Introduction To OpenStack Private Cloud - Cdn.ttgtmedia


Introduction to OpenStack Private Cloud

In this e-guide:
Get your head in the cloud: Intro to OpenStack components
Navigating the OpenStack services maze
Overcome the most pressing OpenStack security challenges
Getting more PRO exclusive content

As the private cloud market is heating up, there are two clear players leading the way: VMware and OpenStack. However, due to the VMware tax, along with rising performance issues, many IT professionals are flocking to the attractive, lower-cost alternative.

In this exclusive e-guide, find out what sets OpenStack apart from its competitors, how to find out which OpenStack cloud service is right for your organization, and the steps to take to overcome its common security challenges.

Get your head in the cloud: Intro to OpenStack components
rget.com/tip/Get-your-head-in-the-cloud-Intro-to-OpenStack-components

As more and more businesses consider the different options for a private cloud platform, it's important to know what distinguishes open source OpenStack from other popular cloud computing software on the market. In this article, I will attempt to explain what OpenStack is and what it is not, and explore some essential OpenStack components without getting bogged down in technical details.

The OpenStack ecosystem

OpenStack is very similar to Amazon EC2 in that both platforms allow users to provision VMs from a dashboard or API. The key difference between these products -- other than the fact that OpenStack is free -- is that Amazon EC2 is a public cloud service, while OpenStack allows you to build your own private cloud or subscribe to an OpenStack public cloud vendor.

OpenStack is not a hypervisor, but it is designed to work with a number of different hypervisors. Users have the option of deploying a hypervisor on the machine or an OS that has a built-in hypervisor, like Linux KVM. With the OpenStack bare-metal provisioning project, Ironic, users can push VMs onto bare-metal servers.

There are many OpenStack components, some of which I've listed below:

Horizon (dashboard) provides a Web-based user interface for OpenStack services.

Nova (compute) includes the controller and compute nodes. These fetch VM images from OpenStack's image service and create a VM on the target server. There are different APIs for different platforms, such as XenAPI, VMwareAPI, libvirt for Linux KVM or QEMU, API for Amazon EC2 and Microsoft Hyper-V.

Neutron (networking) creates virtual networks and network interfaces, and attaches to many proprietary vendor networking products.

Swift (object storage) operates like Amazon S3, meaning individual objects, like an image, are retrieved using REST Web services.

Cinder (block storage) includes disk files, like logs and more. Compared to object storage, which only allows you to replace files, block storage allows you to append files.

Keystone (identity storage) grants users and processes access to different OpenStack tools based on an authentication token that Keystone generates.

Glance (image service) generates VM images. This is where the idea of OpenStack as a cloud operating system really manifests itself: Since images can be all kinds of VMs, this means there will be many different versions across different platforms, all dispatched from a common source. Glance is the catalogue of VMs you have uploaded and made available to your organization.

Trove (database server) provides support for different databases.


OpenStack components use different variations of MySQL databases, message queue servers and Python to carry out their work. OpenStack even gives you a Python command-line interface (CLI). I've included some sample commands below to help get you started.

You can use the following command to download Keystone from public Linux repositories:

    apt-get install keystone python-keystoneclient

To then create users on Keystone, use the command shown below:

    keystone user-create --name Sam --description "Sam"

To list VM images with Nova, enter the following command:

    nova image-list

To open a Python shell, type "python" and then a command such as the one below:

    from keystoneclient.v2_0 import client

You can then start creating users and granting permissions, one interpreted command at a time.

Not familiar with Python? Never fear -- OpenStack gives you the option of using either the Python CLI or the point-and-click dashboard.

OpenStack as an open source platform

Rackspace and NASA developed OpenStack and then gave it away as an open source platform. This, of course, means any programmer may write new routines or fix existing ones and then view those changes in the source code with GitHub. Most OpenStack contributors work for big corporate sponsors, such as Rackspace. Another major sponsor, PayPal, uses OpenStack to power its platform.

There are numerous OpenStack projects, many of which are specialty projects, such as bare-metal installations. Most users don't even need the OpenStack source code, as OpenStack is available through compiled Python packages, which can be installed with the apt-get tool.

If you're interested in learning more about OpenStack or testing out OpenStack components, OpenStack offers a development version. So turn your architects and programmers loose on OpenStack -- or try it out yourself -- to see how it might fit into your organization.

To get started, you can follow our written set of instructions for installing OpenStack on a single Ubuntu desktop. Or, you can use Canonical's OpenStack Autopilot wizard to deploy OpenStack on.

Navigating the OpenStack services maze
/Navigating-the-OpenStack-services

For IT staff looking to deploy cloud, OpenStack offers a lot of options. The open source cloud platform has a broad set of features, many of which can help organizations meet their cloud needs. But deciding which, out of the more than 25, OpenStack services will best suit your cloud environment can be tough.

Adding to the confusion are the hundreds of vendors that support OpenStack, offering a variety of distributions and additional tools and features. Meanwhile, hybrid cloud adoption makes all of this more complex and exciting. In addition to the challenges of building an OpenStack-based private cloud, hybrid cloud introduces new hurdles, such as bridging servers, networks and storage across cloud environments.

Matching the right OpenStack services to your cloud needs

Let's tackle the simpler task first -- building a private cloud with OpenStack. The first issue admins face is choosing from the wide range of OpenStack cloud services available. Luckily, OpenStack has released a tool, called Project Navigator, that helps organizations determine which OpenStack services they need to build a cloud for a particular use case, such as Web serving.

The Navigator pulls together a dashboard of status information on each OpenStack project module. It also shows project maturity, which is essential, since new modules are added regularly. The tool breaks out OpenStack services into six core modules that all OpenStack clouds should use, and then optional services for specific cloud use cases.

This categorization is likely to change over time, as more of these "optional" services reach full maturity. At that point, more OpenStack services -- such as the Horizon Dashboard, Heat Orchestration, Magnum Containers, Congress Governance and Barbican Key Management -- may enter the core service pack.

By providing details on OpenStack services, Navigator helps admins make decisions about specific workloads or use cases -- but OpenStack configuration help doesn't stop there. There are also sample OpenStack configurations aimed at making sandboxes easy to implement. These sample configurations are based on the experience of major OpenStack contributors, such as CERN.

Using OpenStack services for hybrid cloud

For reasons such as cloud bursting or backup, most organizations want to use both private and public cloud. So, while Navigator is an excellent way to kick-start a private cloud implementation, it might not be enough for hybrid deployments.

When you cut through all the hype, it's still more difficult to build a hybrid cloud than it is to deploy a private or public cloud separately. This is because hybrid cloud requires networking structures that cut across the boundary between public and private, as well as storage systems that are positioned to get performance from either.

These concepts are still in their early days, and pose some fundamental challenges. For instance, slow wide area network speeds make it difficult for public cloud instances to read data in private clouds. What's more, some larger enterprises split their private cloud deployment into different geographic zones, which have to be federated together with public cloud zones.

For an OpenStack hybrid cloud, it's essential to bridge VLANs between cloud environments, while maintaining security and authentication. There are some technologies, such as OpenContrail, that can help.

Despite the challenges, there are still options for creating a hybrid cloud with OpenStack services. For instance, some organizations use OpenStack and Amazon Web Services (AWS), as OpenStack Heat scripts are very similar to AWS scripts.

The future of hybrid cloud will evolve with software-defined infrastructure (SDI). SDI plays to the advanced orchestration that will bind federated cloud segments together. With the control plane services abstracted in SDI, it is possible to build higher-level APIs to allow seamless cloud-to-cloud operation.

We are still some time away from having a fully automated orchestration process that handles apps and data, as well as platforms. This is one of the most interesting parts of the cloud evolution and it's getting plenty of focus from developers. As a result, using OpenStack services in a hybrid cloud environment should become less painful over time.

Overcome the most pressing OpenStack security challenges

OpenStack adoption continues to grow, with major companies including PayPal, Walmart, eBay and AT&T now using the open source cloud platform. But like any new technology, committing to OpenStack can introduce potential security risks, such as the recently discovered Secure Sockets Layer vulnerability. And while OpenStack has created a Vulnerability Management Team, along with a 200-page guide to OpenStack security, to protect against these risks, it's still important for users to build their own OpenStack security strategy.

Building a cloud is not the same as creating a traditional IT cluster. For instance, the number of sockets needed to support the scalability of a large cloud deployment can introduce certificate management issues that slow down operations. And with OpenStack, the range of cloud services is broad, including messaging queues, access and configuration policies, logging services and various other modules.

In many ways, the world of cloud security is different than traditional firewall management, switch and router control and load balancers. The cloud flattens the network topology, and almost everything is virtual. In addition, the number of security tokens can be staggering, authentication certificates can run into the many thousands and the number of sessions being generated in Secure Sockets Layer is much higher. Any one of these components can create a vulnerability point.

Exploring the top OpenStack security challenges

With OpenStack, the cloud security challenge is compounded because the technology is a work in progress. Some of the tools have deficiencies that need to be addressed. For instance, Horizon, the OpenStack dashboard, is missing two-factor authentication. Horizon is a Web-based solution that is both admin and tenant-facing. It's a powerful tool for managing cloud resources, but any vulnerability could impact a large number of users, making this a hot target for hackers. Keystone, the OpenStack authentication service, is pluggable for multiple forms of authentication, so an admin setting up this module should aim for the most robust system possible.

There are other OpenStack security factors to consider. For example, because of OpenStack's modularity, log structures vary, which makes it difficult to prove compliance and secure operations during an audit. While the audit process for any cloud can be a challenge, it should be done regularly. For OpenStack, an audit should involve validating Keystone's integrity, and looking at patching and levels for code and policies. Log mining using Splunk or other tools makes it easier to audit log activities, though monitoring capabilities, such as those provided by a dashboard like CERN's Lemon, are also useful. Tools like Puppet can also help simplify deployments.

Best practices for OpenStack security

When deploying an OpenStack-based cloud, there are general best practices organizations can follow to protect their environment from threats.

For instance, because there are many OpenStack authentication certificates, it's tempting to give them long lifespans, but with a flattened system like OpenStack, it is dangerous to do so; a single security failure can lead to wide exploits. It's a best practice to keep certificate lifespans as short as possible.

In addition, most OpenStack operations are driven by policies. At low and medium scale, this is easy to manage, but at a larger scale, it's difficult to maintain consistent policy levels across all instances. The rapid pace of evolution within the OpenStack module family makes manual management difficult, so use a protocol management tool to avoid errors. Exploits that attack clusters by looking for down-level services are common, and as future policies start to control software-defined infrastructures as well as instance management, we can expect this to become even more fertile ground for hackers.
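One way to check the policy consistency described above, as an added example that is not part of the original e-guide or of OpenStack's own code. It assumes each node's policy is a flat JSON mapping of rule name to rule string in the oslo.policy style; the node names and rule sets are constructed sample data.

```python
import hashlib
import json

# Constructed sample data: node names and rule sets are illustrative only.
BASELINE = {
    "admin_required": "role:admin",
    "identity:create_user": "rule:admin_required",
    "identity:list_users": "rule:admin_required",
    "identity:delete_user": "rule:admin_required",
}
NODES = {
    "controller-1": dict(BASELINE),
    # Drifted: one rule opened to every caller, one rule missing.
    "controller-2": {
        "admin_required": "role:admin",
        "identity:create_user": "rule:admin_required",
        "identity:list_users": "",
    },
    # Drifted: an extra rule the baseline never defined.
    "controller-3": dict(BASELINE, **{"identity:get_user": "@"}),
}

# Assumption: in oslo.policy-style rules, "" and "@" always allow.
ALWAYS_ALLOW = {"", "@"}


def fingerprint(policy):
    """Stable hash of a policy, independent of key order and whitespace."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_policy(baseline, policy):
    """Return how one node's policy differs from the approved baseline."""
    missing = sorted(set(baseline) - set(policy))
    extra = sorted(set(policy) - set(baseline))
    changed = sorted(k for k in set(baseline) & set(policy)
                     if baseline[k] != policy[k])
    # Rules that deviate from the baseline AND admit any caller.
    opened = sorted(k for k in changed + extra if policy[k] in ALWAYS_ALLOW)
    return {"missing": missing, "extra": extra,
            "changed": changed, "opened": opened}


def audit(baseline, nodes):
    """Map node name -> drift report, only for nodes that deviate."""
    want = fingerprint(baseline)
    return {name: diff_policy(baseline, pol)
            for name, pol in sorted(nodes.items())
            if fingerprint(pol) != want}


if __name__ == "__main__":
    for node, report in audit(BASELINE, NODES).items():
        print(node, json.dumps(report, sort_keys=True))
```

The "opened" list is the part to alert on first: it separates a rule that merely differs from the baseline from one that now admits any caller.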

Organizations should ensure that access to the OpenStack control plane is restricted and well protected. The data plane is another matter; encrypt all data at the source and maintain that encryption at rest.

Despite potential risks, an OpenStack private cloud can have security advantages over the public cloud. Generally, access to the private cloud is much more restricted, and organizations can deploy detection tools, such as those for file and deep packet inspection, data loss prevention and intruder detection, to improve security.

Still, given all the challenges of multi-tenancy, most public cloud providers have developed an aggressive security approach that can lend best practices and tools to the OpenStack community. The maturity of public cloud providers like Amazon Web Services (AWS) and Azure means they've already fought, and won, many hacker attacks.

OpenStack security is maturing fast. It should end up at the same level as all three major public clouds -- AWS, Azure and Google -- and benefit from being deployed in private environments, where additional tools can restrict data access.

Getting more PRO exclusive content

This e-guide is made available to you, our member, through PRO Offers—a collection of free publications, training and special opportunities specifically gathered from our partners and across our network of sites.

PRO Offers is a free benefit only available to members of the TechTarget network of sites.

Take full advantage of your membership by visiting http://pro.techtarget.com/ProLP/

Images; Fotolia

2016 TechTarget. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher.
