By using OVN (Open Virtual Network), you can build a virtual network that spans multiple servers (hypervisors/chassis) running OVS (Open vSwitch).
These slides are notes on the logical network configuration and sample settings built with OVN.
Using OVN, you can build a logical network across multiple servers (hypervisors/chassis) running OVS (Open vSwitch).
This slide deck describes, as a how-to example, an OVN configuration that creates 2 logical switches connecting 4 VMs running on 2 chassis.
Open vSwitch is an open source virtual switch software that is compatible with the Linux standard bridge. The presentation will provide an overview of Open vSwitch, how to use its basic functions such as setting up bridges and ports, and its data structure that is managed in an ovsdb database.
Deep Dive into Keystone Tokens and Lessons Learned (Priti Desai)
Keystone supports four different types of tokens, UUID, PKI, PKIZ, and Fernet. Let’s take a deep dive into:
Understanding token formats
Pros and Cons of each format in Production
Performance across multiple data centers
Token revocation workflow for each of the formats
Horizon usage of the different token types
We previously deployed UUID and PKI in Production and are now moving towards the latest format, Fernet. We would like to share our lessons learned with different formats and help you decide on which format is suitable for your cloud.
Keystone is the identity service for OpenStack. It handles authentication, authorization, and managing service catalogs and endpoints. Keystone provides a user directory and authentication mechanism for other OpenStack services to use. It supports user management, project/tenant isolation, role-based access control and token validation. Keystone uses pluggable backends like SQL, LDAP or Memcached to store user and credential data.
This document provides an overview of Keystone, the OpenStack identity service. It discusses key Keystone concepts like projects, domains, actors (users and groups), service catalogs, and identity providers. It also covers token types in Keystone including UUID, PKI, and Fernet tokens. The document outlines Keystone's architecture and APIs. It describes how tokens are used to authenticate to OpenStack services and how the service catalog provides endpoint information. Troubleshooting tips are also provided like checking Keystone logs and enabling debug output.
The document discusses the components of OpenStack Nova and their roles. It describes nova-api, nova-conductor, nova-scheduler, and nova-compute.
Nova-api handles user requests and initiates orchestration activities. Nova-conductor acts as an intermediary between the database and compute nodes. Nova-scheduler determines which compute node to place new instances on. Nova-compute runs on compute nodes and creates/terminates VMs using hypervisor APIs.
A decorator function is a function that can modify or extend the behaviour of another function.
Decorator functions are mainly used for the following purposes:
- performing additional actions such as logging and metrics collection
- exception handling
- permission checks
- testing purposes
In OpenStack, decorator functions are mainly used as follows:
Keystone is the OpenStack identity service that provides user, project and service catalog management. It implements the OpenStack Identity API. Keystone has four internal services - Identity, Token, Catalog and Policy. It uses a pluggable backend architecture that allows different storage backends. Keystone provides authentication for users and services in OpenStack and maps users to their authorized projects and roles.
DMM runs one of the largest video streaming services in Japan.
Responding to diversifying needs and demands for higher quality has recently become urgent, so we are renewing the video delivery platform. To break the monolithic system into microservices, we use Ruby on Rails, AngularJS and Go. In this session we give an easy-to-follow explanation of the architecture and the development flow.
Windows Server and Docker - The Internals Behind Bringing Docker and Containe... (Docker, Inc.)
Docker leverages capabilities in Linux like namespaces and cgroups to enable containers and then builds tooling on top to enable users to build distributed apps. A common question is "What about Docker support for Windows?" In this session the Windows engineering leads will dive deep into the primitives within Windows to enable an awesome Docker experience on Windows. This session will also include a live demo of Docker and Windows Server.
OpenStack is an open source cloud operating system that provides on-demand provisioning of compute, storage, and networking resources. It consists of several interconnected components that are managed through a dashboard interface. The key components include Horizon (dashboard), Keystone (authentication), Swift (object storage), Glance (image repository), Nova (compute), Quantum (networking), and Cinder (block storage). Nova is responsible for running virtual machine instances by retrieving images from Glance and scheduling instances on compute hosts using the Nova scheduler. The Nova scheduler uses filters and weights to determine the most suitable host for an instance based on availability, capabilities, and load.
This document summarizes a presentation about React Native given at DroidKaigi 2017. It discusses how React Native allows building native Android and iOS apps using React by rendering UI components to native platform views. It describes how React Native maps React components to native platform views, implements native modules to access platform features, and uses the JavaScript bridge to allow calling native code from JavaScript. It highlights how React Native enables writing once and deploying to both Android and iOS with shared JavaScript code.
"Introduction to OpenStack Deployment and Verification Case Studies" NTT DOCOMO verification case study: OpenStack Summit 2014 Paris talk "Design and Operation of OpenStack Cloud on 100 Physical Servers (NTT DOCOMO)" (VirtualTech Japan Inc.)
Instructor: 伊藤 宏通 (CTO, VirtualTech Japan Inc.)
This presents, in Japanese, the content of the talk given the other day at OpenStack Summit 2014 Paris.
You will face many problems when you start designing your OpenStack Cloud because of a lack of full design architecture information. For example, there are many Neutron plugins, but it is difficult to choose the best plugin and its configuration to get a high throughput of a Virtual Machine (VM) and achieve a High Availability (HA) of L3 Agent. Also, we couldn’t find information for how much computing resource (CPU, Memory and HDD) is required for management and operation servers (e.g. API, RabbitMQ, MySQL and Monitoring etc.).
We built OpenStack Icehouse Cloud on 100 physical servers (1600 physical cores) without using commercial software, and did several performance and long-run tests to address these problems.
In this talk, we will present a performance comparison of Neutron ML2 plugin implementations (Open vSwitch and Linux Bridge), tunnelling protocols (GRE and VXLAN) and physical network configurations (Network Interface Bonding and Server Side Equal Cost Multi Path) to achieve 10Gbps at a VM, and the L3 Agent HA we implemented. Also, we will present how much computing resource we used and each server's load to operate the cloud. Finally, we will share our Ansible based OpenStack deployment and management tool.
Key topics include:
- Performance comparison of OSS Neutron ML2 plugins (Open vSwitch and Linux Bridge) and tunneling protocols (GRE and VXLAN)
- Performance comparison of redundant network configurations (Network Interface Bonding and Server Side Equal Cost Multi Path)
- HA of L3 Agent (ACT/STBY) we implemented
- Ansible based deployment/operation tools
- Items we must watch for OpenStack operation
- Hardware specifications and resources we used to operate the Cloud
We will share a full design architecture and hardware sizing information for a large scale cloud and prove OSS based Neutron can handle a hundred servers.
2. My material
This material is my own digest of the OpenStack Summit Austin session
“Get Ready for Fernet Tokens” (https://www.youtube.com/watch?v=702SRZHdNW8&feature=share),
summarized around the following points:
● "Why is it needed?"
● "What is a Fernet token?"
● "How is it actually used? (user case studies)"
[Reference] Articles on Fernet tokens consulted in addition to the session above:
OpenStack Tokyo Summit http://www.slideshare.net/priti_desai/deep-dive-into-keystone-tokens-and-lessons-learned
IBM Open Tech blog https://developer.ibm.com/opentech/2015/11/11/deep-dive-keystone-fernet-tokens/
OpenStack Wiki FAQ http://docs.openstack.org/admin-guide/keystone_fernet_token_faq.html
7. Fernet Token Validation
Diagram (slide): the Operator runs keystone-manage (fernet_setup / fernet_rotate) to populate the fernet key repository; the User presents a fernet token to Keystone. Keystone then:
● gets the key for encryption/signing from the (local) key repository
● decrypts the token
● determines the version from the payload (what scope)
● disassembles the payload (user id, project id, ...)
● checks: Expired? or Revoked?
● If error: Token is invalid; otherwise: Token is valid
8. Life of encryption key
● User information and the like is embedded in the token, but because it is encrypted, user information does not leak even if the token leaks
○ A Fernet key is 256 bits (128-bit encryption part / 128-bit signing part)
○ Changing the key periodically raises the level of security
● There is a mechanism that rotates the key so that it is changed periodically.
9. Life of encryption key on Cluster
Diagram (slide): three nodes (node1, node2, node3), max_active_keys = 3. Key lifecycle:
Staged Key: next primary key
↓
Primary Key: encrypt and decrypt
↓
Secondary Keys: decrypt only
↓
Remain or Delete
(1) Key generation on node1: keystone-manage fernet_setup (creates a Staged key and a Primary key)
(2) Key copy to node2 and node3 (rsync/orchestration tool)
10. Life of encryption key on Cluster
Diagram (slide), continuing the same key lifecycle with max_active_keys = 3:
(3) Key rotation on node1: keystone-manage fernet_rotate (the previous Primary becomes Secondary, the Staged key becomes Primary, and a new Staged key is created)
(4) Key copy to node2 and node3 (rsync/orchestration tool), so that every node holds the same Staged, Primary and Secondary keys
11. Feedback from Time Warner Cable's deployment (1/2)
● Environment
○ Multi Region (Galera Cluster)
○ Deployed with docker (unclear whether all or only part)
○ Liberty Keystone + mixed versions of the other services
○ Using Fernet tokens since July 2015
● Playbook used for the Keystone upgrade
○ https://github.com/matthewfischer/ansible/tree/master/keystone-upgrade
● In Liberty, the switchover is possible with a few seconds of downtime
● The Fernet token format changed between Kilo and Liberty
○ Those on Kilo are better off waiting until Liberty
● keystone-manage is not used for key rotation
○ Keys are put into EYAML (encrypted YAML) and distributed with Puppet
○ Key changes are reviewed in Gerrit
■ The purpose is not checking the key format, but avoiding Over Rotation
● Over Rotation means that the key needed to decrypt a token is lost through rotation before the token expires
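The key lifecycle of slides 8 to 10 (staged → primary → secondary → deleted, bounded by max_active_keys), the validation decisions of slide 7, and the over-rotation failure mode defined on this slide can all be played through in a small simulation. The block below is an added example written for these notes; it is not code from the slides, from the session, or from Keystone itself. It assumes: keys are random byte strings standing in for real Fernet keys, tokens are plain records that remember the index of the key that encrypted them (no real encryption is done), the index layout follows the documented repository convention (staged key at index 0, primary at the highest index), and the lower bound on max_active_keys is the relationship given in the OpenStack Fernet FAQ linked on slide 2 (token expiration divided by rotation interval, plus 2).

```python
"""Simulation of the Fernet key repository lifecycle and of "over rotation".

Added example for these notes, not Keystone's own code.  Assumptions: keys are
random bytes instead of real Fernet keys; a token only records which key index
"encrypted" it; index 0 is the staged key and the highest index is the primary.
"""
import math
import secrets

STAGED = 0  # staged key lives at index 0 in the repository


def fernet_setup():
    """Mirror of `keystone-manage fernet_setup`: a staged key (0) and a primary key (1)."""
    return {STAGED: secrets.token_bytes(32), 1: secrets.token_bytes(32)}


def primary_index(repo):
    """The primary key is the one with the highest index."""
    return max(repo)


def fernet_rotate(repo, max_active_keys):
    """Mirror of `keystone-manage fernet_rotate` (returns a new repository).

    1. the staged key (0) is promoted to primary (highest index + 1)
    2. a fresh staged key is generated at index 0
    3. the oldest secondary keys are deleted until len(repo) <= max_active_keys
    """
    new = dict(repo)
    new[primary_index(new) + 1] = new.pop(STAGED)   # staged -> primary
    new[STAGED] = secrets.token_bytes(32)           # new staged key
    while len(new) > max_active_keys:               # "Remain or Delete"
        oldest = min(i for i in new if i != STAGED)
        del new[oldest]
    return new


def issue_token(repo, issued_at, expiration):
    """A token is 'encrypted' with the current primary key and expires after `expiration`."""
    return {
        "id": secrets.token_hex(8),
        "key_index": primary_index(repo),
        "issued_at": issued_at,
        "expires_at": issued_at + expiration,
    }


def validate_token(token, repo, now, revoked=frozenset()):
    """Decision flow of slide 7: decrypt, then Expired?, then Revoked?."""
    if token["key_index"] not in repo:
        return "invalid: no key to decrypt (over rotation)"
    if now >= token["expires_at"]:
        return "invalid: expired"
    if token["id"] in revoked:
        return "invalid: revoked"
    return "valid"


def min_active_keys(token_expiration, rotation_interval):
    """Lower bound from the Fernet FAQ: token_expiration / rotation_interval + 2
    (staged + primary + enough secondaries to outlive the longest-lived token)."""
    return math.ceil(token_expiration / rotation_interval) + 2


def simulate_worst_case(max_active_keys, token_expiration, rotation_interval):
    """Issue a token immediately before a rotation, keep rotating on schedule while
    the token is live, and report how it validates just before it expires."""
    repo = fernet_setup()
    token = issue_token(repo, issued_at=0, expiration=token_expiration)
    rotation_time = 0                                # first rotation right after issue
    while rotation_time < token_expiration:
        repo = fernet_rotate(repo, max_active_keys)
        rotation_time += rotation_interval
    return validate_token(token, repo, now=token_expiration - 1)


if __name__ == "__main__":
    # 24h token lifetime, rotation every 12h (constructed values)
    print("needed:", min_active_keys(24, 12))
    for keys in (3, 4):
        print(f"max_active_keys={keys}:", simulate_worst_case(keys, 24, 12))
```

Run stand-alone, the script shows that with tokens valid for 24 hours and a rotation every 12 hours, max_active_keys = 3 loses the decryption key for a token issued just before a rotation (exactly the Over Rotation this slide describes), while the FAQ's value of 4 keeps every live token decryptable. The same functions can be pointed at a site's own expiration and rotation settings before the rotation job is scheduled, whether that job is keystone-manage or, as in the Time Warner Cable case, a Puppet-distributed key set.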