OpenNebulaConf 2016 - Security, Federation & Hybrid Hands-on Workshop by Carlos Martin, OpenNebula


In this 90-minute hands-on workshop, some of the key contributors to OpenNebula will walk attendees through the configuration and integration aspects of the federation, hybrid and authentication subsystem in OpenNebula. The session will also include lightning talks by community members describing aspects related to Security, Federation & Hybrid with OpenNebula:

- Deployment scenarios
- Integration
- Tuning & debugging
- Best practices

1. Carlos Martín, OpenNebula Software Engineer. Security, Federation & Hybrid Workshop. OpenNebulaConf 2016, 4th edition.

2. Agenda for the Workshop
- Infrastructure integration levels
  - Federation
  - Hybrid: OpenNebula - OpenNebula
  - Hybrid: OpenNebula - other technologies
- Security & Authentication

3. Federation

4. Data Center Federation Overview: what is OpenNebula Federation?
- Tightly coupled integration of 2 or more OpenNebula instances
- Each instance of the Federation is called a Zone
- One master and several slaves
- Zones share the user accounts, groups, and permissions configuration
- A vDC is a group of users with part of the physical resources (generally one or more clusters belonging to one or several zones) assigned to them
- Seamless for cloud users: ability to switch the active Zone in Sunstone

5. Data Center Federation: let's see a demo!

6. Under the Hood: Inner Workings of Federation
- Master and slaves share DB tables: users, groups, ACL rules, zones
- Only the master writes to the shared tables
- Slaves keep a read-only local copy and proxy write operations to the master
- Sync is achieved by configuring MySQL to replicate only certain tables
- Performs well over long-distance / poor-quality connections
- If the master zone fails, slaves continue to work, except for writes to the shared tables such as new user creation or password updates
- Slaves can be added at any moment (imported or new)
- Support for different OpenNebula versions
- The Sunstone server is connected to all the oned daemons in the Federation
- One Sunstone for the entire Federation, or one Sunstone per Zone

7. Architecture

8. Configuration
- Enable Federation Mode = Master in the master's oned.conf
- Define the master's xmlrpc endpoint: onezone update 0
- Create a zone for every slave (name and endpoint)
- Importing from an existing slave: onedb import-slave
- Select a merging policy for users present in both databases:

      +----------+-------------++------------+---------------+
      | Master   | Slave       || With merge | Without merge |
      +----------+-------------++------------+---------------+
      | 5, alice | 2, alice    || 5, alice   | 5, alice      |
      | 6, bob   | 5, bob      || 6, bob     | 6, bob        |
      |          |             ||            | 7, alice-1    |
      |          |             ||            | 8, bob-1      |
      +----------+-------------++------------+---------------+

- Configure MySQL replication on master and slave
- Copy the auth directory from the master to the slaves: /var/lib/one/.one_auth
9. Hybrid OpenNebula - OpenNebula

10. Hybrid Cloud Computing (Cloud Bursting)
- VMs can be local or remote
- VM connectivity has to be configured, usually with VPNs
- External clouds are like any other host
- Placement constraints
- Hybrid cloud drivers

11. Hybrid Drivers: NEW!

12. Installation
- New drivers are available as an addon
- Install and enable the drivers in oned.conf
- Configure the remote user credentials
- Add the hybrid host
- Fully supported in Sunstone!

13. Hybrid: OpenNebula - OpenNebula: let's see a demo!

14. Configuration
- Several hybrid OpenNebulas are supported
- Limit CPU and MEMORY with quotas
- The admin can define:
  - access to the physical infrastructure
  - access to VM Templates

15. Hybrid OpenNebula - vCloud. Jordi Guijarro, Cloud & Security Manager, CSUC

16. Security & Authentication
17. Authentication Drivers: User Authentication Drivers
- Can be used to:
  - Allow/deny access
  - Automatically create OpenNebula users (there is no need to import and sync LDAP users, for example)
- Each user can have a different authentication driver
- The oned xml-rpc protocol remains untouched: seamless integration with CLI, OCA, Sunstone...
- Even with external authentication, OpenNebula user objects are needed to keep track of resource ownership, usage, and quota limits
- OpenNebula caches successful authentication tokens for a while to reduce the driver workload. This can be adjusted or disabled in oned.conf
- A default driver can be configured for unknown usernames

18. Authentication Drivers: Authentication driver scripts
- authenticate
  - From the session string "username:secret", returns 0 or -1 to grant or deny access
  - New usernames will be added as OpenNebula users if the driver prints 'drivername username password' to stdout
  - New in 5.2! The driver can return the list of groups the user belongs to, and the OpenNebula user's group list is updated. You can manage group membership in your LDAP and OpenNebula will mirror the changes
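A minimal authenticate driver that follows the contract on this slide, written here as an added example and not OpenNebula's own driver code. It assumes the session string arrives as the first argument, that the group names follow the password on the stdout line, and that the driver name 'demo' and the user directory are constructed stand-ins for a real backend such as LDAP.

```ruby
#!/usr/bin/env ruby
# Added example, not OpenNebula's shipped driver code: a minimal custom
# "authenticate" driver that follows the contract on the slide.
#   in : the session string "username:secret" (assumed to arrive as ARGV[0])
#   out: exit status 0 (grant) or -1 (deny); on grant, one stdout line
#        "drivername username password [group ...]" so that oned can create
#        the user and, on 5.2+, mirror the group list (output layout assumed).
require 'digest'

DRIVER_NAME = 'demo' # hypothetical driver name

# Constructed stand-in for the external directory (LDAP in a real setup).
# Only a salted SHA-256 of each secret is kept; never the secret itself.
DIRECTORY = {
  'alice' => { salt: 'c1', digest: Digest::SHA256.hexdigest('c1' + 's3cret'),  groups: %w[production] },
  'bob'   => { salt: 'c2', digest: Digest::SHA256.hexdigest('c2' + 'hunter2'), groups: %w[development] },
}.freeze

# Constant-time comparison: the timing of a mismatch must not reveal how
# many leading bytes of the digest were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns [status, stdout_line]; stdout_line is nil when access is denied.
def authenticate(session)
  username, secret = session.to_s.split(':', 2)
  return [-1, nil] if username.nil? || username.empty? || secret.nil?

  entry = DIRECTORY[username]
  return [-1, nil] unless entry # unknown user: deny (oned may try its default driver)

  candidate = Digest::SHA256.hexdigest(entry[:salt] + secret)
  return [-1, nil] unless secure_equal?(candidate, entry[:digest])

  # The "password" oned stores for an externally authenticated user is only an
  # identifier for this driver (like the DN in the LDAP driver), not the secret.
  external_id = "uid=#{username}"
  [0, ([DRIVER_NAME, username, external_id] + entry[:groups]).join(' ')]
end

if __FILE__ == $0 && !ARGV.empty?
  status, line = authenticate(ARGV[0])
  puts line if line
  exit status
end
```

Run it as `ruby authenticate 'alice:s3cret'`; the exit status is what oned acts on, and the printed line is what it would use to create or update the user.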
19. Login Tokens. Admins have many hats! Tell OpenNebula the one that's on your head
- What is it?
  - A temporary password with an expiration date
  - New in 5.2! A token can have an effective group
- Effective group
  - Filters all resources to show the ones in the defined group. For instance: focus your work on group 'production' or 'development'

20. Authentication in Sunstone
- Basic user / password
- x509 certificates, managed by the browser
- Remote auth: do not miss the user workshop on Wednesday, "OpenNebula Sunstone integration with FreeIPA using Single Sign On", Álvaro Simón, Ghent University

21. OpenNebulaConf 2016, 4th edition. Platinum / Gold / Silver / Community. THANKS!

22. Sample Colored Text Boxes: Virtual Network Definition
- Address space (multiple, disjoint ranges)
  - IPv4
  - IPv6 (Global & ULA)
  - Ethernet - MAC addresses
- Security Groups
  - Managed as a separate entity
  - Inbound & Outbound, TCP/UDP/ICMP
- Custom Tags
- Configuration & Physical Attributes
  - Network specific (e.g. BRIDGE, VLAN_ID)
  - VM Context (e.g. DNS, GATEWAY)

23. Sample Text Boxes: Virtual Machine Configuration (L3 - L4 - L5)
- Context CD-ROM ISO with network information
- Stock guest packages include support for IP, GATEWAY, DNS, NETWORK_MASK, but are easily extensible
- NFV is neither imposed nor required (e.g. a DHCP server per net) but is supported. Require as little as possible, accommodate any topology