Cloud and OpenStack Final Version PDF
Prepared by:
April 2012
Cloud computing, also called virtual-server computing, refers to service-oriented computing that is developed on top of the Internet. More specifically, in the cloud computing model all resources, information and software are shared and delivered to computers, devices and users as services over a public network infrastructure (usually the Internet) [1, 2]. Users of services such as databases, websites and storage in the cloud computing model need not care about the geographic location or other details of the cloud network: cloud computing is transparent to the user. End users access and use cloud applications through a web browser, a mobile application or an ordinary personal computer. Performance on the end-user side improves when specialised software and databases are stored and installed on virtual servers in a cloud environment built on a data center.
A data center is the term for the area housing servers and storage devices, including the power supply and other equipment such as racks and cables, with high availability and stability. It also has to meet other criteria: a high degree of modularity, easy expansion, power and cooling, and support for consolidating servers and high-density storage [3].
The figure below, taken from [4], illustrates the definition of cloud computing (CC) as 5 essential characteristics, 4 deployment models and 3 service models.
The 5 characteristics of CC can differ depending on the actual deployment model. For example, in a private cloud, where the resources are used by a single enterprise, on-demand self-service and resource pooling differ from the other models.
- Rapid elasticity: the CC provider can assign and reclaim a user's resources very quickly. On the user's side, resources can be requested without limit and are simply paid for as they are consumed.
- Broad network access: computing resources are easily reached through standard network mechanisms.
- Measured service: the provider guarantees that each customer's consumption is metered. The model aimed at is pay as you go.
- On-demand self-service: customers adjust the resources they use without having to notify the provider or go through any intervention on its part.
- Resource pooling: the physical and virtual resources of the CC are shared and automatically allocated to users.
There are 3 main cloud deployment models: public, private, and hybrid (a mix of public and private cloud). A public cloud is one in which cloud providers offer services such as resources, platforms or applications hosted on the cloud and exposed to the outside world. Services on a public cloud can be free or paid [5]. In a private cloud the services are provided internally and are usually business services, intended for a specific group of people and placed behind a firewall. A hybrid cloud is a cloud environment that combines public and private services [5]. There is also the community cloud, a cloud shared between cloud service providers. As for service models, there are 3 main kinds: IaaS, which delivers infrastructure such as a server; PaaS, which delivers a platform as a service; and SaaS, which delivers software as a service.
The above is NIST's definition of CC. The next part presents the benefits of CC in order to highlight its features compared with traditional models.
2. Benefits of cloud computing
Some basic and characteristic benefits of a cloud computing system are the following [6]:
- Increased flexibility: adding or removing one or several devices (storage devices, servers, computers, ...) takes only a few seconds.
- IT resources on demand: the administrator sets up the system configuration according to the customer's needs and delivers it to the customer.
- Increased availability: applications and services are dynamically balanced to guarantee availability. When one piece of hardware fails the system is not affected; only the system's resources are reduced.
- Hardware saving: the traditional model in many cases needs a separate system for each task or service. This causes waste,
In summary, the cloud computing model overcomes 2 important weaknesses of the traditional model, scalability and flexibility. Organisations and companies can deploy applications and services quickly, at lower cost and with less risk [6]. The next part introduces virtualization, the core technology, which is regarded as the stepping stone from the traditional model to CC.
3. Virtualization Technologies
3.1. Kernel mode and User mode
Before going into the details of the virtualization technologies, a few concepts related to how an operating system handles hardware resources are outlined. Normally an installed OS has 2 main operating modes:
- Kernel mode: this is the protected space in which the OS kernel runs and interacts directly with the hardware. A typical example of kernel-mode code is a device driver. When a fault occurs here the whole system stops and reports an error, as when Windows shows a blue screen after a hardware communication error.
- User mode: this is the space in which applications run, for example Office, MySQL or Exchange Server. When an application fails, only that application stops; the server is not affected.
When an application needs to reach a hardware resource, for example a hard disk or a network interface, it has to go through the appropriate driver running in kernel mode. The switches back and forth between user mode and kernel mode are themselves processes, and they consume system resources (CPU, RAM, ...).
3.2. Hypervisor
A hypervisor is a piece of software that sits directly on the hardware, or underneath the OS, in order to provide isolated environments called partitions. Each partition corresponds to a virtual machine (VM) and can run an independent OS. There are currently 2 different approaches to the hypervisor (two kinds of hypervisor, or VMM), named the monolithic hypervisor and the micro hypervisor.
- Monolithic hypervisor: the hypervisor has its own drivers for accessing the underlying hardware, and the VMs reach system resources through the hypervisor's drivers. This gives high performance, but when a driver inside the hypervisor fails the whole system stops, and there is a security problem in that drivers can be impersonated by malware, a risk in a virtualized environment.
- Micro-kernelized hypervisor: this kind of hypervisor keeps no drivers inside the hypervisor; the drivers run directly in each partition. One VM plays the role of parent partition, managing and creating the child partitions (child VMs). The parent VM also carries other functions such as memory management and hosting the drivers, which brings safety and reliability. It does, however, have an availability problem: when the parent partition fails, the system stops as well.
3.3. Full-virtualization
Figure 3: Full-virtualization
Full virtualization is a virtualization technology that provides a virtual machine as a simulation of a real server with all of its features, including input/output operations, interrupts, memory access, and so on. Figure 3 shows the full-virtualization model, with a virtualization layer performing the virtualization and providing the virtual servers (guest OSes) [8]. This model cannot exploit performance well, however, because everything has to pass through a virtual machine monitor (Virtual Machines monitor
Figure 4: Para-virtualization
Para-virtualization, also called partial virtualization, is a virtualization technique supported and controlled by a hypervisor in which the guest OSes execute instructions without going through the hypervisor (or any other virtual machine monitor), so they are not restricted in their privileges. The drawback of this kind of virtualization is that the OS knows it is running on a virtual hardware platform, and installation and configuration are difficult. Para-virtualization is supported by Xen, VMware, Hyper-V and UML [9, 10].
OS-level virtualization, also called container virtualization or isolation, is a new virtualization method that lets the kernel of the operating system support multiple isolated instances on top of one existing OS for many different users; in other words, many isolated and secure virtual machines are created and run sharing a single OS. Its advantage is fast maintenance, so it is widely used in hosting. OpenVZ, Virtuozzo, Linux-VServer, Solaris Zones and FreeBSD Jails support this kind of virtualization [9, 11]. Note that this isolation type of virtualization exists only on the Linux OS.
If virtualization is only the foundation technology of CC, deploying CC in practice relies on 2 basic options: commercial CC products such as those from VMware and Microsoft (Hyper-V), or open-source products such as Eucalyptus and OpenStack. The next part presents the benefits of deploying CC with open source.
Given the benefits of the cloud computing model described in the previous part, especially flexibility and cost benefits, this will be a trend for the future. There are, however, many cloud computing technologies with different costs and solutions, depending on the intended use and on each technology's advantages such as ease of deployment, high scalability, low price, and so on. Using open-source tools to deploy cloud computing brings the following advantages [6]:
- Avoiding vendor lock-in (dependence on closed, licensed software): commercial solutions are usually a bundle built around the vendor's own standards, for instance specific APIs and proprietary image and storage formats, which make the cloud incompatible with, or unable to take advantage of, existing infrastructure. Vendor-locked clouds will also face the problem of migrating some services to other cloud systems in the future; this difficulty is a limitation.
- Getting best-of-breed technology: open-source cloud computing projects are always supported and helped by a worldwide community with thousands of people developing new functions and fixing bugs. No single company can match this advantage of open source.
- Unlimited scalability: cost is the dominant problem when scaling a cloud with licensed software. With open-source clouds, for example clouds built on Ubuntu, whose support for cloud computing is completely free, scaling out is very easy.
- Aligning the cloud to specific business needs: when a commercial solution lacks some function, it is very hard to find a workaround short of waiting for a newer version that supports it. With open source the code can be changed to add the functions that suit the business purpose of the system.
Comparison table of the open-source cloud platforms presented in the sections that follow. The extraction did not preserve which column each cell belongs to, so only the row headings and the recovered cell values are listed:
- Supported OS
- Architecture: centralized; three components; minimum two servers (listed for three of the platforms)
- Language: Java, Ruby and C++ / Python, Java / Java, Ruby, C++ and Python
- Storage: Walrus / SCP, SQLite3 / VastSky / HDFS / OpenStack Store
- Network: DHCP server on the cluster controller, EC2 WS API, tools such as HybridFox and ElasticFox, a zip file that / GridFTP, Cumulus (new version of GridFTP), SCP, DHCP server installed on nodes, EC2 WS API, Nimbus WSRF / manual configuration / Open vSwitch, command-line XE (XenCenter) and Versiera (commercial solution for Windows) / WS-Management / OpenStack Compute
- Access interface and user: authentication, X.509 certificate / authentication, certification / SSH connection, XAPI, virtual machine state synchronization, Open Virtualization Format, shared storage, XCP Host / authentication, AbiServer / OpenStack Compute
- A final yes/no row whose heading was lost: Yes for XCP Host, No for OpenStack Compute
1. Eucalyptus
Eucalyptus is an open-source, Linux-based software for deploying cloud computing as either a private or a hybrid (private and public) cloud. Eucalyptus provides IaaS (Infrastructure as a Service), making it convenient to assign resources (hardware, storage capacity and network infrastructure) on demand. Eucalyptus's strength is that it deploys enterprise data centers without demanding much in the way of hardware configuration. Moreover, Eucalyptus interoperates with Amazon's well-known cloud service AWS (Amazon Web Services™) through a common programming interface. Its architecture is simple, flexible and modular, and offers many advantages such as snapshots, self-service, and so on [12].
2. OpenNebula
OpenNebula is an open-source toolkit used for private, public and hybrid clouds. OpenNebula works together with Xen, KVM, VMware and, most recently, VirtualBox [13, 14].
3. Nimbus
Nimbus is a cloud computing project of Culumbus that provides IaaS (Infrastructure as a Service). Nimbus supports 2 kinds of virtualization, Xen and KVM [13].
4. Xen Cloud Platform (XCP)
XCP is an open-source platform for deploying server virtualization and cloud computing on top of the Xen hypervisor. XCP supports many guest OSes, including Windows and Linux, as well as the networking, storage and management tools that come in the XCP appliance. XCP originates from Citrix XenServer and is licensed under the GNU General Public License (GPL2) [13, 15].
5. AbiCloud
AbiCloud is a private cloud computing solution developed by Abiquo that lets users build an IaaS environment. AbiCloud supports the VirtualBox, VMware, Xen and KVM virtualization technologies [13, 16].
6. OpenStack
OpenStack is a community open-source project for developing cloud computing, suited to cloud providers as well as cloud customers, developed by Rackspace Hosting and NASA. OpenStack consists of 3 main projects: OpenStack Compute (managing and assigning resources to virtual instances), OpenStack Object Storage (storage and backup), and OpenStack Image Service (discovery, registration and delivery services for virtual disk images) [13]. OpenStack is currently rated the strongest open-source software for building CC, with the support of the world's large computing vendors such as HP, Canonical, IBM, Cisco, Microsoft and others. It is also the toolkit being deployed here, and it is presented in detail in the following parts.
AWS continues to research, improve and add new features to its set of services. Given the scope of this study and test of OpenStack, the group only gives a basic introduction to and some remarks on Amazon's main services. This gives a more concrete view of OpenStack and a comparison with its biggest 'rival'. Some important milestones of AWS are the following:
The main AWS services are: Amazon Elastic Cloud Compute (EC2) provides instances (virtual machines) on demand, with extremely flexible computing and scaling capacity. Put simply, EC2 gives users the ability to create virtual machines on Amazon's infrastructure; they can allocate
In the introduction to AWS above, we have basically grasped some of the functions that a commercial product currently provides to its customers, from which we can make a relative comparison with the functions that this open-source toolkit can perform. To further clarify why AWS is taken as the 'point of comparison', let me cite some important milestones that led to the birth of OpenStack. Back in 2005, when Amazon launched EC2 as a trial, it was a great success that surprised the community. Thanks to its stability, other companies could simply rent EC2 for a few hours with a very large amount of capacity to carry out their computing jobs that demanded high performance. The example Amazon often cites is its cooperation with NASDAQ, the stock exchange that has to process an extremely large amount of computational data at the end of the week; instead of investing in a complex server system, it just rents EC2 for a few hours, the cost saved is very large, and the work is done more effectively. One of the organisations that needed that kind of high-performance computing capability was NASA. It had a plan to restructure its data center and needed an IaaS platform to make better use of the physical infrastructure it had. Amazon EC2 was a good model to follow. Around 2008 NASA began to use and take part in Eucalyptus, a project aimed at providing an IaaS similar to AWS (EC2 and S3). Not as NASA wished, however, Eucalyptus was not a completely open project: the company behind it did not let NASA see some closed components of Eucalyptus. The rift began there. NASA then started its own project with the same goal of building an infrastructure like Amazon EC2, code-named Nebula. Under influence from many different sides, in 2010 NASA finally decided to publish the source of Nebula and develop it as open source under the code name Nova. Rackspace then merged its storage platform into the project under the code name Swift. The OpenStack project was established with a commitment to open development. It quickly won the agreement of many other technology firms and of the community. More than 160 companies now take part in the project, including most of the big names: NASA, Rackspace, Cisco, Citrix, Microsoft, HP, Dell, Canonical...
As said, AWS is the source of inspiration that created today's OpenStack; AWS is Amazon's closed platform and OpenStack is an open platform for all companies and the
OpenStack has a 6-month development cycle that follows the development of CC; each OpenStack release adds new components corresponding to new functions. OpenStack is entirely open source, and its components are written in Python, a language that has been rated very highly in recent years.
2.1. OpenStack releases
- Austin, 10/2010: the first release of OpenStack, with 2 projects, Object Storage (also called Swift) and Compute (also called Nova). The Compute project in this release was only at the testing stage and had many limitations when deployed.
- Bexar, 2/2011: integrated a new project, Image Service, together with many changes and improvements in Nova and Swift. This release allowed files larger than 5 GB to be stored and added a new service, swauth, for authentication and authorization. It also improved many API features and extended hypervisor support for virtualization.
- Cactus, 4/2011: also 3 projects, as in Bexar, but with API improvements and support for 2 more virtualization technologies, LXC containers and VMware. Glance introduced a new command-line tool for accessing the service, added image formats, and added image verification to guarantee data integrity.
- Diablo, 11/2011: the release being used in the test, also with the 3 main projects of Cactus.
- Essex, 4/2012: the newly released version, to be tested in the coming time, with support for and upgrades of 2 new projects, Identity and Dashboard.
2.2. OpenStack Diablo: conceptual and logical architecture
In the test the group uses the OpenStack release of 22/11/2011, code-named Diablo. This release has three main components:
- Compute (code name Nova) provides computing capacity through instances; it corresponds to Amazon's EC2.
- Image Service (code name Glance) stores the image files of the instances before they are 'unpacked' for use by Nova. AWS also has a similar component for managing images, but as it is a closed platform the details have not been published clearly.
- Object Storage (code name Swift) provides storage capacity; it corresponds to S3.
The latest OpenStack release, of 05/04/2012 and code-named Essex, adds two new components:
- Dashboard (code name Horizon) provides a web interface for managing OpenStack.
- Identity (code name Keystone) provides authentication and authorization for the OpenStack services.
The logical architecture of OpenStack can be summarised in the following 3 points:
- end users interact through a web interface (Horizon);
- all services are authenticated through Keystone;
- the individual services interact with one another through their respective APIs.
As in AWS, the OpenStack components operate independently, so there has to be an intermediary between them to relay messages and to synchronise time, information and resources across the whole system. OpenStack currently uses the RabbitMQ message queue to pass messages back and forth. In the Diablo release under test, the Dashboard and Identity components did not yet work well with the 3 components Nova, Swift and Glance, so they could not yet be installed and made to work correctly.
2.1.1. OpenStack Compute (Nova)
This is the most basic part of OpenStack; it controls the IaaS and redistributes system resources to instances with independent computing and storage capacity. It corresponds to Amazon EC2. Basically, Nova gives users the ability to run instances (virtual machines) and an interface to manage the instances on the hardware infrastructure. Nova itself contains no virtualization software, however; what it does is reuse hypervisors (installed at the user's choice) to perform the virtualization of computation. Users can use different hypervisors in different zones. The hypervisors Nova currently supports are:
- Hyper-V 2008
- KVM - Kernel-based Virtual Machine
- LXC - Linux Containers (through libvirt)
- QEMU - Quick EMUlator
- UML - User Mode Linux
- VMware ESX/ESXi 4.1 update 1
- Xen - XenServer 5.5, Xen Cloud Platform (XCP)
The components of Nova are:
- Cloud Controller - manages and interacts with all the components of Nova
- API Server - a web-service front end to the Cloud Controller
- Compute Controller - provides and manages resources for the instances
- Object Store - provides storage capacity; this component goes together with the Compute Controller
- Auth Manager - the authentication and authorization service
- Volume Controller - block-level storage, like Amazon EBS
- Network Controller - creates and manages the connections in the virtual network so that servers can interact with one another and with the public network
- Scheduler - picks the most suitable compute controller to host an instance
The components of Nova operate independently and connect to one another through messages (message-based architecture). The Compute Controller, Volume Controller, Network Controller and Object Store can be installed on different physical servers. As the figure above shows, the Cloud Controller talks to the Object Store over HTTP but to the Scheduler over AMQP (Advanced Message Queue Protocol). To avoid blocking while waiting for components to reply, Nova uses asynchronous calls, with a callback invoked when the response arrives. Because Nova is built from many different components, some functions are being rebuilt and some are duplicated. Typically, the Object Store component in Nova is used to store images (the image files of virtual operating systems before they are run), while Glance also stores those images. This does not matter much, however
Nova-network: this component works with nova-compute and is responsible for connecting the instances to one another and to the public network. As in AWS or Eucalyptus, an instance in OpenStack can have 2 IPs: a private IP used to connect instances to one another and a public IP used to connect the instance to the Internet (the public network). nova-network has three different management modes:
- Flat Network: creates a bridge interface on top of the Ethernet adapter for communication between nodes. With the Flat Network configuration Nova does not manage the networking of the instances; the IP is simply assigned to the instance by injection into its file system. Metadata must be configured manually on the gateways if the internal network requires it. The following figure shows this configuration across several nodes through one Ethernet adapter:
- Flat DHCP Networking: in this configuration the host running nova-network acts as the gateway for the virtual nodes.
- VLAN Networking: the default configuration of Nova. It lets the admin assign a private network range to each project, and the instances can be reached through a VPN from the Internet. In this configuration each project gets its own VLAN, a Linux networking bridge and a subnet. The subnet is specified by the admin and is assigned dynamically to the project on request. A DHCP server is run for each VLAN to assign an IP to each instance within the subnet assigned to the project. All instances of the same project are placed in one private VLAN.
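The VLAN mode described above (one VLAN, one bridge and one subnet per project, with a per-VLAN DHCP handing out fixed IPs) is easier to reason about with a small model. The following is an added illustration written for this report, not Nova's own code: it carves a fixed range such as the report's 10.0.0.0/22 into equal-sized project subnets, numbers VLANs from an assumed start of 100 with bridges named br<vlan>, uses the first host address as the project gateway, and leases the remaining addresses to instances in order. Those conventions are assumptions made for the example; the isolation property it demonstrates is that two projects never share a VLAN.

```python
import ipaddress
import math
from dataclasses import dataclass, field


@dataclass
class ProjectNetwork:
    """One project's isolated network: VLAN id, Linux bridge, subnet, gateway."""
    project: str
    vlan: int
    bridge: str
    subnet: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    leases: dict = field(default_factory=dict)   # instance name -> fixed IP


class VlanNetworkManager:
    """Simplified model of nova-network VLAN mode (not Nova's implementation).

    The fixed range is split into subnets of `network_size` addresses, handed
    out to projects in order; VLAN ids count up from `vlan_start` (assumed 100).
    """

    def __init__(self, fixed_range, network_size, vlan_start=100):
        if network_size & (network_size - 1):
            raise ValueError("network_size must be a power of two")
        new_prefix = 32 - int(math.log2(network_size))
        self.free_subnets = list(
            ipaddress.ip_network(fixed_range).subnets(new_prefix=new_prefix))
        self.next_vlan = vlan_start
        self.networks = {}   # project name -> ProjectNetwork

    def allocate(self, project):
        """Assign a VLAN, bridge and subnet to a project the first time it asks."""
        if project in self.networks:
            return self.networks[project]
        if not self.free_subnets:
            raise RuntimeError("fixed range exhausted: no subnet left for %s" % project)
        subnet = self.free_subnets.pop(0)
        vlan = self.next_vlan
        self.next_vlan += 1
        gateway = next(subnet.hosts())          # first usable host is the gateway
        net = ProjectNetwork(project, vlan, "br%d" % vlan, subnet, gateway)
        self.networks[project] = net
        return net

    def add_instance(self, project, instance):
        """Hand out the next free fixed IP in the project's subnet (DHCP-like)."""
        net = self.allocate(project)
        used = set(net.leases.values()) | {net.gateway}
        for ip in net.subnet.hosts():
            if ip not in used:
                net.leases[instance] = ip
                return str(ip)
        raise RuntimeError("subnet %s is full" % net.subnet)

    def release_instance(self, project, instance):
        """Return an instance's address to the pool when it is terminated."""
        self.networks[project].leases.pop(instance, None)

    def same_vlan(self, project_a, project_b):
        """Instances share a layer-2 segment only if their projects share a VLAN."""
        return self.networks[project_a].vlan == self.networks[project_b].vlan


if __name__ == "__main__":
    # Constructed walk-through with the report's private range.
    mgr = VlanNetworkManager("10.0.0.0/22", 256)
    net = mgr.allocate("testproject")
    print(net.vlan, net.bridge, net.subnet, net.gateway)
    print(mgr.add_instance("testproject", "vm1"))
    print(mgr.allocate("other").subnet, mgr.same_vlan("testproject", "other"))
```

With a /22 range and 256-address project subnets the manager can serve four projects; a fifth allocation fails, which is the sizing check an operator would want to make before choosing the fixed range and network size.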
2.1.2. OpenStack Object Storage
OpenStack Object Storage, also called Swift, was open-sourced by Rackspace in 2010; it is the technology behind Rackspace's Cloud Files, one of the best commercial storage solutions today and a competitor of Amazon S3.
Figure 12: Overview of OpenStack Object Storage
Features of OpenStack Object Storage [18]:
- Store and manage files programmatically via API
- Create public or private containers
- Leverages commodity hardware
- HDD/node failure agnostic: no data is lost, thanks to automatic backup and replication mechanisms
- Unlimited storage
- Multi-dimensional scalability (scale-out architecture)
The main components are described as follows:
- Proxy Server - receives requests and authenticates the user. Once authentication is complete, data is transferred directly from (or to) the user; the proxy server does not inspect it.
- Object Server - stores and manages the stored objects. Objects are stored as binary data together with the metadata that describes them.
- Container Server - stores the location information and the list of objects held in the Object Store. It does not know exactly where an object is stored, but it knows which container an object belongs to. By default the data is kept in an SQLite database,
2.1.3. OpenStack Image Service (Glance)
OpenStack Image Service (also called Glance) provides discovery, registration and delivery services for virtual disk images. The OpenStack Image Service API provides a standard interface for querying information about virtual disk images stored in back ends, including OpenStack Object Storage. Clients can register a virtual disk image with the available services and query its information. Its current features are [19]:
- Image-as-a-service
- Multi-format/container support
- Image status
- Scalable API
- Metadata
- Image checksum
- Extensive logging
- Integrated testing
- Back-end store options
- Version control
- CLI access
- Built-in management utilities
- Drive auditing
- VNC proxy through web browser
As introduced, Glance is one of the main components of OpenStack; its task is to store and serve the image files of the virtual machines (instances). Glance has three parts:
- Glance API server - receives the API calls; like nova-api, it waits for API requests, then talks to the other components (glance-registry and the image store) and carries out the requested work: query, upload, delete image, and so on.
- Glance Registry server - stores and serves the metadata about images (format, ID, size, ...). By default SQLite is used to store the metadata. glance-registry always listens on port 9191.
- Image Storage - stores the image files. Glance supports the following formats:
In the test the group also uses the three components Nova, Glance and Swift. Basically, the image files of an instance are uploaded to the Glance server; Nova then calls Glance and asks for one of the image files to create an instance inside nova-compute. Data that needs to be stored separately (backups, data shared between instances) is stored on Swift. The three components are independent of one another, but can be combined to work as one whole.
2.1.4. OpenStack Dashboard (Horizon) and OpenStack Identity
In this test the installation of these two components alongside Nova, Glance and Swift could not be completed. Hopefully the two components will work better in the Essex release. Some basic information about Keystone and Dashboard follows. Keystone is the authentication, token, catalog and policy service for all the other OpenStack services; it is exposed through the OpenStack Identity API. Dashboard provides a web interface for managing the remaining OpenStack components and works with Keystone to authenticate users. It is developed on the Django framework and provides an interface similar to the AWS management console.
The CC deployment was carried out on one DELL T710 server running Ubuntu 11.10 server amd64. The OpenStack components were installed from the Ubuntu repository, corresponding to the Diablo release of OpenStack. All the components Nova, Glance and Swift were installed on a single server, so some auxiliary components such as time synchronisation between nodes are unnecessary (no NTP server is needed).
In addition only a single adapter is needed for the nova-network configuration. The instances are assigned two IP ranges:
- Public IP, used to connect the instances to the Internet: 172.17.2.64/27
- Private IP, used to connect the instances to one another (by default each instance is assigned one address at creation): 10.0.0.0/22
The main packages installed are:
- auxiliary packages such as unzip to extract the images, vnc, and many Python-related packages: python-software-properties memcached xfsprogs python-setuptools curl vncproxy unzip
- the MySQL server used for all services: mysql-server
- the message queue server that passes messages between the OpenStack components: rabbitmq-server
By default Glance and Swift use an SQLite server to store metadata and related data; we chose MySQL, a fairly common database that is familiar to the ordinary needs of the environment we work in. We use the three services Nova, Glance and Swift, so we need to create 3 databases, nova_db, glance_db and swift_db, with the corresponding users nova, glance and swift, which are used in the configurations of the following parts.
** Install the basic packages such as unzip, rabbitmq-server, euca2ools...
Glance's configuration files are kept in /etc/glance/; we change a few settings, for example in glance-registry.conf, to switch the database used for storage from SQLite to MySQL. Beyond that, no other Glance parameter needs to be changed in this test.
** Install and configure Nova
Nova's configuration files are kept in /etc/nova/. To keep this test simple, the group only changes parameters in /etc/nova/nova.conf, which holds Nova's most important settings such as the database details and the nova-network mode. nova-network is configured in VLAN mode, using only the single interface eth0 of the DELL server to connect the instances to the Internet and to create a VLAN for each project.
As mentioned in the part on users and roles in Nova, we create a user named testuser and then give testuser the sysadmin role. Next we create a project named testproject and assign it to testuser with full rights.
** Create the credentials and access keys
For each project Nova issues credentials and access keys to the user for authentication. The most important details are in the novarc file, which is used to set up an 'environment' whose parameters point at the server where Nova is installed. Suppose we use a separate client machine to issue queries to Nova: on this client we also have to fetch these credentials and access keys, after which the client can easily interact and 'talk' with the server running Nova. We need to open port 22 for the SSH service and port 80 for the HTTP service, then restart all Nova and Glance services. If there are no errors, we can now use Nova and Glance.
** Upload an image and launch an instance
Images are available from the servers of Ubuntu, StackOps and others; these are standard files that these vendors prepare for users. We need to fetch them and upload them to Glance (or to the nova object store). For each instance we need to assign a public/private key pair so that the user can log in to the instance: the public key is injected into the instance and the private key is kept by the user (as a .pem file). From the client, using the private key matching the instance, you can SSH to the instance and carry out installation work from the command line.
** Install and configure Swift
As introduced, to keep storage safe and efficient, Swift stores an object (data) in several different zones. In this test we have only one server, so the mechanism may seem not very effective, but imagine that we have many servers and, further, that the servers sit in different geographic locations: storage becomes much safer and easier, and the quality of service for users improves. In this test the group uses a separate disk partition for Swift to store its data on. The group creates 4 servers that simulate storing objects on 4 different nodes. These four nodes naturally share one IP but use different ports for each service, which is enough to simulate temporarily how Swift works.
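How Swift decides which of those four nodes hold the copies of an object is the job of its ring: the object path is hashed, the top bits of the hash select a partition, and each partition is assigned replica devices in different zones. The following is an added model written for this report, not Swift's own ring code (real Swift uses a per-cluster hash suffix, weighted devices and rebalancing, none of which is modelled here). The device list, ports, hash suffix and partition power are constructed values chosen to mirror the report's set-up of four zones on one host.

```python
import hashlib

PART_POWER = 4       # 2**4 = 16 partitions; tiny for illustration (Swift uses e.g. 18)
REPLICAS = 3         # copies of every object, each in a different zone

# Constructed devices: one host, four zones, one port per zone (the report's layout).
DEVICES = [
    {"id": 0, "zone": 1, "ip": "127.0.0.1", "port": 6010, "device": "sdb1"},
    {"id": 1, "zone": 2, "ip": "127.0.0.1", "port": 6020, "device": "sdb2"},
    {"id": 2, "zone": 3, "ip": "127.0.0.1", "port": 6030, "device": "sdb3"},
    {"id": 3, "zone": 4, "ip": "127.0.0.1", "port": 6040, "device": "sdb4"},
]


def partition_for(account, container, obj, part_power=PART_POWER,
                  suffix=b"constructed-hash-suffix"):
    """Hash the object path and keep the top part_power bits as the partition.

    The suffix stands in for Swift's per-cluster hash suffix, which stops an
    outsider from predicting where a given path lands; the value here is made up.
    """
    path = "/%s/%s/%s" % (account, container, obj)
    digest = hashlib.md5(path.encode() + suffix).digest()
    value = int.from_bytes(digest[:4], "big")
    return value >> (32 - part_power)


def build_ring(devices, part_power=PART_POWER, replicas=REPLICAS):
    """Assign each partition `replicas` device ids, never two in the same zone."""
    if len({d["zone"] for d in devices}) < replicas:
        raise ValueError("need at least %d distinct zones" % replicas)
    ring = []
    for part in range(2 ** part_power):
        # Rotate the starting device so partitions spread over all devices.
        start = part % len(devices)
        order = devices[start:] + devices[:start]
        chosen, zones = [], set()
        for dev in order:
            if dev["zone"] not in zones:
                chosen.append(dev["id"])
                zones.add(dev["zone"])
            if len(chosen) == replicas:
                break
        ring.append(chosen)
    return ring


def get_nodes(ring, devices, account, container, obj):
    """Return (partition, devices) that a proxy would contact for this object."""
    part = partition_for(account, container, obj)
    return part, [devices[i] for i in ring[part]]


def zones_distinct(ring, devices):
    """Check the isolation rule: no partition keeps two replicas in one zone."""
    return all(len({devices[i]["zone"] for i in part}) == len(part) for part in ring)


if __name__ == "__main__":
    ring = build_ring(DEVICES)
    part, nodes = get_nodes(ring, DEVICES, "AUTH_test", "backups", "db.tar.gz")
    print("partition", part, "->", [(n["zone"], n["port"]) for n in nodes])
    print("all replicas in distinct zones:", zones_distinct(ring, DEVICES))
```

Losing any one of the four simulated nodes therefore leaves two replicas of every object reachable, which is what the "HDD/node failure agnostic" feature listed earlier rests on; with fewer distinct zones than replicas the ring cannot be built, and the example refuses rather than silently placing two copies on one node.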
I. CSA
The CSA is a non-governmental organisation founded in 2008 to research security problems in CC, in cooperation with many of the world's large companies such as Microsoft, Google, IBM, VMware and others. The first version of the CSA guidance, 1.0, appeared in April 2009, followed by version 2.1 in December of the same year, with newly added security risks such as Information Lifecycle Management and Storage. The CSA is currently at version 3.0, with some improvements and extensions, for instance Security as a Service. The CSA's assessment criteria are all based on research and are peer-reviewed in the academic community before being published as versions. This part summarises the security requirements the CSA puts forward, to give a view of the broad field of security in CC. The CSA divides the security requirements into 2 main parts with the following issues:
1. Governing in the cloud (5 domains)
There is also content on the SLA, regarded as the rules that guarantee the level of safety and availability of the system to the user; depending on the cost, the SLA can be high or low.
2. Operating in the cloud (8 domains)
- Traditional Security, Business Continuity, and Disaster Recovery: CC faces the same security threats as other traditional systems, as well as the problems of system backup and recovery when an incident occurs.
- Data Center Operations: guaranteeing that the data center operates with all of its functions and with high, long-term stability.
- Incident Response: control and alerting when incidents occur.
- Application security
This part has summarised the security-related items the CSA recommends when deploying CC. The next part does the same for the recommendations of NIST.
II. NIST
NIST, the National Institute of Standards and Technology, issued a complete set of guidelines for security and privacy in CC in December 2011. NIST's aim is to give an overview of CC and of the security challenges in CC [21]. The issues NIST raises are:
- Governance
- Compliance
- Trust: problems of data ownership, insider access, and risk management
- Architecture: establishing protection for virtual machines (VMs), virtual networks, the client side and the server side
- Identity and Access Management: enforcing authentication and access control
- Software Isolation
- Data Protection
- Availability: protecting against threats to the availability of the system such as DoS and outages (securing the power supply)
- Incident Response
In general the criteria of NIST and the CSA are quite similar, as both review almost all the requirements for a secure system, for example guaranteeing authentication and access control, responding to incidents, and software/application security. The specific solutions and recommendations of the CSA and NIST are presented in part IV.
c th c a mng m my v i nhi u lo i hnh khch hng khc nhau t ng i dng ph thng (ordinary users), gi i nghin c u (academia) hay cc doanh nghip kinh doanh (enterprise). S t l nghch gia security v performance lun l vn c n phi t ra v gi i quyt n u mun m bo 1 h thng m my an ton vi hi u sut cao. Tuy nhin v i cc lo i hnh khch hng khc nhau, nhu c u cng khc nhau. Ch ng h n v i khch hng enterprise, nhu c u v security c u tin hng u trn c performance trong khi gi i academia u tin vn hi u sut cao. V b n cht, cloud computing cng l m t mi tr ng mng public nh cc m ng truy n th ng nn v n phi i m t v i cc vn an ninh c bn nh cc l h ng c a web application (SQL injection hay Cross-site scripting), DNS poisoning hay ARP poisoning, Tuy nhin, vn v security trong cloud computing t tr ng tm vo vic nh gi qua Information Security Policies cc chnh sch bo v thng tin v Cloud RAS (reliability, availability, and security) issues cc nguy h i v an ninh gp phi trong c th mi tr ng cloud.
1. Information Security Policies
The growth of the cloud to a certain scale requires cooperation between cloud providers and users to develop applications. This sharing means an increase in security threats and poses many challenges for the IT teams that manage security. The new latent risks in a cloud network include:
2.1. Data Leakage
When moving to the cloud model there are two major changes concerning users' data that need close attention: data is stored far away from the user,
A cloud provider is, at bottom, also communication over the Internet using TCP/IP, in which users are identified by IP addresses. Just as in a purely physical network, every virtual machine on the Internet is identified by at least one IP address that can easily be found by users or by attackers. As with a physical machine, attackers can break in from a virtual machine through to the physical host.
o Attacks in cloud: there are many kinds of network attack today, and in theory all of them can be applied to threaten the cloud to varying degrees. For instance, two users in the same cloud network using virtual machines can be regarded as two physical machines sharing one network.
o DDoS attacks against Cloud: a DDoS attack sends a large volume of IP packets to a given network with the aim of paralysing the whole network. Because a cloud network has so many users, the damage if the system is paralysed is far greater than in a point-to-point architecture [5]. Most networks cannot defend against DDoS attacks because the traffic comes from thousands or tens of thousands of machines on the Internet, and it is also very hard to distinguish bad traffic from good traffic. An IPS is very effective at blocking DDoS, but only for attack types that have already been identified or for malicious packets and files already stored as a pre-existing signature; valid packets carrying bad content are still let through. Firewalls are no longer effective against DDoS either, since packets bypass a firewall even more easily than an IDS/IPS [5].
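The limitation described above, that a signature-based IPS passes well-formed packets it has no signature for, is the reason volume-based detection is usually run alongside it. The following is an added example, not code from the original document or from any product: a signature-only check and a sliding-window rate check run over a constructed set of request records. The record format (timestamp in seconds, source IP, payload), the signature list and the thresholds are assumptions chosen for the demonstration.

```python
"""Added example: signature-only versus volume-based DDoS detection over
constructed sample records. Nothing here comes from the original document."""
from collections import defaultdict, deque

# Constructed stand-in for an IPS's pre-existing signatures (assumption).
SIGNATURES = {b"EVIL_PAYLOAD"}


def signature_hits(records):
    """Signature-only detection: a record is flagged only if its payload
    contains a known signature. Well-formed flood traffic is never flagged."""
    return [r for r in records if any(sig in r[2] for sig in SIGNATURES)]


def rate_anomalies(records, window_s=1.0, per_source_limit=20, total_limit=50):
    """Volume-based detection with a sliding time window.

    Flags a source that exceeds per_source_limit requests inside any
    window_s-second window, and flags the aggregate when all sources together
    exceed total_limit (the thresholds are illustrative assumptions).
    Returns a sorted list of (kind, key) alerts without duplicates."""
    per_source = defaultdict(deque)   # source IP -> timestamps in window
    overall = deque()                 # all timestamps in window
    alerts = set()
    for ts, src, _payload in sorted(records):
        for q in (per_source[src], overall):
            q.append(ts)
            while q and ts - q[0] > window_s:   # drop entries older than the window
                q.popleft()
        if len(per_source[src]) > per_source_limit:
            alerts.add(("source_flood", src))
        if len(overall) > total_limit:
            alerts.add(("aggregate_flood", "*"))
    return sorted(alerts)


def build_sample():
    """Constructed traffic: five benign clients, one source sending 100
    well-formed requests in one second, and one packet carrying a signature."""
    records = []
    for i in range(5):                       # benign background, 2 req/s each
        for k in range(20):
            records.append((k * 0.5, f"10.0.0.{i + 1}", b"GET /index"))
    for k in range(100):                     # flood of valid-looking requests
        records.append((5.0 + k * 0.01, "198.51.100.7", b"GET /index"))
    records.append((3.0, "203.0.113.9", b"EVIL_PAYLOAD"))   # one signature match
    return records


if __name__ == "__main__":
    sample = build_sample()
    print("signature hits:", signature_hits(sample))
    print("rate anomalies:", rate_anomalies(sample))
```

On the constructed sample the signature check reports only the single tagged packet and says nothing about the flood, while the rate check reports both the flooding source and the aggregate overload; the benign clients, which never exceed three requests per window, produce no alert.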
Establishing an access control mechanism is essential for information security, in order to prevent unauthorised access; for example, assigning users the rights to use particular data and services. One point to note about this mechanism is that it must cover the whole lifecycle of a user, from initial registration until the user no longer accesses the system and its services (de-registration). According to the Information Technology Infrastructure Library (ITIL) and the ISO 27001/27002 security standards, a security management system must provide the following functions [24]:
o Control access to information
o Manage user access rights
o Encourage good access practices
o Control access to network services
o Control access to operating systems
o Control access to applications and systems
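The lifecycle requirement above, that access control spans everything from initial registration to de-registration, is easy to state and easy to get wrong when rights are stored separately from account state. The following is an added example, not code from the original document: a minimal role-based access control model whose authorisation decision is gated on the account's lifecycle state, so that a de-registered account is denied even if a stale role assignment remained. The users, roles, resources and actions are constructed for the demonstration.

```python
"""Added example: lifecycle-aware access control (registration, activation,
de-registration) with a small role model. Constructed for illustration; not
taken from the original document or from any product."""
from enum import Enum


class State(Enum):
    REGISTERED = "registered"       # account created, not yet enabled
    ACTIVE = "active"               # may be authorised by role
    DEREGISTERED = "deregistered"   # retained for audit, never authorised


# Constructed role-to-permission mapping (assumption for the demo).
ROLES = {
    "viewer": {("customer_db", "read")},
    "operator": {("customer_db", "read"), ("vm", "start"), ("vm", "stop")},
}


class AccessControl:
    def __init__(self):
        self.users = {}   # name -> {"state": State, "roles": set of role names}
        self.audit = []   # (decision, user, resource, action, reason)

    def register(self, name):
        """Initial registration: the account exists but has no rights yet."""
        self.users[name] = {"state": State.REGISTERED, "roles": set()}

    def activate(self, name, roles):
        """Grant roles only to a registered account; unknown roles are rejected."""
        unknown = set(roles) - ROLES.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        rec = self.users[name]
        rec["state"] = State.ACTIVE
        rec["roles"] = set(roles)

    def deregister(self, name):
        """De-registration: revoke all roles and freeze the account state."""
        rec = self.users[name]
        rec["roles"].clear()
        rec["state"] = State.DEREGISTERED

    def check(self, name, resource, action):
        """Authorise an action. Lifecycle state is checked before roles, so a
        lingering role on a non-active account can never grant access."""
        rec = self.users.get(name)
        if rec is None or rec["state"] is not State.ACTIVE:
            self.audit.append(("deny", name, resource, action, "account not active"))
            return False
        allowed = any((resource, action) in ROLES[r] for r in rec["roles"])
        self.audit.append(("allow" if allowed else "deny", name, resource, action, "role check"))
        return allowed


def run_demo():
    """Walks one constructed user through the lifecycle and returns the
    access decisions at each stage."""
    ac = AccessControl()
    ac.register("alice")
    before = ac.check("alice", "vm", "start")            # registered, not active
    ac.activate("alice", {"operator"})
    during = ac.check("alice", "vm", "start")            # active, role permits
    outside_role = ac.check("alice", "billing", "read")  # active, role does not permit
    ac.deregister("alice")
    after = ac.check("alice", "vm", "start")             # de-registered
    unknown = ac.check("mallory", "vm", "start")         # never registered
    return [before, during, outside_role, after, unknown]


if __name__ == "__main__":
    print(run_demo())
```

Only the request made while the account is active and within its role is allowed; the audit trail records every decision with its reason, which is what a later review against the ITIL/ISO control list would look for.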
One of the key points of cloud security is to find the existing vulnerabilities and then deploy appropriate countermeasures. In general, a cloud system is built on a set of many storage engines that support high availability, allowing virtual servers to back each other up, so the system holds up well when an incident occurs. To achieve flexibility, scalability and efficient utilisation, cloud providers must tackle the problems of analysing and computing a sensible allocation of resources to the different computational workloads.
o Partitioning: one way to raise the computational performance of cloud applications is to split the data into many partitions and compute on many nodes, in order to increase the throughput of queries and transactions; results are thus computed and returned very quickly.
o Migration: flexibility is one of the main requirements of the cloud, and in the context of providing cloud services resource usage must be flexible. For example, resources must be reserved for the most necessary and important activities. This prevents nodes in the cloud from being overloaded when the system is migrated, especially a large database system, and in particular keeps the system running while migration takes place.
o Workload analysis and allocation
In addition, disaster recovery solutions must be considered for unexpected incidents such as natural disasters, floods, fires and explosions, and so on.
3. DDoS
As already shown, systems with a full complement of firewalls and IDS/IPS can still be hit by DDoS attacks. However, a strong network infrastructure can still withstand traffic of
The Keystone deployment has not yet succeeded, so the assessment level is not yet accurate. But the security functions in Keystone will ensure the safety of an IaaS deployment.