select Intel® processors may require additional software, hardware, services and/or an Internet connection. Results may vary depending upon configuration. Consult your system manufacturer for more details. For more information, see
      • Intel® 64 architecture requires a system with a 64-bit enabled processor, chipset, BIOS and software. Performance will vary depending on the specific hardware and software you use. Consult your PC manufacturer for more information. For more information, visit
      • Intel® Secure Key Technology: No system can provide absolute security. Requires an Intel® Secure Key-enabled platform, available on select Intel® processors, and software optimized to support Intel Secure Key. Consult your system manufacturer for more information.
      • Intel® Trusted Execution Technology (Intel® TXT): No computer system can provide absolute security under all conditions. Intel® TXT requires a computer with Intel® Virtualization Technology, an Intel TXT enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT compatible measured launched environment (MLE). Intel TXT also requires the system to contain a TPM v1.s. For more information, visit
      • Trusted Platform Module (TPM): The original equipment manufacturer must provide TPM functionality, which requires a TPM-supported BIOS. TPM functionality must be initialized and may not be available in all countries.
      • Intel® Virtualization Technology (Intel® VT) requires a computer system with an enabled Intel® processor, BIOS, and virtual machine monitor (VMM). Functionality, performance or other benefits will vary depending on hardware and software configurations. Software applications may not be compatible with all operating systems. Consult your PC manufacturer. For more information, visit
  32. Risk Factors
      The above statements and any others in this document that refer to plans and expectations for the third quarter, the year and the future are forward-looking statements that involve a number of risks and uncertainties. Words such as "anticipates," "expects," "intends," "plans," "believes," "seeks," "estimates," "may," "will," "should" and their variations identify forward-looking statements. Statements that refer to or are based on projections, uncertain events or assumptions also identify forward-looking statements. Many factors could affect Intel's actual results, and variances from Intel's current expectations regarding such factors could cause actual results to differ materially from those expressed in these forward-looking statements. Intel presently considers the following to be the important factors that could cause actual results to differ materially from the company's expectations. Demand could be different from Intel's expectations due to factors including changes in business and economic conditions; customer acceptance of Intel's and competitors' products; supply constraints and other disruptions affecting customers; changes in customer order patterns including order cancellations; and changes in the level of inventory at customers. Uncertainty in global economic and financial conditions poses a risk that consumers and businesses may defer purchases in response to negative financial events, which could negatively affect product demand and other related matters. Intel operates in intensely competitive industries that are characterized by a high percentage of costs that are fixed or difficult to reduce in the short term and product demand that is highly variable and difficult to forecast.
      Revenue and the gross margin percentage are affected by the timing of Intel product introductions and the demand for and market acceptance of Intel's products; actions taken by Intel's competitors, including product offerings and introductions, marketing programs and pricing pressures and Intel's response to such actions; and Intel's ability to respond quickly to technological developments and to incorporate new features into its products. The gross margin percentage could vary significantly from expectations based on capacity utilization; variations in inventory valuation, including variations related to the timing of qualifying products for sale; changes in revenue levels; segment product mix; the timing and execution of the manufacturing ramp and associated costs; start-up costs; excess or obsolete inventory; changes in unit costs; defects or disruptions in the supply of materials or resources; product manufacturing quality/yields; and impairments of long-lived assets, including manufacturing, assembly/test and intangible assets. Intel's results could be affected by adverse economic, social, political and physical/infrastructure conditions in countries where Intel, its customers or its suppliers operate, including military conflict and other security risks, natural disasters, infrastructure disruptions, health concerns and fluctuations in currency exchange rates. Expenses, particularly certain marketing and compensation expenses, as well as restructuring and asset impairment charges, vary depending on the level of demand for Intel's products and the level of revenue and profits. Intel's results could be affected by the timing of closing of acquisitions and divestitures.
      Intel's results could be affected by adverse effects associated with product defects and errata (deviations from published specifications), and by litigation or regulatory matters involving intellectual property, stockholder, consumer, antitrust, disclosure and other issues, such as the litigation and regulatory matters described in Intel's SEC reports. An unfavorable ruling could include monetary damages or an injunction prohibiting Intel from manufacturing or selling one or more products, precluding particular business practices, impacting Intel's ability to design its products, or requiring other remedies such as compulsory licensing of intellectual property. A detailed discussion of these and other factors that could affect Intel's results is included in Intel's SEC filings, including the company's most recent reports on Form 10-Q, Form 10-K and earnings release. Rev. 7/17/13
  33. Backup
  34. Trusted Geolocation Preview
      • Determine and control location of server with sensitive information in the cloud
      • Server location information added to server root of trust
      • Three main phases:
        1. Platform attestation and safe hypervisor launch
        2. Trust-based secure migration
        3. Trust- and geolocation-based secure migration
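Slides 7 and 8 and this backup slide describe the same scheduling decision: a flavor asks for a trusted host (and optionally a geolocation), the Nova trust filter asks the Open Attestation service for the host's verdict, and hosts that fail attestation or sit in the wrong location are dropped. The block below is an added example that shows that filter end to end; it is not Nova's TrustedFilter or the OAT SDK. The attestation table, the host names, the `geo:country` extra_specs key and the `geo` field in the verdict are assumptions made for the example (`trust:trusted_host` is the key Nova's trust filter reads).

```python
"""Trusted Compute Pools scheduler filter with geo-tagging (added example)."""
import time
from dataclasses import dataclass, field


@dataclass
class AttestationService:
    """Constructed stand-in for the Open Attestation (OAT) server.

    A real trust filter asks OAT over HTTPS for each host's Intel TXT launch
    verdict; here the verdicts live in an in-memory table. The "geo" field is a
    hypothetical asset descriptor provisioned into the host's root of trust.
    """
    verdicts: dict                       # host -> {"trust_lvl": ..., "geo": ...}
    cache_ttl: float = 60.0              # seconds an attestation result is reused
    clock: object = time.time
    _cache: dict = field(default_factory=dict)
    calls: int = 0                       # round trips made to the service

    def attest(self, host):
        now = self.clock()
        hit = self._cache.get(host)
        if hit is not None and now - hit[1] < self.cache_ttl:
            return hit[0]
        self.calls += 1
        # Unknown hosts fail closed: no attestation record means not trusted.
        verdict = self.verdicts.get(host, {"trust_lvl": "unknown", "geo": None})
        self._cache[host] = (verdict, now)
        return verdict


class TrustedGeoFilter:
    """Passes a host only if it satisfies the trust and geo tags a flavor asks for."""

    def __init__(self, attestation):
        self.attestation = attestation

    def host_passes(self, host, extra_specs):
        want_trust = extra_specs.get("trust:trusted_host")
        want_geo = extra_specs.get("geo:country")       # hypothetical key
        if want_trust is None and want_geo is None:
            return True                  # flavor has no trust requirement
        verdict = self.attestation.attest(host)
        if want_trust is not None and verdict["trust_lvl"] != want_trust:
            return False
        if want_geo is not None:
            # A geo tag is only credible on a platform whose launch was attested.
            if verdict["trust_lvl"] != "trusted" or verdict["geo"] != want_geo:
                return False
        return True

    def filter_hosts(self, hosts, extra_specs):
        return [h for h in hosts if self.host_passes(h, extra_specs)]


def demo():
    """Constructed attestation table: three known compute nodes plus one unknown host."""
    oat = AttestationService({
        "node-1": {"trust_lvl": "trusted", "geo": "DE"},
        "node-2": {"trust_lvl": "untrusted", "geo": "DE"},
        "node-3": {"trust_lvl": "trusted", "geo": "US"},
    })
    f = TrustedGeoFilter(oat)
    hosts = ["node-1", "node-2", "node-3", "node-9"]
    return {
        "any": f.filter_hosts(hosts, {}),
        "trusted": f.filter_hosts(hosts, {"trust:trusted_host": "trusted"}),
        "trusted_de": f.filter_hosts(hosts, {"trust:trusted_host": "trusted",
                                             "geo:country": "DE"}),
        "untrusted": f.filter_hosts(hosts, {"trust:trusted_host": "untrusted"}),
        "oat_calls": oat.calls,          # cached verdicts are reused across flavors
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter for a defender: a host that the attestation service has never seen is treated as not trusted rather than as trusted by default, and the geo requirement is only honoured when the platform itself attested, since a location tag on an unmeasured host is just a string.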
  35. Key-Manager (architecture diagram)
      • Clients: OpenStack services (Swift / Cinder / Glance / Keystone), each with their own keys (Swift keys, Cinder keys, Glance keys, Keystone keys)
      • Key creation and storage: Random Number Generator (keys random), TPM, storage (master keys)
      • API: put(key-id, enc-key-str) → success; get(key-id) → enc_key_str
      • Stored record: <key-id, enc-key-str, descriptors>
      • Descriptors: creation-time, expire-time, num-uses, type: public/private/symmetric/unknown
      • Access: Swift authentication token grants access to Swift keys
      • (Encrypted) communication between services and the key manager; formatter: KMIP
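Slides 11 and 12 list the properties the key manager needs (random generation, keys encrypted under a master key, Keystone-based access control, audit logging of create/delete/use) and this backup slide gives the record shape `<key-id, enc-key-str, descriptors>` with put/get. The block below is an added example that puts those pieces together in one small service; it is not Barbican and uses no Barbican API. It is standard-library only, so the master-key wrapping uses HMAC-SHA256 in counter mode with a separate MAC (an encrypt-then-MAC stand-in for the AES cipher a real deployment would run on AES-NI), `secrets` stands in for the OS CSPRNG that Intel Secure Key would seed, and the "principal" argument stands in for the Keystone-authenticated project. The descriptor names follow the slide; the clock injection and all sample values are assumptions for the example.

```python
"""Minimal key-manager service shaped like the Key-Manager backup slide (added example)."""
import hashlib
import hmac
import secrets
import time
import uuid


class KeyManagerError(Exception):
    pass


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: a standard-library stand-in for the AES
    # cipher (Intel AES-NI accelerated) a real key manager would use.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(enc_key, mac_key, raw_key):
    """Encrypt-then-MAC a raw key: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(raw_key, _keystream(enc_key, nonce, len(raw_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(enc_key, mac_key, blob):
    """Verify the tag in constant time before decrypting; reject tampered records."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise KeyManagerError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManager:
    """create/get/delete over <key-id, enc-key-str, descriptors> with audit logging."""

    def __init__(self, master_key, clock=time.time):
        # Separate encryption and MAC keys derived from the one master key,
        # which in the slide's design lives in secure storage (TPM/HSM).
        self.enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self.store = {}          # key-id -> (enc-key-str, descriptors)
        self.audit = []          # (event, key-id, principal), in order
        self.clock = clock       # injectable so expiry can be tested

    def _log(self, event, key_id, principal):
        self.audit.append((event, key_id, principal))

    def create(self, principal, key_type="symmetric", length=32,
               ttl=3600, num_uses=None):
        # secrets draws from the OS CSPRNG, which Intel Secure Key (RDRAND)
        # feeds on supporting hardware: the slide's "true randomness" point.
        raw_key = secrets.token_bytes(length)
        key_id = str(uuid.uuid4())
        now = self.clock()
        descriptors = {"owner": principal, "type": key_type,
                       "creation-time": now, "expire-time": now + ttl,
                       "num-uses": num_uses}
        self.store[key_id] = (wrap_key(self.enc_key, self.mac_key, raw_key),
                              descriptors)
        self._log("create", key_id, principal)
        return key_id

    def get(self, principal, key_id):
        entry = self.store.get(key_id)
        if entry is None:
            raise KeyManagerError("no such key")
        blob, desc = entry
        # Access control: the authenticated principal must own the key.
        if desc["owner"] != principal:
            self._log("denied", key_id, principal)
            raise KeyManagerError("principal not authorised for key")
        if self.clock() > desc["expire-time"]:
            raise KeyManagerError("key expired")
        if desc["num-uses"] is not None:
            if desc["num-uses"] <= 0:
                raise KeyManagerError("key use count exhausted")
            desc["num-uses"] -= 1
        self._log("use", key_id, principal)
        return unwrap_key(self.enc_key, self.mac_key, blob)

    def delete(self, principal, key_id):
        _, desc = self.store.get(key_id, (None, None))
        if desc is None or desc["owner"] != principal:
            raise KeyManagerError("cannot delete key")
        del self.store[key_id]
        self._log("delete", key_id, principal)
```

Usage is `kid = km.create("cinder", ttl=600, num_uses=2)` followed by `km.get("cinder", kid)`; the third call with the same id fails on the exhausted use count, a different principal is refused and logged as `denied`, and a record whose ciphertext was altered in storage fails the integrity check before any key material is returned. Keys are only ever held in the clear inside `get`; what sits in `store` is the wrapped `enc-key-str`.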
  36. Implementation Example (ONP)
      Diagram: an ONP Switch links a controller and three ONP Servers; each server runs an OS / hypervisor with DPDK-accelerated Open vSwitch hosting virtual network functions:
      • Server 1: vEPC, CDN, CDN, Billing
      • Server 2: vEPC, vEPC, vEPC, Forecast
      • Server 3: vEPC, vEPC, CDN, Analytics