- OpenStack Cloud Security
- Fabio Alessandro Locati
- 2021-07-16 13:28:19
The OpenStack structure
OpenStack is an orchestration suite for building clouds, mainly focused on Infrastructure as a Service (IaaS) solutions. OpenStack has multiple components, each providing one piece of the cloud. As I write, the latest stable OpenStack release is Juno, which has the following components:
OpenStack Compute Service – Nova
Computing is one of the core parts of any IaaS solution, and of OpenStack as well. Nova is also one of the two oldest modules of OpenStack, since it has been part of the project since its first version, Austin, released in October 2010. Nova derives from NASA's Nebula platform.
Nova is the cloud computing fabric controller: it is designed to manage and automate pools of compute resources and can work with many hypervisors, such as KVM, VMware, and Xen.
It is written in Python and uses many external libraries. Nova was created with horizontal scalability in mind; in fact, it is able to scale horizontally on commercial off-the-shelf (COTS) hardware. This keeps hardware costs down and makes it easy to integrate legacy hardware.
Starting from the Havana release, Nova has been able to run Docker containers directly, but due to some continuous-integration problems, this feature will be in the main source tree only from the Kilo release.
Nova can be compared to Amazon's Amazon Elastic Compute Cloud (EC2). As for the Docker addition in Kilo, Amazon provides the AWS Elastic Beanstalk service.
OpenStack Object Storage Service – Swift
The other component available since the first release of OpenStack is Swift, a scalable, redundant storage system. Swift was originally developed by Rackspace Hosting, building on Rackspace's own expertise, to create and run the Rackspace Cloud Files service. Currently, SwiftStack leads the development of Swift.
Swift is an object store that protects the durability and integrity of data by writing each object to multiple disks spread across the nodes of the cluster. Swift can also manage multiple regions for the same pool, so it is possible to keep real-time, off-site replicas of data and prevent data loss if the main region fails.
By design, Swift, like Nova, is built for horizontal scalability and runs on COTS components.
Swift can be compared to Amazon's Amazon Simple Storage Service (S3).
OpenStack Image Service – Glance
Glance was added in the second release of OpenStack (Bexar) and has improved greatly since its first version. Glance stores disk and server images so that users can run multiple identical servers without having to reconfigure each one.
The purpose of Glance is to help you manage Nova images in a simpler and more efficient way: Glance lets you use images as templates for new instances and take snapshots and backups of running instances.
Glance is not itself a storage service for those images; it can rely on several storage backends, such as the OpenStack Object Storage Service. Because of this, Glance integrates easily with an existing storage architecture and can hold as many images as the free space in the backend storage allows.
Glance provides a REST API through which other components can (indirectly) manage machines, images, and templates.
Glance can be compared to Amazon's Amazon Machine Image (AMI) system.
OpenStack Dashboard – Horizon
Horizon is the OpenStack dashboard; it lets users handle OpenStack resources without command-line access. Horizon was added in Essex, the fifth release of OpenStack.
Horizon is a web interface for OpenStack, and all components of OpenStack can be managed from it. End users can access their account and manage their OpenStack resources without involving a system administrator and without a terminal connection to the cluster. This improves OpenStack security, because shell access to the cluster nodes can then be restricted to administrators.
Horizon is designed to allow easy integration with other products and services, in order to allow an easy deployment and usage with third-party software.
Horizon can be compared to Amazon's AWS Management Console.
OpenStack Identity Service – Keystone
Keystone is the identity service of OpenStack. It was added to OpenStack in Essex.
Keystone catalogs the available API endpoints and centralizes user identities and permissions in OpenStack. Because this information is highly sensitive, it would be costly and unsafe to let each component manage it on its own. Instead, Keystone stores it securely, and every other component that needs it obtains it through the Keystone REST API. Keystone supports multiple authentication methods, such as username and password, tokens, and Amazon Web Services (AWS) style EC2 access key and secret key credentials.
Keystone supports multiple backends to store this data, such as SQL databases and LDAP.
Keystone can be compared to Amazon's AWS Identity and Access Management (IAM).
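Every OpenStack client performs the same two steps after authenticating against Keystone: it reads the service catalog returned with the token and picks the endpoint for the service, interface (public, internal, admin) and region it needs. The following is an added example, not code from this book or from the Keystone project. The catalog is constructed by hand in the shape of the "token" object that Keystone v3 returns from POST /v3/auth/tokens; the host names, region names and project ID are placeholders. It also shows the check a security reviewer wants on a real catalog: every endpoint that is not served over HTTPS, because the token travels in the X-Auth-Token header of every request and a plaintext endpoint exposes it on the wire.

```python
"""Resolve service endpoints from a Keystone v3 service catalog and
flag plaintext endpoints. Added example; the catalog below is constructed
and its hosts, regions and IDs are placeholders."""
from urllib.parse import urlsplit

# Constructed sample: the "token" object of a Keystone v3 authentication
# response, trimmed to the parts that matter for endpoint discovery.
SAMPLE_TOKEN = {
    "token": {
        "user": {"name": "alice"},
        "project": {"name": "demo"},
        "catalog": [
            {
                "type": "identity", "name": "keystone",
                "endpoints": [
                    {"interface": "public", "region": "RegionOne",
                     "url": "https://keystone.example.com:5000/v3"},
                    {"interface": "admin", "region": "RegionOne",
                     "url": "https://keystone.example.com:35357/v3"},
                ],
            },
            {
                "type": "compute", "name": "nova",
                "endpoints": [
                    {"interface": "public", "region": "RegionOne",
                     "url": "https://nova.example.com:8774/v2/1234"},
                    {"interface": "internal", "region": "RegionOne",
                     "url": "http://10.0.0.5:8774/v2/1234"},
                    {"interface": "public", "region": "RegionTwo",
                     "url": "https://nova-two.example.com:8774/v2/1234"},
                ],
            },
            {
                "type": "object-store", "name": "swift",
                "endpoints": [
                    {"interface": "public", "region": "RegionOne",
                     "url": "http://swift.example.com:8080/v1/AUTH_1234"},
                ],
            },
        ],
    }
}


def find_endpoint(token, service_type, interface="public", region=None):
    """Return the URL for service_type on the given interface (and region,
    when one is requested), or None if the catalog offers no match.
    The first matching entry wins, as in the OpenStack clients."""
    for service in token["token"]["catalog"]:
        if service["type"] != service_type:
            continue
        for endpoint in service["endpoints"]:
            if endpoint["interface"] != interface:
                continue
            if region is not None and endpoint["region"] != region:
                continue
            return endpoint["url"]
    return None


def insecure_endpoints(token):
    """List (service type, interface, url) for every catalogued endpoint
    whose scheme is not https. Internal endpoints count too: the token in
    X-Auth-Token is just as valid on the management network."""
    found = []
    for service in token["token"]["catalog"]:
        for endpoint in service["endpoints"]:
            if urlsplit(endpoint["url"]).scheme != "https":
                found.append((service["type"], endpoint["interface"],
                              endpoint["url"]))
    return found


if __name__ == "__main__":
    print("compute, public, any region:", find_endpoint(SAMPLE_TOKEN, "compute"))
    print("compute, public, RegionTwo: ",
          find_endpoint(SAMPLE_TOKEN, "compute", region="RegionTwo"))
    for entry in insecure_endpoints(SAMPLE_TOKEN):
        print("plaintext endpoint:", entry)
```

On a live deployment the same checks can be run on the catalog returned by the identity API, or on the output of the catalog listing in the Keystone CLI; the point is that the catalog is the authoritative list of where tokens are sent, so it is the place to look for plaintext endpoints.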
OpenStack Networking Service – Neutron
In Folsom (the sixth release of OpenStack), a networking module called Quantum was added. Due to trademark issues, since Havana (the eighth OpenStack release) this module has been renamed Neutron.
Neutron lets you create and manage virtual networks in an easy yet powerful way. It supports global networks, which are created and managed by administrators and available to all users, and user (tenant) networks, which are created and managed by a single user. A tenant network is visible and usable only by the user that owns it.
Neutron provides not only basic networking but also advanced features such as floating IPs. It also offers an extension framework for deploying and managing other network services, such as intrusion detection systems (IDS), load balancers, firewalls, and virtual private networks (VPNs). Administrators can use software-defined networking (SDN) technology such as OpenFlow to support multitenancy and horizontal scaling.
Neutron can be compared to Amazon's Amazon Virtual Private Cloud (VPC).
OpenStack Block Storage Service – Cinder
Cinder is the block storage service for OpenStack. It has been included in OpenStack since Folsom (the sixth release of OpenStack).
Cinder provides block-level storage devices to Nova instances. Its interface and features are comparable to the block storage of commercial SAN products, so any user can create, manage, and use their own block storage devices. Cinder supports multiple backends, such as Ceph, GlusterFS, NFS, and several proprietary SAN systems.
Cinder can be compared to Amazon's Amazon Elastic Block Store (EBS).
OpenStack Orchestration – Heat
Heat has been part of OpenStack since Havana (the eighth release of OpenStack). It orchestrates cloud applications using templates: the resources an application needs are described once, and Heat creates them on demand.
Because machines are created from templates, an application can grow horizontally without any direct commands from the administrators.
To help administrators who manage infrastructure on both OpenStack and Amazon, or who are migrating from Amazon to OpenStack, Heat also supports the Amazon CloudFormation template syntax.
Heat can be compared to Amazon's Amazon CloudFormation.
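Since a Heat template declares every resource of a stack, including the Neutron security groups its servers will use, it is also the right place to review network exposure before anything is created. The following is an added example, not code from this book or from the Heat project. The template is a constructed HOT document held as a Python dict (Heat accepts the same structure as JSON); the image, flavor and network names are placeholders, and the set of ports allowed from any source is a policy assumption for the example. The audit flags ingress rules that admit any source on ports outside that set, rules with no remote at all (Neutron then matches any source), and servers that reference no security group and therefore fall back to the project's default group.

```python
"""Audit Neutron security-group rules declared in a Heat template before
creating the stack. Added example; the template is constructed and its
image, flavor and network names are placeholders."""
import ipaddress

# Policy assumption for this example: the only ports that may be reachable
# from any source address.
PUBLIC_ALLOWED_PORTS = {80, 443}

# Constructed HOT template: one security group and one server that uses it.
TEMPLATE = {
    "heat_template_version": "2013-05-23",
    "description": "Web server with a security group (constructed example)",
    "resources": {
        "web_sg": {
            "type": "OS::Neutron::SecurityGroup",
            "properties": {
                "name": "web-sg",
                "rules": [
                    {"protocol": "tcp", "port_range_min": 443,
                     "port_range_max": 443, "remote_ip_prefix": "0.0.0.0/0"},
                    {"protocol": "tcp", "port_range_min": 22,
                     "port_range_max": 22, "remote_ip_prefix": "10.0.0.0/8"},
                    # Wide open: every TCP port from anywhere.
                    {"protocol": "tcp", "port_range_min": 1,
                     "port_range_max": 65535, "remote_ip_prefix": "0.0.0.0/0"},
                    # Outbound traffic; not an exposure finding.
                    {"direction": "egress", "remote_ip_prefix": "0.0.0.0/0"},
                ],
            },
        },
        "web_server": {
            "type": "OS::Nova::Server",
            "properties": {
                "image": "cirros",        # placeholder
                "flavor": "m1.small",     # placeholder
                "networks": [{"network": "private"}],
                "security_groups": [{"get_resource": "web_sg"}],
            },
        },
        "bastion": {
            "type": "OS::Nova::Server",
            "properties": {
                "image": "cirros",        # placeholder
                "flavor": "m1.small",     # placeholder
                "networks": [{"network": "private"}],
                # No security_groups: Neutron applies the project default.
            },
        },
    },
}


def audit_rule(rule):
    """Return the problems found in one security-group rule."""
    if rule.get("direction", "ingress") == "egress":
        return []
    prefix = rule.get("remote_ip_prefix")
    if prefix is None and rule.get("remote_group_id") is None:
        return ["no remote_ip_prefix or remote_group_id (any source)"]
    if prefix is None or ipaddress.ip_network(prefix).prefixlen != 0:
        return []  # restricted to a prefix or a group: acceptable here
    proto = rule.get("protocol")
    low, high = rule.get("port_range_min"), rule.get("port_range_max")
    if proto is None or low is None or high is None:
        return ["all ports open to any source"]
    if low != high or low not in PUBLIC_ALLOWED_PORTS:
        return [f"{proto} {low}-{high} open to any source"]
    return []


def audit_template(template):
    """Return (resource name, detail, problem) for every finding."""
    findings = []
    for name, res in template["resources"].items():
        props = res.get("properties", {})
        if res.get("type") == "OS::Neutron::SecurityGroup":
            for idx, rule in enumerate(props.get("rules", [])):
                for problem in audit_rule(rule):
                    findings.append((name, f"rule {idx}", problem))
        elif res.get("type") == "OS::Nova::Server":
            if not props.get("security_groups"):
                findings.append((name, "security_groups",
                                 "no security group set (default group applies)"))
    return findings


if __name__ == "__main__":
    for finding in audit_template(TEMPLATE):
        print(*finding, sep=" | ")
```

A CloudFormation-style template can be checked the same way once its resources are mapped to the HOT property names; the rule semantics are Neutron's either way.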
OpenStack Telemetry – Ceilometer
Ceilometer was added to OpenStack in Havana (the eighth release of OpenStack) alongside Heat, since the two are complementary. Ceilometer provides data about users' resource usage, so that they can be billed for the resources they actually use.
Ceilometer is a single service that centralizes the counters of each service, so the usage data needed to calculate customer billing can be exported. All data in Ceilometer are traceable, and the whole process can be audited. Ceilometer data can also help companies running OpenStack as a private cloud to understand which processes and business units use the most resources.
Ceilometer can be compared to Amazon's Amazon CloudWatch.
OpenStack Database Service – Trove
Trove is a database-as-a-service that can provide both relational and non-relational databases. It was added in Icehouse (the ninth release of OpenStack) and heavily improved in Juno (the tenth release of OpenStack).
Trove manages the database for the user, so it can migrate a database from one machine to another or scale the machine size to the required resources. It also provides a RESTful API for provisioning and managing databases, which abstracts the database and its administration completely; the native interface of the chosen database remains available as well. Currently, it supports relational databases such as MySQL, NoSQL databases such as MongoDB, Cassandra, Redis, CouchDB, and Couchbase, and in-memory databases such as Memcached and VoltDB.
Trove can be compared to Amazon's Amazon Relational Database Service (RDS), but Amazon's service only supports relational databases.
OpenStack Data Processing Service – Sahara
Sahara is a Hadoop-as-a-service system. It is very new: it was added in Juno (the tenth release).
Sahara lets users create Hadoop clusters quickly and easily while keeping full control of them: users can set many parameters, such as the Hadoop version, the cluster topology, and the nodes' hardware details. Once the user has provided this information, Sahara deploys the cluster in a few minutes.
Sahara also lets users launch and manage MapReduce jobs on the clusters they have created.
Sahara can be compared to Amazon's Amazon Elastic MapReduce (EMR).